Cyber Sea Game 2018
Sorry for not keeping my promise but I am still a little bit shy using German, so maybe next time idk

Foreword

So basically it's not the actual Cyber Sea Game 2018, it's just one of the Cyber Sea Game 2019 events where we have to play CTF with other players from other countries, who were selected randomly, to solve last year's challenges. I have played and luckily won. Thanks to those new friends ;)

Wasm

Challenge file: main.wasm (403B, binary)
So basically this chall was released in the last hour and it's the chall that led our team to the win, with only 1 solve during the contest. Before it was released, there were 2 reverse challenges left, one was 200 points (this one) and another was 300 points. So I decided to take a safe bet and solved this challenge instead of the 300-point one.
To disassemble the WASM, I used this web-based tool:

    https://webassembly.github.io/wabt/demo/wasm2wat/

Disassembling main.wasm, we got
Taking a quick look at the disassembled code, we realize there are 2 functions, p and q, which basically work as follows:

    - the p() function calls the q() function
    - the q() function takes 2 integers, does some calculation, then returns 1 integer

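So basically, I don't have to care about the calculation in the q() function, just re-code it in Python:

    def q(p0, p1):
        # Straight transcription of the wasm stack operations
        i0 = p0
        i1 = 1
        i0 <<= (i1 & 31)        # p0 << 1
        i1 = p1
        i0 ^= i1                # (p0 << 1) ^ p1
        i1 = 24
        i0 <<= (i1 & 31)
        i1 = 24
        # Python ints do not wrap at 32 bits, so the << 24 / >> 24 pair
        # leaves the value unchanged here
        i0 = (i0 >> (i1 & 31))
        return i0
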
Later on, I realized the p() function took our input and passed it to the q() function to do the calculation, 2 chars at a time:

    Let's say:
    - input = "abcdef"
    Round 1:
    q(a, b)
    Round 2:
    q(b, c)
    Round 3:
    q(c, d)

and then the output of q() was compared with the data in $d0. So I just wrote a script to brute-force the flag char by char, knowing the flag is in "flag{}" format:

    import string


    def q(p0, p1):
        i0 = p0
        i1 = 1
        i0 <<= (i1 & 31)
        i1 = p1
        i0 ^= i1
        i1 = 24
        i0 <<= (i1 & 31)
        i1 = 24
        i0 = (i0 >> (i1 & 31))
        return i0


    # Bytes the output of q() is compared against ($d0)
    encoded = [0xa0, 0xb9, 0xa5, 0xb5, 0x81, 0xdd, 0x55, 0x55, 0x04, 0x9b, 0xdf, 0xb1,
               0x95, 0xd5, 0x0b, 0xb8, 0xa8, 0xa1, 0xad, 0x8f, 0x11, 0xb9, 0xcd, 0xd6,
               0x3f, 0xd9, 0xfe, 0x50, 0x50, 0x50, 0x04, 0xb5, 0xfa]

    flag = "f"  # known first character of the "flag{}" format
    pos = 0
    while flag[-1] != "}":
        for c in string.printable:
            if q(ord(flag[pos]), ord(c)) == encoded[pos]:
                flag += c
                print(flag)
                pos += 1
                break
        else:
            # No candidate matched: stop instead of looping forever
            raise ValueError("no match at position %d" % pos)

Later on, I realized there is a tool that can convert wasm to C (https://github.com/WebAssembly/wabt). I tried some but all failed, this one worked:

    flag{w333b_ass3mbly_1s_s0_g0000d}
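
The character search in the script above can be replaced by a direct inversion, because q() is a plain XOR in its second argument. This is an added example, not part of the original write-up: q32, encode and decode are names chosen here, and it assumes the shift-by-24 pair keeps the low 8 bits as an unsigned value and that the last table byte pairs "}" with a NUL terminator.

```python
# Added example: direct inversion of the chained q() encoding (not the author's code).
MASK32 = 0xFFFFFFFF

# Comparison table copied from the write-up's script.
ENCODED = [0xa0, 0xb9, 0xa5, 0xb5, 0x81, 0xdd, 0x55, 0x55, 0x04, 0x9b, 0xdf, 0xb1,
           0x95, 0xd5, 0x0b, 0xb8, 0xa8, 0xa1, 0xad, 0x8f, 0x11, 0xb9, 0xcd, 0xd6,
           0x3f, 0xd9, 0xfe, 0x50, 0x50, 0x50, 0x04, 0xb5, 0xfa]


def q32(p0, p1):
    """q() with 32-bit wrap-around made explicit (Python ints never overflow)."""
    x = ((p0 << 1) & MASK32) ^ p1
    x = (x << 24) & MASK32   # a 32-bit shl by 24 drops everything above bit 7
    return x >> 24           # assumption: shifted back as an unsigned value


def encode(text):
    """Chain q() over neighbouring characters; a trailing NUL is assumed."""
    data = [ord(ch) for ch in text] + [0]
    return [q32(a, b) for a, b in zip(data, data[1:])]


def decode(table, first):
    """Recover the input from the table and its first character, without search."""
    cur = ord(first)
    out = [cur]
    for byte in table:
        # q(p0, p1) & 0xff == ((p0 << 1) ^ p1) & 0xff, so p1 falls out by XOR.
        cur = byte ^ ((cur << 1) & 0xFF)
        out.append(cur)
    return "".join(chr(v) for v in out).rstrip("\x00")


if __name__ == "__main__":
    flag = decode(ENCODED, "f")
    print(flag)
    print(encode(flag) == ENCODED)                   # round trip against the table
    print(decode(ENCODED, "g")[8:] == flag[8:])      # wrong first guess, same tail
```

Decoding with a wrong first character still recovers everything from the ninth character on, since each step shifts the initial error left by one bit until it falls out of the byte.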

End game

The winning team got a small souvenir from ETDA, thanks ETDA ;)
It's pretty sad that I have not taken any picture with my new team :( Too bad, maybe next year...