[HackIM 2016] [Misc 400 – Lol] Write Up


===Win this simple text decoder and take your flag !===


This appears to be successing rounds that we must solve before receiving the flag. We first thought that there is 25 rounds, but the “Lol” title indicates that it wasn’t the case. So we automatized the resolution of rounds with following code (there is even some brainfuck code to interprete).

def set_search(set, num): #returns whether num is in set or sets within set
 for c in set:
 if num in c:
 return True
 return False

def del_incompat(program):
 counter = 0
 for i in range(0,len(program)):
 if not program[i-counter] in "+-><.,[]":
 program = removeFromString(program,i-counter)
 counter += 1
 return program

def removeFromString(text, index): #simply remove the character at index
 return text[0:index] + text[index+1:]

def pair_brackets(program,pairs):
 #do it recursively: 
 i = 0
 flag = False
 while i < len(program):
 if program[i] == "[" and not set_search(pairs,i):
 tmp = i
 flag = True
 elif program[i] == "]" and not set_search(pairs,i):
 i = len(program)
 if flag:
 return pair_brackets(program, pairs)
 return pairs

def get_cb(pairs,index): #get corresponding bracket, given an index. returns -1 if no such corresponding bracket exists
 for c in pairs:
 if c[0] == index:
 return c[1]
 elif c[1] == index:
 return c[0]
 return -1

def bfuk(program):
 pairs = []
 program = del_incompat(program)

 pairs = pair_brackets(program,[])
 p = 0 #pointer in cell of integers
 i = 0 #interpreter pointer
 li = [0]*30000
 ret = ''
 while i < len(program):
 if program[i] == "+":
 li[p] += 1
 elif program[i] == "-":
 li[p] -= 1
 elif program[i] == ">":
 p += 1
 elif program[i] == "<":
 p -= 1
 elif program[i] == ".":
 ret = ret+(chr(li[p]))
 elif program[i] == ",":
 li[p] = ord(input())
 elif program[i] == "[":
 if li[p] == 0:
 elif program[i] == "]":
 if li[p] != 0:
 return ret

import binascii
import base64
import socket
import zlib
import bz2

dict = {'tedejmyixyj':'Do not wish it','oekhicybu':'Your smile','yqcqwhuqjuh':'I am a greater','yjyirujjuh':'It is better','ikssuiiyi':'Success is',
'jxqdaoek':'Thank you'}

def analyse(msg):
 global curIndex
 toRegexOn = ''
 i = 0
 while i<len(msg) and msg[i]<127:
 toRegexOn = toRegexOn+chr(msg[i])
 i = i+1
 m = re.search("(.*)\n([^-]*)-",toRegexOn)
 if m is not None:
 type = m.group(2)
 data = msg[len(m.group(1))+len(type)+2:-1]
 if type=='bina':
 toWorkOn = data.decode('ascii')
 groups = re.findall('[01]{8}',toWorkOn)
 ret = ''
 for i in groups:
 ret = ret+chr(int(i,2))
 return ret.encode('ascii')
 elif type=='ba16':
 return base64.b16decode(data)
 elif type=='ba32':
 return base64.b32decode(data)
 elif type=='ba64':
 return base64.b64decode(data)
 elif type=='ebcd':
 return data.decode('cp500').encode('ascii')
 elif type=='revs':
 return data.decode('ascii')[::-1].encode('ascii')
 elif type=='roti':
 tmp = data.decode('ascii')
 res = ''
 for i in tmp:
 if i>='a':
 res = res+chr(ord('a')+((ord(i)-ord('a')+13)%26))
 elif i>='A' and i<='Z':
 res = res+chr(ord('A')+((ord(i)-ord('A')+13)%26))
 res = res+i
 return res.encode('ascii')
 elif type=='ro42':
 if data.decode('ascii') in dict:
 res = dict[data.decode('ascii')]
 res = input()
 return res.encode('ascii')
 elif type=='zlib':
 return zlib.decompress(data)
 elif type=='bz2c':
 return bz2.decompress(data)
 elif type=='bfuk':
 return bfuk(data.decode('ascii')).encode('ascii')
 elif type=='hexa':
 return binascii.unhexlify(data)
 return '\n'.encode('ascii')

TCP_IP = ''
TCP_PORT = 30303

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
buf = s.recv(BUFFER_SIZE)

buf = '0'.encode('ascii')
while buf != ''.encode('ascii'):
 buf = s.recv(BUFFER_SIZE)
 buf = s.recv(BUFFER_SIZE)
 j = j+1

The server gave us the string “666p61677o6433633064696r675s69735s656173795s4p4s4p7q20”.
Using a rot13: “666c61677b6433633064696e675f69735f656173795f4c4f4c7d20”.
De-hexed : “flag{d3c0ding_is_easy_LOL}”.

Flag was “flag{d3c0ding_is_easy_LOL}“.

Leave a Reply

Your email address will not be published. Required fields are marked *