Crackme

This was a simple reversing challenge. Looking at the validation function, we could see that the key is relatively simple to bruteforce.

_BOOL8 __fastcall check(const char *a1)
{
  int i; // [rsp+14h] [rbp-6Ch]
  int k; // [rsp+14h] [rbp-6Ch]
  int m; // [rsp+14h] [rbp-6Ch]
  int n; // [rsp+14h] [rbp-6Ch]
  int j; // [rsp+18h] [rbp-68h]
  int v7; // [rsp+1Ch] [rbp-64h]
  int v8; // [rsp+24h] [rbp-5Ch]
  int v9; // [rsp+30h] [rbp-50h]
  int v10; // [rsp+34h] [rbp-4Ch]
  int v11; // [rsp+38h] [rbp-48h]
  int v12; // [rsp+3Ch] [rbp-44h]
  int v13; // [rsp+40h] [rbp-40h]
  int v14; // [rsp+44h] [rbp-3Ch]
  int v15; // [rsp+48h] [rbp-38h]
  int v16; // [rsp+4Ch] [rbp-34h]
  int v17; // [rsp+50h] [rbp-30h]
  int v18; // [rsp+54h] [rbp-2Ch]
  int v19; // [rsp+58h] [rbp-28h]
  int v20; // [rsp+5Ch] [rbp-24h]
  int v21; // [rsp+60h] [rbp-20h]
  int v22; // [rsp+64h] [rbp-1Ch]
  int v23; // [rsp+68h] [rbp-18h]
  int v24; // [rsp+6Ch] [rbp-14h]
  unsigned __int64 v25; // [rsp+78h] [rbp-8h]

  v25 = __readfsqword(0x28u);
  if ( strlen(a1) != 19 )
    return 0LL;
  for ( i = 4; i <= 19; i += 5 )
  {
    if ( i <= 14 && a1[i] != 45 )
      return 0LL;
    for ( j = i - 4; j < i; ++j )
    {
      if ( a1[j] <= 47 || a1[j] > 57 )
        return 0LL;
    }
  }
  v9 = toi((unsigned int)*a1);
  v10 = toi((unsigned int)a1[1]);
  v11 = toi((unsigned int)a1[2]);
  v12 = toi((unsigned int)a1[3]);
  v13 = toi((unsigned int)a1[5]);
  v14 = toi((unsigned int)a1[6]);
  v15 = toi((unsigned int)a1[7]);
  v16 = toi((unsigned int)a1[8]);
  v17 = toi((unsigned int)a1[10]);
  v18 = toi((unsigned int)a1[11]);
  v19 = toi((unsigned int)a1[12]);
  v20 = toi((unsigned int)a1[13]);
  v21 = toi((unsigned int)a1[15]);
  v22 = toi((unsigned int)a1[16]);
  v23 = toi((unsigned int)a1[17]);
  v24 = toi((unsigned int)a1[18]);
  if ( v9 != 8 )
    return 0LL;
  if ( v14 != 5 )
    return 0LL;
  if ( v16 != 6 )
    return 0LL;
  if ( v17 != 7 )
    return 0LL;
  if ( v18 != 8 )
    return 0LL;
  if ( v19 != 2 )
    return 0LL;
  if ( v21 != 3 )
    return 0LL;
  if ( v22 != 4 )
    return 0LL;
  if ( v23 != 7 )
    return 0LL;
  for ( k = 0; k <= 3; ++k )
  {
    if ( *(&v13 + k) <= 0 || *(&v13 + k) > 7 )
      return 0LL;
  }
  for ( m = 0; m <= 3; ++m )
  {
    if ( *(&v17 + m) <= 1 || *(&v17 + m) > 9 )
      return 0LL;
  }
  for ( n = 0; n <= 3; ++n )
  {
    if ( *(&v21 + n) <= 2 || *(&v21 + n) > 8 )
      return 0LL;
  }
  v7 = v11 + v10 + 8 + v12;
  v8 = v19 + v18 + v17 + v20;
  if ( v23 + v22 + v21 + v24 != (v15 + v14 + v13 + v16 + v7 + v8) / 3 )
    return 0LL;
  if ( v7 != (v23 + v22 + v21 + v24) / 2 )
    return 0LL;
  if ( v15 + v14 + v13 + v16 != v8 - 7 )
    return 0LL;
  if ( v8 + v7 == 33 )
    return v13 + v8 == 31;
  return 0LL;
}

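The key is 19 characters long: four groups of four digits separated by dashes. Nine of the 16 digits are fixed by the equality checks, so only 7 digits are unknown, and we could brute-force the key by trying every combination against the remaining arithmetic checks.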

start = 'yactf{'

# Key layout: 19 characters, dashes at indexes 4, 9 and 14; 0 marks an unknown digit
remaining = [0 for _ in range(19)]
for i in range(4, 20, 5):
    if i <= 14:
        remaining[i] = chr(45)

# Digits fixed by the equality checks in check()
remaining[0] = 8
remaining[6] = 5
remaining[8] = 6
remaining[10] = 7
remaining[11] = 8
remaining[12] = 2
remaining[15] = 3
remaining[16] = 4
remaining[17] = 7

print(remaining)

maximum = 10000000
curr = 0
while curr != maximum:

    # 7 unknowns
    num_string = str(curr).zfill(7)
    test_remaining = remaining.copy()

    # Fill the unknown positions, left to right, with the digits of the candidate
    j = 0
    for i in range(len(test_remaining)):
        if test_remaining[i] == 0:
            test_remaining[i] = int(num_string[j])
            j += 1

    v7 = test_remaining[2] + test_remaining[1] + 8 + test_remaining[3]
    v8 = 2 + 8 + 7 + test_remaining[13]

    # The five arithmetic checks at the end of check()
    try:
        assert 7 + 4 + 3 + test_remaining[18] == (test_remaining[7] + 5 + test_remaining[5] + 6 + v7 + v8) // 3
        assert v7 == (7 + 4 + 3 + test_remaining[18]) // 2
        assert test_remaining[7] + 5 + test_remaining[5] + 6 == v8 - 7
        assert v8 + v7 == 33
        assert test_remaining[5] + v8 == 31

    except AssertionError:
        # Only a failed check moves on to the next candidate
        curr += 1

    else:
        print(start + ''.join(map(str, test_remaining)) + '}')
        break

The key is yactf{8000-6516-7828-3473}
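
As an added example (not part of the original writeup), the script below ports the decompiled check() to Python, including the format and range checks the brute-force script leaves out, and solves the sum constraints directly to show that only one key is accepted. It assumes toi() converts an ASCII digit to its integer value; the names `check`, `solve` and `FIXED` are chosen here.

```python
from itertools import product

# Digits pinned by the equality tests in the decompiled check(): index -> value
FIXED = {0: 8, 6: 5, 8: 6, 10: 7, 11: 8, 12: 2, 15: 3, 16: 4, 17: 7}

def check(key):
    """Port of the decompiled check(). Assumes toi() maps '0'-'9' to 0-9."""
    if len(key) != 19 or any(key[i] != "-" for i in (4, 9, 14)):
        return False
    groups = key.split("-")
    if len(groups) != 4 or not all(g.isascii() and g.isdigit() for g in groups):
        return False
    if any(int(key[i]) != d for i, d in FIXED.items()):
        return False
    g1, g2, g3, g4 = ([int(c) for c in g] for g in groups)
    # Range loops k, m, n: group 2 in 1..7, group 3 in 2..9, group 4 in 3..8
    if not (all(1 <= d <= 7 for d in g2) and all(2 <= d <= 9 for d in g3)
            and all(3 <= d <= 8 for d in g4)):
        return False
    v7, s2, v8, s4 = sum(g1), sum(g2), sum(g3), sum(g4)
    return (s4 == (s2 + v7 + v8) // 3 and v7 == s4 // 2 and s2 == v8 - 7
            and v8 + v7 == 33 and g2[0] + v8 == 31)

def solve():
    """Return every accepted key, solving the sum constraints for most digits."""
    keys = []
    for v20 in range(10):
        v8 = 7 + 8 + 2 + v20
        v13 = 31 - v8                    # v13 + v8 == 31
        v15 = (v8 - 7) - (v13 + 5 + 6)   # group 2 sum == v8 - 7
        rest = 33 - v8 - 8               # v10 + v11 + v12, from v8 + v7 == 33
        if not (0 <= v13 <= 9 and 0 <= v15 <= 9 and rest >= 0):
            continue
        for v10, v11, v12 in product(range(10), repeat=3):
            if v10 + v11 + v12 != rest:
                continue
            for v24 in range(10):
                key = f"8{v10}{v11}{v12}-{v13}5{v15}6-782{v20}-347{v24}"
                if check(key):
                    keys.append(key)
    return keys

if __name__ == "__main__":
    print(solve())  # lists every key that check() accepts
```

Because two of the constraints (v8 + v7 == 33 and v13 + v8 == 31) tie most unknowns to a single digit, the search visits a few thousand candidates instead of 10^7.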


Last updated 3 years ago
