-
Notifications
You must be signed in to change notification settings - Fork 4
/
solve.py
executable file
·100 lines (90 loc) · 2.31 KB
/
solve.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/env python2
# 1. xor every char with 0x76
# 2. xor chars [7, 14) w/ 0xad and other stuff
# 3. xor chars [14, 21) w/ 0xbe and other stuff
# 4. xor chars [21, 28) w/ 0xef and other stuff
from pwn import *
def lshift(y, x):
return x << y
def rshift(y, x):
return x >> y
def _and(y, x):
return y & x;
def _or(y, x):
return y | x;
def _xor(y, x):
return y ^ x;
def math7to14(char):
return _or(
rshift(1,
_and(0xAA,
_xor(0xad,
_xor(0x76, char)
)
)
),
_and(0xAA,
lshift(1,
_xor(0xad,
_xor(0x76, char)
)
)
)
)
def math14to21(char):
return _or(
rshift(2,
_and(0xcc,
_xor(0xbe,
_xor(0x76, char)
)
)
),
_and(0xcc,
lshift(2,
_xor(0xbe,
_xor(0x76, char)
)
)
)
)
def math21to28(char):
return _or(
rshift(4,
_and(0xf0,
_xor(0xef,
_xor(0x76, char)
)
)
),
_and(0xf0,
lshift(4,
_xor(0xef,
_xor(0x76, char)
)
)
)
)
#encoded flag address: 0x41b0dc
encoded_flag = list("\x1e\x15\x02\x10\rHHo\xdd\xddHdc\xd7.,\xfejm*\xf2o\x9aM\x8bK\xca\xcfN@F\x10GF\x0b")
flag = []
for c in encoded_flag:
flag += [(chr(ord(c) ^ 0x76)) ]
for i in range(len(encoded_flag)):
if 7 <= i < 14:
for j in range(128):
if math7to14(j) == ord(encoded_flag[i]):
print("i: " + str(i) + " j: " + str(j) + " char: " +chr(j))
flag[i] = chr(j)
if 14 <= i < 21:
for j in range(128):
if math14to21(j) == ord(encoded_flag[i]):
print("i: " + str(i) + " j: " + str(j) + " char: " +chr(j))
flag[i] = chr(j)
if 21 <= i < 28:
for j in range(128):
if math21to28(j) == ord(encoded_flag[i]):
print("i: " + str(i) + " j: " + str(j) + " char: " +chr(j))
flag[i] = chr(j)
print(''.join(c for c in flag))
# hctf{>>D55_CH0CK3R_B0o0M!-5e860f10}