Friday, December 26, 2014

adctf2014 - Crypto - Day 10 xor

712249146f241d31651a504a1a7372384d173f7f790c2b115f47

Source Code:

#include <stdio.h>
#include <string.h>

int main() {
  char flag[] = "ADCTF_XXXXXXXXXXXXXXXXXXXX";
  int len = strlen(flag);
  for (int i = 0; i < len; i++) {
    if (i > 0) flag[i] ^= flag[i-1];
    flag[i] ^= flag[i] >> 4;
    flag[i] ^= flag[i] >> 3;
    flag[i] ^= flag[i] >> 2;
    flag[i] ^= flag[i] >> 1;
    printf("%02x", (unsigned char)flag[i]);
  }
  return 0;
}




We're given an output and the source of the program that generated it. The source takes a flag string (stripped from the copy we're given), does some math on it, and prints the result.

Since we have the math, I presume that we could reverse the operations and discover the original flag string, but math is for nerds.

Instead I altered the source to bruteforce the string by going through each ASCII value and checking if the result matches the output. If it does, it moves on to the next value until it's bruteforced the entire string.



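#include <stdio.h>

int main() {
  char flag[] = "ADCTF_XXXXXXXXXXXXXXXXXXXX";

  /* output bytes from the challenge */
  unsigned char hash[] = {0x71,0x22,0x49,0x14,0x6f,0x24,0x1d,0x31,0x65,0x1a,0x50,0x4a,0x1a,0x73,0x72,0x38,0x4d,0x17,0x3f,0x7f,0x79,0x0c,0x2b,0x11,0x5f,0x47};

  /* hash has no NUL terminator, so take its size instead of calling strlen */
  int len = sizeof(hash);
  for (int i = 1; i < len; i++) {
    /* try each candidate character for position i */
    for (int t = 48; t < 127; t++) {
      int x=t;
      x ^= hash[i-1];  /* chaining uses the previous output byte */
      x ^= x >> 4;
      x ^= x >> 3;
      x ^= x >> 2;
      x ^= x >> 1;

      if (x == hash[i]) {
        flag[i]=t;
        break;
      }
    }
    /* print through a fixed format string rather than passing flag as the format */
    printf("%s\n", flag);
  }
  return 0;
}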

gomi@(none):~/advctf$ ./a.out
ADCTF_XXXXXXXXXXXXXXXXXXXX
ADCTF_XXXXXXXXXXXXXXXXXXXX
ADCTF_XXXXXXXXXXXXXXXXXXXX
ADCTF_XXXXXXXXXXXXXXXXXXXX
ADCTF_XXXXXXXXXXXXXXXXXXXX
ADCTF_5XXXXXXXXXXXXXXXXXXX
ADCTF_51XXXXXXXXXXXXXXXXXX
ADCTF_51mXXXXXXXXXXXXXXXXX
ADCTF_51mpXXXXXXXXXXXXXXXX
ADCTF_51mplXXXXXXXXXXXXXXX
ADCTF_51mpl3XXXXXXXXXXXXXX
ADCTF_51mpl3_XXXXXXXXXXXXX
ADCTF_51mpl3_XXXXXXXXXXXXX
ADCTF_51mpl3_X0XXXXXXXXXXX
ADCTF_51mpl3_X0RXXXXXXXXXX
ADCTF_51mpl3_X0R_XXXXXXXXX
ADCTF_51mpl3_X0R_RXXXXXXXX
ADCTF_51mpl3_X0R_R3XXXXXXX
ADCTF_51mpl3_X0R_R3vXXXXXX
ADCTF_51mpl3_X0R_R3v3XXXXX
ADCTF_51mpl3_X0R_R3v3rXXXX
ADCTF_51mpl3_X0R_R3v3r5XXX
ADCTF_51mpl3_X0R_R3v3r51XX
ADCTF_51mpl3_X0R_R3v3r51nX
ADCTF_51mpl3_X0R_R3v3r51n6
ADCTF_51mpl3_X0R_R3v3r51n6
gomi@(none):~/advctf$

I could have had the program start at the 7th character (first X), but having it process a known value helps confirm the code was written right.
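
The reversal mentioned above, carried through as an added example (not part of the original post): each `x ^= x >> k` step is undone by XOR-folding the byte back in k-bit steps, the four steps are undone in reverse order, and the chaining is removed by XORing with the previous ciphertext byte. The function names are this example's own, and it assumes byte values below 0x80, as in the ciphertext here.

```c
#include <stdio.h>
#include <string.h>

/* Ciphertext bytes from the hex string at the top of the post. */
static const unsigned char CT[] = {
  0x71,0x22,0x49,0x14,0x6f,0x24,0x1d,0x31,0x65,0x1a,0x50,0x4a,0x1a,
  0x73,0x72,0x38,0x4d,0x17,0x3f,0x7f,0x79,0x0c,0x2b,0x11,0x5f,0x47
};

/* Forward per-byte transform, as in the challenge source. */
static unsigned char scramble(unsigned char x) {
  x ^= x >> 4; x ^= x >> 3; x ^= x >> 2; x ^= x >> 1;
  return x;
}

/* Invert y = x ^ (x >> k): x = y ^ (y >> k) ^ (y >> 2k) ^ ... within 8 bits. */
static unsigned char unshift_xor(unsigned char y, int k) {
  unsigned char x = y;
  for (int s = k; s < 8; s += k) x ^= (unsigned char)(y >> s);
  return x;
}

/* Undo the four steps in reverse order: >>1, >>2, >>3, then >>4. */
static unsigned char unscramble(unsigned char y) {
  for (int k = 1; k <= 4; k++) y = unshift_xor(y, k);
  return y;
}

/* Decode n bytes; out needs n + 1 bytes. Assumes plaintext bytes < 0x80. */
void decode(const unsigned char *ct, size_t n, char *out) {
  for (size_t i = 0; i < n; i++) {
    unsigned char p = unscramble(ct[i]);
    if (i > 0) p ^= ct[i - 1];  /* chaining used the previous output byte */
    out[i] = (char)p;
  }
  out[n] = '\0';
}

/* Sanity check: unscramble inverts scramble for every byte value. */
int roundtrip_ok(void) {
  for (int v = 0; v < 256; v++)
    if (unscramble(scramble((unsigned char)v)) != v) return 0;
  return 1;
}

int main(void) {
  char flag[sizeof CT + 1];
  decode(CT, sizeof CT, flag);
  printf("%s (round trip ok: %d)\n", flag, roundtrip_ok());
  return 0;
}
```

Because every step is invertible, each ciphertext byte maps to exactly one plaintext byte, which is why the brute force finds a single match per position.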
