OSCTF 2024 rev challenges writeup

Published: at 04:00 AM

Table of Contents

Open Table of Contents

Gophers Language

Challenge Description

I know go is not a popular language, so I decided of creating a reversing challenge out of it. I’m sure now go will overtake java!!

Author: @5h1kh4r

main.exe is provided

Solution

Challenge is written in Go.

Terminal window
└─$ strings main.exe| grep "OSCTF"
...
OSCTF{Why_G0_S0_H4rd}
(truncated)

We have our flag.

Another Python Game

Challenge Description

You know, I love Pygame why don’t you. Prove your love for Pygame by solving this challenge Note: It is necessary to keep the background.png file in the same place as the exe file so that the exe file runs properly

Author: @5h1kh4r

source.exe and background.png is provided.

Solution

The exe file looks like a Python compiled binary. We run (pyinstxtractor)[https://github.com/extremecoders-re/pyinstxtractor] to decompile the file. We get source.pyc.

Terminal window
└─$ strings source.pyc | grep OSCTF
Tz"OSCTF{1_5W3ar_I_D1dn'7_BruT3f0rc3}

We have our flag.

Avengers Assemble

Challenge Description

The Avengers have assembled but for what? To solve this!? Why call Avengers for such a simple thing, when you can solve it yourself

FLAG FORMAT: OSCTF{Inp1_Inp2_Inp3} (Integer values)

Author: @Inv1s1bl3

code.asm
asm
extern printf
extern scanf


section .data
        fmt: db "%ld",0
        output: db "Correct",10,0
        out: db "Not Correct",10,0
        inp1: db "Input 1st number:",0
        inp2: db "Input 2nd number:",0
        inp3: db "Input 3rd number:",0


section .text
        global main


        main:
        push ebp
        mov ebp,esp
        sub esp,0x20


        push inp1
        call printf
        lea eax,[ebp-0x4]
        push eax
        push fmt
        call scanf


        push inp2
        call printf
        lea eax,[ebp-0xc]
        push eax
        push fmt
        call scanf


        push inp3
        call printf
        lea eax,[ebp-0x14]
        push eax
        push fmt
        call scanf


        mov ebx, DWORD[ebp-0xc]
        add ebx, DWORD[ebp-0x4]
        cmp ebx,0xdeadbeef
        jne N


        cmp DWORD[ebp-0x4], 0x6f56df65
        jg N


        cmp DWORD[ebp-0xc], 0x6f56df8d
        jg N
        cmp DWORD[ebp-0xc], 0x6f56df8d
        jl N


        mov ecx, DWORD[ebp-0x14]
        mov ebx, DWORD[ebp-0xc]
        xor ecx, ebx
        cmp ecx, 2103609845
        jne N
        jmp O


        N:
        push out
        call printf
        leave
        ret


        O:
        push output
        call printf


        leave
        ret

Solution

We have to input 3 numbers to pass the conditional checks. The program asks for 3 inputs at the start.

        mov ebx, DWORD[ebp-0xc]
        add ebx, DWORD[ebp-0x4]
        cmp ebx,0xdeadbeef
        jne N

This moves DWORD[ebp-0xc] (second input) to ebx and adds the first input to ebx. The result should be 0xdeadbeef

        cmp DWORD[ebp-0x4], 0x6f56df65
        jg N


        cmp DWORD[ebp-0xc], 0x6f56df8d
        jg N
        cmp DWORD[ebp-0xc], 0x6f56df8d
        jl N

Our first input should be less than 0x6f56df65, and the second input should be exactly 0x6f56df8d (jg and jl would jump to the label N if true). So our first input is thus 0xdeadbeef - 0x6f56df8d = 1867964258

        mov ecx, DWORD[ebp-0x14]
        mov ebx, DWORD[ebp-0xc]
        xor ecx, ebx
        cmp ecx, 2103609845
        jne N
        jmp O

The second input is XOR’ed with the third input to get 2103609845. To get the third input, we xor the known second input with 2103609845. So 0x6f56df8d ^ 2103609845 = 305419896

The flag is thus OSCTF{1867964258_1867964301_305419896}.

The Broken Sword

Challenge Description

The time for the reforging of the The Sword That Was Broken has come.. Elendil left a riddle, solving which will give the password, which is what you need to find :p..

Flag Format: OSCTF{valueof'flag'variable_valueof'a'variable_valueof'v2'variable} / OSCTF{flag_a_v2}

Author: @Inv1s1bl3

challenge.py
from Crypto.Util.number import *
from secret import flag,a,v2,pi


z1 = a+flag
y = long_to_bytes(z1)
print("The message is",y)
s = ''
s += chr(ord('a')+23)
v = ord(s)
f = 5483762481^v
g = f*35




r = 14
l = g
surface_area= pi*r*l
w = surface_area//1
s = int(f)
v = s^34
for i in range(1,10,1):
    h = v2*30
    h ^= 34
    h *= pi
    h /= 4567234567342
a += g+v2+f
a *= 67
al=a
print("a1:",al)
print('h:',h)
The message is b'\x0c\x07\x9e\x8e/\xc2'
a1 is: 899433952965498
h is: 0.0028203971921452278

Solution

The for loop in the challenge is negligible as v2 remains constant every iteration, thus the outcome of h is the same. We write as solve script to work backwards using simple math to obtain the original values. pi is taken to be 3.14 such that h remains a whole number.

solve.py
h = 0.0028203971921452278


h *= 4567234567342
print(h)
h /= 3.14
h = int(h)
h ^= 34
h /= 30


print("v2:", h)


y = int.from_bytes(b"\x0c\x07\x9e\x8e/\xc2", "big")
print("y:", y)
s = chr(ord('a') + 23)
v = ord(s)
f = 5483762481^v
g = f*35


a1 = 899433952965498
a1 /= 67
a = a1 - (g+h+f)
print(a)
flag = y - a
print(flag)

The flag is thus OSCTF{29260723_13226835162127_136745387}.