# [HackIM 2016] [Misc 400 – Lol] Write Up

## Description

52.91.163.151:30303

===Win this simple text decoder and take your flag !===

## Resolution

This appears to be successing rounds that we must solve before receiving the flag. We first thought that there is 25 rounds, but the “Lol” title indicates that it wasn’t the case. So we automatized the resolution of rounds with following code (there is even some brainfuck code to interprete).

```def set_search(set, num): #returns whether num is in set or sets within set
for c in set:
if num in c:
return True
return False

def del_incompat(program):
counter = 0
for i in range(0,len(program)):
if not program[i-counter] in "+-><.,[]":
program = removeFromString(program,i-counter)
counter += 1
return program

def removeFromString(text, index): #simply remove the character at index
return text[0:index] + text[index+1:]

def pair_brackets(program,pairs):
#do it recursively:
i = 0
flag = False
while i < len(program):
if program[i] == "[" and not set_search(pairs,i):
tmp = i
flag = True
elif program[i] == "]" and not set_search(pairs,i):
pairs.append((tmp,i))
i = len(program)
i+=1
if flag:
return pair_brackets(program, pairs)
else:
return pairs

def get_cb(pairs,index): #get corresponding bracket, given an index. returns -1 if no such corresponding bracket exists
for c in pairs:
if c[0] == index:
return c[1]
elif c[1] == index:
return c[0]
return -1

def bfuk(program):
pairs = []
program = del_incompat(program)

pairs = pair_brackets(program,[])
p = 0 #pointer in cell of integers
i = 0 #interpreter pointer
li = [0]*30000
ret = ''
while i < len(program):
if program[i] == "+":
li[p] += 1
elif program[i] == "-":
li[p] -= 1
elif program[i] == ">":
p += 1
elif program[i] == "<":
p -= 1
elif program[i] == ".":
ret = ret+(chr(li[p]))
elif program[i] == ",":
li[p] = ord(input())
elif program[i] == "[":
if li[p] == 0:
i=get_cb(pairs,i)
elif program[i] == "]":
if li[p] != 0:
i=get_cb(pairs,i)
i+=1
return ret

import binascii
import base64
import socket
import zlib
import bz2

dict = {'tedejmyixyj':'Do not wish it','oekhicybu':'Your smile','yqcqwhuqjuh':'I am a greater','yjyirujjuh':'It is better','ikssuiiyi':'Success is',
'jxqdaoek':'Thank you'}

def analyse(msg):
global curIndex

toRegexOn = ''
i = 0
while i<len(msg) and msg[i]<127:
toRegexOn = toRegexOn+chr(msg[i])
i = i+1

m = re.search("(.*)\n([^-]*)-",toRegexOn)
if m is not None:
type = m.group(2)
data = msg[len(m.group(1))+len(type)+2:-1]
print(data)

if type=='bina':
toWorkOn = data.decode('ascii')
groups = re.findall('[01]{8}',toWorkOn)
ret = ''
for i in groups:
ret = ret+chr(int(i,2))
return ret.encode('ascii')
elif type=='ba16':
return base64.b16decode(data)
elif type=='ba32':
return base64.b32decode(data)
elif type=='ba64':
return base64.b64decode(data)
elif type=='ebcd':
return data.decode('cp500').encode('ascii')
elif type=='revs':
return data.decode('ascii')[::-1].encode('ascii')
elif type=='roti':
tmp = data.decode('ascii')
res = ''
for i in tmp:
if i>='a':
res = res+chr(ord('a')+((ord(i)-ord('a')+13)%26))
elif i>='A' and i<='Z':
res = res+chr(ord('A')+((ord(i)-ord('A')+13)%26))
else:
res = res+i
return res.encode('ascii')
elif type=='ro42':
if data.decode('ascii') in dict:
res = dict[data.decode('ascii')]
else:
res = input()
return res.encode('ascii')
elif type=='zlib':
return zlib.decompress(data)
elif type=='bz2c':
return bz2.decompress(data)
elif type=='bfuk':
return bfuk(data.decode('ascii')).encode('ascii')
elif type=='hexa':
return binascii.unhexlify(data)
return '\n'.encode('ascii')

TCP_IP = '52.91.163.151'
TCP_PORT = 30303
BUFFER_SIZE = 1024

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
buf = s.recv(BUFFER_SIZE)
print(buf)

j=0
buf = '0'.encode('ascii')
while buf != ''.encode('ascii'):
buf = s.recv(BUFFER_SIZE)
print(buf)
buf = s.recv(BUFFER_SIZE)
print(buf)

s.send(analyse(buf))
j = j+1
```

The server gave us the string “666p61677o6433633064696r675s69735s656173795s4p4s4p7q20”.
Using a rot13: “666c61677b6433633064696e675f69735f656173795f4c4f4c7d20”.
De-hexed : “flag{d3c0ding_is_easy_LOL}”.

Flag was “flag{d3c0ding_is_easy_LOL}“.