OldSchool - GoogleCTF 2023
Ubuntuではlibncurses6:i386が必要
usernameとpasswordを入力すると正しいか判定するプログラムが与えられる
50組のusernameとpasswordからflagを生成するflag_maker.pyも与えられる
passwordはすべてプレースホルダになっているので、usernameから正しいpasswordを求める必要がある
strlen関数の呼び出しをたどると、usernameとpasswordを引数に取る関数が0x212aに見つかる
0か1かを返すので、この関数が正誤判定をしていそう
passwordのフォーマットは00000-00000-00000-00000-00000のような形
使って良い文字は23456789ABCDEFGHJKLMNPQRSTUVWXYZ
username、passwordそれぞれを変形してバイト列を生成し、その2つのバイト列が特定の条件を満たすときのみ1を返している
usernameのバイト列は以下のdump.pyを用いてダンプした
passwordのバイト列は、usernameのバイト列からz3で求められそうな形だったのでz3で解いた
passwordのバイト列が手に入ったら、逆変形をしてpasswordを求めればよい
求めたpasswordは、gdbでデバッグしながら実行したときにだけ正しいと判定された
原因を調べると、main関数内の0xaf7fにptraceでデバッグされているかどうかを判定する処理があった
デバッガの有無で結果が変わらないよう、この判定をパッチして無効化した
最初のusernameに関して正しいpasswordを得られることがわかったので、50個すべてのusernameに対して同じ操作をした
おそらく自動化すべきだが、ncursesの自動化の方法がよくわからなかったので手動でやった
適切にflag_maker.pyのpasswordを書き換えて実行するとフラグが得られた
code: dump.py
import gdb
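# gdb Python script: runs inside gdb's embedded interpreter (the `gdb` module
# only exists there) and dumps the buffer derived from the entered username.
#
# NOTE(review): `brva` is not a stock gdb command; it comes from a gdb
# extension (e.g. pwndbg) and breaks at an offset relative to the image base.
# NOTE(review): the write-up reports that passwords derived while debugging
# were only accepted under gdb until the ptrace check in main was patched, so
# values dumped here reflect the debugger-attached run unless the patched
# binary is used.

# Stop once ncurses starts up, then break at offset 0x2946 and continue there.
# Presumably the first stop is only needed so the process is running before
# the relative breakpoint is placed -- TODO confirm.
gdb.execute('b initscr')
gdb.execute('r')
gdb.execute('brva 0x2946')
gdb.execute('c')

# username enc
# Read 80 values: one byte at every 4th address starting at $ebp-0x254.
enc = []
for i in range(80):
    # `x/bx` prints "<address>:<tab>0x..", so the value is the text after ':'.
    dumped = gdb.execute(f'x/bx $ebp-0x254+{i*4}', to_string=True)
    v = int(dumped.split(':')[1], 16)
    enc.append(v)
print(enc)

# Append mode: every run adds one more "[...]," line, one per username.
# The surrounding `username_enc_list = [` / `]` is not written here.
with open('username_enc.py', 'a') as f:
    f.write(str(enc))
    f.write(',\n')
gdb.execute('q')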
code: username_enc.py
# Username-derived buffers captured with dump.py, which appends one 80-value
# dump (str(enc) followed by ',') per run.
# NOTE(review): solve.py takes one element of this list per username, so each
# 80-value dump was presumably its own nested list; the inner brackets are not
# visible in this listing -- confirm against the original file before use.
username_enc_list = [
18, 29, 16, 19, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 31, 8, 23, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 3, 28, 10, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 29, 8, 16, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 30, 7, 20, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 31, 10, 7, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 14, 0, 22, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 10, 20, 9, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 7, 11, 26, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 9, 1, 30, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 1, 25, 28, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 31, 10, 4, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 19, 20, 30, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 6, 8, 20, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 22, 25, 21, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 19, 29, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 17, 6, 0, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 9, 31, 10, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 15, 2, 25, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 2, 15, 4, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 27, 12, 25, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 29, 15, 17, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 19, 19, 22, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 2, 9, 26, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 29, 6, 13, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 13, 8, 5, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 17, 16, 24, 2, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 0, 25, 19, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 16, 15, 29, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 3, 16, 16, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 23, 16, 28, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 26, 3, 1, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 8, 28, 3, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 22, 22, 2, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 10, 5, 4, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 3, 21, 9, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 10, 6, 9, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 17, 4, 13, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 9, 6, 6, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 18, 12, 22, 9, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 27, 19, 27, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 21, 8, 14, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 4, 17, 8, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 11, 18, 6, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 9, 28, 21, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 16, 3, 28, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 10, 20, 28, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 25, 8, 14, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 4, 22, 24, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 16, 16, 9, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 21, 2, 14, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 15, 29, 28, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 26, 30, 16, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 6, 29, 8, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 10, 21, 21, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 11, 27, 9, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 2, 15, 22, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 27, 9, 7, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 9, 29, 1, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 16, 18, 25, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 25, 3, 2, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 23, 6, 31, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 11, 15, 9, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 28, 9, 21, 26, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 12, 25, 27, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 9, 29, 11, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 21, 25, 6, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 16, 0, 12, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 14, 21, 23, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 22, 20, 3, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 27, 23, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 10, 22, 11, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 16, 20, 20, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 8, 3, 17, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 17, 16, 14, 4, 26, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 16, 24, 16, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 27, 26, 8, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 22, 9, 28, 27, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 6, 14, 4, 26, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 19, 20, 25, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 27, 10, 2, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 30, 31, 10, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 31, 18, 20, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 3, 18, 10, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 22, 23, 1, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 7, 28, 8, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 14, 17, 23, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 7, 9, 14, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 4, 24, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 10, 21, 24, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 16, 30, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 18, 3, 9, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 13, 27, 16, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 13, 10, 4, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 7, 6, 6, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 27, 11, 6, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 11, 12, 18, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 12, 24, 20, 26, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 1, 2, 23, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 0, 24, 30, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 23, 21, 30, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 2, 23, 24, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 10, 18, 2, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 31, 2, 27, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 8, 29, 20, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 29, 2, 15, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 30, 5, 21, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 12, 2, 29, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 12, 23, 9, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 15, 6, 19, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 17, 22, 25, 12, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 15, 3, 11, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 25, 24, 23, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 29, 16, 18, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 5, 3, 6, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 25, 10, 0, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 16, 4, 9, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 22, 16, 23, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 14, 23, 28, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 19, 28, 22, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 31, 28, 14, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 3, 6, 7, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 28, 0, 17, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 2, 17, 28, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 31, 2, 2, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 30, 3, 2, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 15, 5, 12, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 7, 23, 29, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 19, 14, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 5, 7, 5, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 14, 18, 28, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 15, 28, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 7, 0, 22, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 10, 1, 3, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 4, 1, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 15, 8, 26, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 21, 6, 16, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 3, 4, 12, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 30, 31, 23, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 11, 23, 6, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 22, 16, 27, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 17, 25, 6, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 7, 21, 13, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 9, 9, 16, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 27, 14, 7, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 12, 22, 0, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 15, 19, 16, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 20, 7, 22, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 26, 23, 27, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 5, 7, 9, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 11, 23, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 20, 15, 24, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 2, 28, 27, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 9, 1, 4, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 29, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 31, 15, 17, 8, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 9, 22, 24, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 30, 4, 10, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 19, 31, 31, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 8, 14, 23, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 28, 5, 30, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 7, 27, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 20, 29, 17, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 11, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 8, 13, 28, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 27, 6, 10, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 27, 19, 16, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 11, 27, 19, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 7, 4, 14, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 29, 23, 1, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 6, 23, 13, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 25, 30, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 25, 18, 24, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 1, 13, 21, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 16, 7, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 24, 26, 19, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 17, 22, 18, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 21, 7, 16, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 19, 27, 6, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 24, 27, 0, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 6, 29, 28, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 19, 5, 0, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 4, 25, 0, 23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 28, 26, 29, 31, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 18, 18, 23, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 25, 24, 17, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 17, 9, 26, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 13, 26, 22, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 29, 28, 3, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 16, 27, 3, 26, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 3, 16, 17, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 30, 17, 18, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 15, 3, 15, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 6, 23, 2, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 17, 16, 28, 27, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 20, 31, 6, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 4, 13, 10, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 9, 31, 26, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 10, 2, 23, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 19, 0, 21, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 17, 3, 30, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 11, 3, 9, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 13, 11, 29, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 12, 3, 17, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 10, 21, 25, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 13, 8, 9, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 5, 15, 5, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 1, 15, 1, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 23, 9, 6, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 31, 15, 5, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 14, 20, 15, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 25, 21, 23, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 3, 13, 15, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 8, 7, 10, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 23, 28, 7, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 4, 26, 11, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 17, 26, 25, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 23, 8, 13, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 21, 28, 1, 26, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 2, 14, 19, 27, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 14, 16, 16, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 7, 7, 9, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 4, 27, 14, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 6, 28, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 27, 19, 22, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 17, 2, 0, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 29, 13, 17, 24, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 2, 2, 1, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 17, 7, 1, 26, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 14, 7, 9, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 3, 14, 2, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 24, 14, 17, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 16, 9, 13, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 4, 21, 15, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 12, 11, 13, 21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 25, 16, 15, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 31, 20, 0, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 30, 12, 10, 17, 29, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 19, 5, 21, 25, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 19, 14, 0, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 1, 5, 28, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 16, 10, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 13, 16, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 25, 3, 30, 18, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 29, 14, 7, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 17, 7, 1, 6, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 28, 17, 14, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 26, 10, 9, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 16, 30, 7, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 3, 0, 4, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ]
code: solve.py
from username_enc import username_enc_list
from z3 import *
import hashlib
# (username, password) pairs in the order the flag is derived from them.
# Every password is still the literal '{password}' placeholder; only the
# usernames are read from this table further down.
pairs = [
    (name, '{password}')
    for name in (
        'gdwAnDgwbRVnrJvEqzvs',
        'ZQdsfjHNgCpHYnOVcGvr',
        'PmJgHBtIpaWNEMKiDQYW',
        'OAmhVkxiUjUQWcmCCrVj',
        'ALdgOAnaBbMwhbXExKrN',
        'tqBXanGeFuaRSMDmwrAo',
        'etTQMfSiRlMbNSuEOFZo',
        'wceLFjLkBstBfQTtwnmv',
        'rBiaRSHGLToSvIAQhZIs',
        'ackTeRoASCkkkRUIBjmX',
        'UBFLQMizCtLCnnOjaLMa',
        'UwiBcAZEAJHKmZSrLqTB',
        'oYlcWeZwpEEejIGuCHSU',
        'txWHHXTtBXbckmRPxgCx',
        'mhPdqEbAligcqQCsHLGl',
        'UsIdCFPOqrXwsSMoqfIv',
        'OdSAfswQJnMyjOlqpmqJ',
        'eNKVZRlVwQCxWzDvUrUW',
        'dUVNMmEPDxRIdVRXzbKa',
        'iMBkfiyJxewhnvxDWXWB',
        'xlQgeOrNItMzSrkldUAV',
        'UPEfpiDmCeOzpXeqnFSC',
        'ispoleetmoreyeah1338',
        'dNcnRoRDFvfJbAtLraBd',
        'FKBEgCvSeebMGixUVdeI',
        'DfBrZwIrsHviSIbenmKy',
        'OvQEEDVvxzZGSgNOhaEW',
        'iNduNnptWlmAVsszvTIZ',
        'GvTcyPNIUuojKfdqCbIQ',
        'noAJKHffdaRrCDOpvMyj',
        'rAViEUMTbUByuosLYfMv',
        'YiECebDqMOwStHZyqyhF',
        'phHkOgbzfuvTWVbvRlyt',
        'arRzLiMFyEqSAHeemkXJ',
        'jvsYsTpHxvXCxdVyCHtM',
        'yOOsAYNxQndNLuPlMoDI',
        'qHRTGnlinezNZNUCFUld',
        'HBBRIZfprBYDWLZOIaAd',
        'kXWLSuNpCGxenDxYyalv',
        'EkrdIpWkDeVGOSPJNDVr',
        'pDXIOdNXHhehzlpbJYGs',
        'WMkwVDmkxpoGvuLvgESM',
        'aUwdXCDDUWlPQwadOliF',
        'WmlngotWTsikaXRDakbp',
        'thrZhzSRBzJFPrxKmetr',
        'TcurEDzLjepMrNwspPqd',
        'SScTJRokTraQbzQpwDTR',
        'PObUeTjQTwEflLQtPOJM',
        'LUDPGXGvuVFAYlMTTowZ',
        'UlTVDrBlCmXmFBmwLLKX',
    )
]
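# Password alphabet as ASCII codes; decodes to '23456789ABCDEFGHJKLMNPQRSTUVWXYZ'
# (32 symbols), so a 5-bit value selects one password character.
chars = (
    0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39,
    0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
    0x4a, 0x4b, 0x4c, 0x4d, 0x4e,
    0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a,
)

# Two tables copied from the binary as raw bytes. Every fourth byte carries a
# value and the other three are zero, which together with the dword_ names
# suggests little-endian 32-bit entries -- TODO confirm.
# NOTE(review): in the extracted listing `chars` and the first table header
# shared one line and neither list was closed; the line break and the closing
# brackets are restored here, the byte values are unchanged. Where these
# tables are consumed is not visible in the listing.
dword_1E180 = [
    0x10, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0D, 0x00,
    0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00,
    0x11, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x1E, 0x00,
    0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00,
    0x12, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x1A, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
    0x06, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00, 0x19, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00,
    0x14, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x08, 0x00,
    0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x05, 0x00,
    0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
    0x1D, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00,
]

# NOTE(review): this table holds 132 bytes (33 four-byte groups), one group
# more than dword_1E180; the trailing group may be over-copied -- verify.
dword_250E0 = [
    0x19, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00,
    0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
    0x1A, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x1E, 0x00,
    0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x0E, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
    0x1F, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x0B, 0x00,
    0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x1C, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x09, 0x00,
    0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00,
    0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0C, 0x00,
    0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
    0x17, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x03, 0x00,
    0x00, 0x00,
]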
# Recover the password string for one username from its dumped buffer
# (username_enc) by solving constraints with z3 and mapping the solution
# through `chars`.
#
# NOTE(review): this listing lost its indentation and several statements in
# extraction and is not runnable as shown: most loop headers below have no
# body, the solver variables referenced as `xi` are never declared in the
# visible text, and two statements are fused onto one line in two places.
# Restore from the original solve.py rather than guessing the missing lines.
def solve(username_enc):
s = Solver()
# For every (k, m) cell of a 5x5 grid, v must equal 1 on the diagonal and 0
# elsewhere. The accumulation of v inside the `i` loop is missing here;
# presumably it combines the password unknowns with username_enc -- TODO
# confirm against the original.
for k in range(5):
for m in range(5):
v = 0
for i in range(5):
if k == m:
s.add(v == 1)
else:
s.add(v == 0)
# NOTE(review): the result of s.check() is not inspected; s.model() is only
# meaningful after a `sat` result.
s.check()
# `m` is rebound here from the loop index to the z3 model.
m = s.model()
# 25 solved values are read back from the model. `m[xi]` presumably indexed a
# list of 25 unknowns by i before extraction -- verify.
# The descending k/m loops that follow have no visible bodies; per the
# write-up they undo the transformation applied to the password.
buf_from_password = [m[xi].as_long() for i in range(25)] for k in range(4, 0, -1):
for m in range(4, 5 - k - 1, -1):
for m in range(4, k - 1, -1):
for m in range(k - 1, -1, -1):
for k in range(4, -1, -1):
for m in range(4, -1, -1):
for k in range(4, -1, -1):
for m in range(4, -1, -1):
# Build the printable password from the recovered values via `chars`.
# NOTE(review): as shown, '-' is appended on every iteration; given the
# 00000-00000-... format a guarding condition was presumably lost -- confirm.
# `buf_from_passwordi` presumably read `buf_from_password[i]`.
password = ''
for i in range(len(buf_from_password)):
password += '-'
password += chr(chars[buf_from_passwordi]) return password
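# Solve every dumped username buffer and pair the result with its username.
# The extracted listing had lost the subscript brackets and fused statements
# onto shared lines; both are restored here.
# username_enc_list and pairs are matched by position, so their order must
# agree (entry i of the dump belongs to username i).
pairs2 = []
for i, username_enc in enumerate(username_enc_list):
    password = solve(username_enc)
    pairs2.append((pairs[i][0], password))
# NOTE(review): whether this print sat inside or after the loop cannot be
# recovered from the collapsed listing; it is emitted once, after the loop.
print(pairs2)

# Flag = SHA-1 hex digest of the "username:password" entries joined by '|'.
print('CTF{' + hashlib.sha1(b'|'.join(f'{u}:{p}'.encode('utf-8') for u, p in pairs2)).hexdigest() + '}')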