PoliCTF challenge testata e funzionante. Polishing

2017-05-29 17:55:36 +02:00 · 2017-05-29 17:55:36 +02:00 · a0128d323b
commit a0128d323b
parent cc6cd1ee6e
13 changed files with 42 additions and 46 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,5 @@
 *.gipu
 *.out
 *.elf
+*.pasticciotto
 .vscode/
--- a/emulator/emulator.cpp
+++ b/emulator/emulator.cpp
@ -1,5 +1,5 @@
-#include "debug.h"
-#include "vm.h"
+#include "../vm/debug.h"
+#include "../vm/vm.h"
 #include <fstream>
 #include <stdint.h>
 #include <stdio.h>
--- a/polictf/asms/decrypt.pstc
+++ b/polictf/asms/decrypt.pstc
@ -89,14 +89,6 @@ poop r1
 retn

 def main:
-movi r0, 0x93af
-movi r1, 0x9ea9
-stri 0, r0
-stri 2, r1
-movi r0, 0x2008
-movi r1, 0xc917
-stri 0x4, r0
-stri 0x6, r1
 movi r0, 0
 call datastrlen
 movr r2, r0
@ -110,12 +102,10 @@ addr r1, s0
 call round
 poop s0
 addi s0, 4
-debg
 cmpr s0, r2
 jpbi decrypt
 lodi r0, 0
 lodi r1, 2
 lodi r2, 4
 lodi r3, 6
-debg
 shit
--- a/polictf/res/compiled.pstc
+++ b/polictf/res/compiled.pstc
--- a/polictf/res/decrypteddatasection.txt
+++ b/polictf/res/decrypteddatasection.txt
@ -1 +1 @@
-TheDataSectionHasBeenEncrypted
+TheDataSectionHasBeenEncrypted!WhoAreYouGonnaCall?TheRuNasss!
--- a/polictf/res/encrypteddatasection
+++ b/polictf/res/encrypteddatasection
@ -0,0 +1 @@
+Œê¾ªí Ðk™R%¹æØÿùé’zÅÄ~*ìg2E$ÐLdYí¦xþÑ¼àØ:ùûùùn\RXF<58>UXE!
--- a/polictf/server/pasticciotto_server.cpp
+++ b/polictf/server/pasticciotto_server.cpp
@ -25,13 +25,18 @@ void gen_random(uint8_t *s, const int len) {
 }

 unsigned char encrypted_data[] = {
-    0xcc, 0x8d, 0x5a, 0xcc, 0x73, 0xb5, 0xf2, 0xa3, 0xf3, 0x92,
-    0xa8, 0x8f, 0x2f, 0xf1, 0x3e, 0xf4, 0x69, 0x00, 0x4a, 0xcb,
-    0xed, 0xc4, 0x57, 0x9b, 0xf6, 0x9a, 0x78, 0x46, 0x83, 0xe9};
-unsigned int encrypted_data_len = 30;
+  0x8c, 0xea, 0xbe, 0xaa, 0xed, 0xa0, 0xd0, 0x6b, 0x99, 0x1c, 0x52, 0x25,
+  0xb9, 0xe6, 0xd8, 0xff, 0xf9, 0xe9, 0x92, 0x7a, 0x1c, 0xc5, 0xc4, 0x7e,
+  0x2a, 0xec, 0x67, 0x32, 0x1f, 0x45, 0x24, 0xd0, 0x4c, 0x7f, 0x15, 0x64,
+  0x59, 0xed, 0xa6, 0x78, 0xfe, 0xad, 0xd1, 0xbc, 0xe0, 0xd8, 0x3a, 0xf9,
+  0xfb, 0xf9, 0xf9, 0x6e, 0x5c, 0x52, 0x58, 0x46, 0x8d, 0x55, 0x58, 0x45,
+  0x21
+};
+unsigned int encrypted_data_len = 61;
+

 int main(int argc, char *argv[]) {
-  uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[DATAKEYLEN],
+  uint8_t *key = new uint8_t[KEYLEN], *decdatasec = new uint8_t[encrypted_data_len],
          *flag = new uint8_t[DATAKEYLEN];
  uint8_t *clientcode;
  uint8_t i;
@ -55,6 +60,10 @@ int main(int argc, char *argv[]) {
  }
  VM vm(key, clientcode, clientcodesize);
  vm.as.insData(encrypted_data, encrypted_data_len);
+  printf("BEFORE:\n");
+  for (i = 0; i < DATAKEYLEN; i++) {
+    fprintf(stdout, "buf[%d] = 0x%02x\n", i, vm.as.data[i]);
+  }
  vm.run();

  datap = fopen("../res/decrypteddatasection.txt", "r");
@ -66,9 +75,12 @@ int main(int argc, char *argv[]) {
  fscanf(datap, "%s", decdatasec);
  fclose(datap);

+  for (i = 0; i < DATAKEYLEN; i++) {
+    fprintf(stdout, "buf[%d] = 0x%02x\n", i, vm.as.data[i]);
+  }
  for (i = 0; i < DATAKEYLEN; i++) {
    if (vm.as.data[i] != decdatasec[i]) {
-        DBG_INFO(("Checking data[%d]..\n", i));
+        printf("Checking data[%d]..\n", i);
        fflush(stdout);
      printf("Nope!\n");
      fflush(stdout);
--- a/polictf/server/test.py
+++ b/polictf/server/test.py
@ -0,0 +1,16 @@
+from pwn import *
+import subprocess
+
+key_re = re.compile(".*\"(.*)\".*")
+r = remote("127.0.0.1", 8888)
+
+first = r.recv()
+key = key_re.match(first).group(1)
+print("Using key: {}".format(key))
+subprocess.check_call(["python3", "../../assembler/assembler.py", "{}".format(key), "../asms/decrypt.pstc", "./out.pasticciotto"])
+with open("./out.pasticciotto") as f:
+    data = f.read()
+r.send("{}\n".format(len(data)))
+print(r.recv())
+r.send("{}\n".format(data))
+print(r.recv(100000))
--- a/polictf/tea_cversion/decrypt_test
+++ b/polictf/tea_cversion/decrypt_test
@ -1 +0,0 @@
-4 test
--- a/polictf/tea_cversion/encrypted
+++ b/polictf/tea_cversion/encrypted
@ -1 +0,0 @@
-╞⌠╘· и
--- a/polictf/tea_cversion/tea-decrypt.c
+++ b/polictf/tea_cversion/tea-decrypt.c
@ -5,19 +5,15 @@
 #include <unistd.h>

 void decrypt(uint16_t *v) {
-  uint16_t v0 = v[0], v1 = v[1], sum = 0x3780, i; /* set up */
-  uint16_t delta = 0x626f;                        /* a key schedule constant */
+  uint16_t v0 = v[0], v1 = v[1], i;
  uint16_t k0 = 0x7065;                           // "pe"
  uint16_t k1 = 0x7065;                           // "pe"
  uint16_t k2 = 0x7275;                           // "ru"
  uint16_t k3 = 0x6e73;                           // "ns"
  for (i = 0; i < 128; i++) {
-    //printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1); /* basic cycle
-    // start */
    v1 -= ((v0 << 4) + k2) ^ (v0) ^ ((v0 >> 5) + k3);
    v0 -= ((v1 << 4) + k0) ^ (v1) ^ ((v1 >> 5) + k1);
-    sum -= delta;
-  } /* end cycle */
+  }
  v[0] = v0;
  v[1] = v1;
 }
--- a/polictf/tea_cversion/tea-encrypt.c
+++ b/polictf/tea_cversion/tea-encrypt.c
@ -5,21 +5,15 @@
 #include <unistd.h>

 void encrypt(uint16_t *v) {
-  uint16_t v0 = v[0], v1 = v[1], sum = 0, i; /* set up */
-  uint16_t delta = 0x626f;
+  uint16_t v0 = v[0], v1 = v[1], i;
  uint16_t k0 = 0x7065; // "pe"
  uint16_t k1 = 0x7065; // "pe"
  uint16_t k2 = 0x7275; // "ru"
  uint16_t k3 = 0x6e73; // "ns"
-  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
  for (i = 0; i < 128; i++) {
-    sum += delta;
    v0 += ((v1 << 4) + k0) ^ (v1) ^ ((v1 >> 5) + k1);
    v1 += ((v0 << 4) + k2) ^ (v0) ^ ((v0 >> 5) + k3);
-    // printf("Intermediate v0: 0x%x | v1: 0x%x\n", v0, v1);
  }
-  // printf("SUM: 0x%x\n", sum);
-  // printf("v0: 0x%x, v1: 0x%x\n", v0, v1);
  v[0] = v0;
  v[1] = v1;
 }
--- a/polictf/tea_cversion/test.py
+++ b/polictf/tea_cversion/test.py
@ -1,12 +0,0 @@
-from pwn import *
-
-r = remote("127.0.0.1", 8888)
-
-
-with open("./encrypted") as f:
-    data = f.read()
-
-print(r.recv())
-r.send("{}\n".format(len(data)))
-r.send("{}\n".format(data))
-print(r.recv())
				`@ -0,0 +1 @@`
				`Œê¾ªí Ðk™R%¹æØÿùé’zÅÄ~*ìg2E$ÐLdYí¦xþÑ¼àØ:ùûùùn\RXF<58>UXE!`