Posts tagged with reversing

redpwnCTF - aall

Posted on June 25, 2020* in ctf-writeups


how many layers of vm are you on

like,, maybe 5, or 6 right now my dude

you are like a baby... watch this

nc 31755

We're also given a python file and a Dockerfile.


Looking at the python file shows that it writes out a file named breakout.aallo and calls exec on a string after base64-decoding and lzma-uncompressing it. We can modify the file to save the executed file to disk instead. It's a python script, but all of the variables are random unicode characters. Although the python interpreter is happy to run the code, it's nearly impossible to understand.

Continue Reading

picoCTF 2019 - Java Script Kiddie 2

Posted on October 12, 2019* in ctf-writeups

We are given a website, that is nearly identical to Java Script Kiddie 1. The assemble_png function takes in a key of length 32, and manipulates the bytes to decode the src attribute of an image.

function assemble_png(u_in){
    var LEN = 16;
    var key = "00000000000000000000000000000000";
    var shifter;
    if(u_in.length == key.length){
        key = u_in;
    var result = [];
    for(var i = 0; i < LEN; i++){
        shifter = Number(key.slice((i*2),(i*2)+1));
        for(var j = 0; j < (bytes.length / LEN); j ++){
            result[(j * LEN) + i] = bytes[(((j + shifter) * LEN) % bytes.length) + i]
    while(result[result.length-1] == 0){
        result = result.slice(0,result.length-1);
    document.getElementById("Area").src = "data:image/png;base64," + btoa(String.fromCharCode.apply(null, new Uint8Array(result)));
    return false;
Continue Reading

picoCTF 2018 - circuit123

Posted on October 17, 2018* in ctf-writeups


Can you crack the key to decrypt map2 for us? The key to map1 is 11443513758266689915.




Given the problem and the hint, it is clear that we can use z3 to solve this problem. We can create a z3 BitVec and pass it into the verify function to avoid writing a custom decrypter. Because we don't know the length of the bit vector, I used a conservative estimate of 128.

Continue Reading


As the song draws closer to the end, another executable be-quick-or-be-dead-3 suddenly pops up. This one requires even faster machines. Can you run it fast enough too?


After decompiling the program with Snowman, we can see pseudocode for the calc function:

uint32_t calc(uint32_t edi) {
    uint32_t eax2;
    uint32_t eax3;
    uint32_t eax4;
    uint32_t eax5;
    uint32_t eax6;
    uint32_t v7;

    if (edi > 4) {
        eax2 = calc(edi - 1);
        eax3 = calc(edi - 2);
        eax4 = calc(edi - 3);
        eax5 = calc(edi - 4);
        eax6 = calc(edi - 5);
        v7 = eax6 * 0x1234 + (eax2 - eax3 + (eax4 - eax5));
    } else {
        v7 = edi * edi + 0x2345;
    return v7;
Continue Reading