ByteBandits CTF 2020
The challenges were good and really fun to solve, our team 7SecCTF managed to solve 6 challenges.
The gremlin challenge was particularly interesting
It was a Reverse-Engineering Challenge.
The challenge Description was :
There's a gremlin in my machinery. I guess it'll stop working soon. Can you help me?
along with a file cpg.bin to download
A Hint was also provided
u32 table[10][2] = { {0xff, 1}, {0xfe, 2}, {0xfd, 3},
{0xfc, 4}, {0xfb, 5}, {0x00, 5}, {0x01, 4}, {0x02, 3}, {0x03, 2}, {0x04, 1} };
I downloaded the cpg.bin file.
gremlin >> head cpg.bin
H:2,blockSize:1000,created:17168fe53f5,format:1,fletcher:a504a51d
H:2,blockSize:1000,created:17168fe53f5,format:1,fletcher:a504a51d
chunk:1,block:2,len:1,map:2,max:380,next:3,pages:3,root:400000c388,time:3ee,version:1
�RSTU'��LANGUAGE��C��6)��FULL_NAME��<global>�NAME��<global>
��@&��NAME��"/home/jai/Documents/ctf/bbctf/re.c��� �
�y)��FULL_NAME��+/home/jai/Documents/ctf/bbctf/re.c:<global>�NAME��<global>�
�� � (� k� �
�
�
�
� �
On running strings command on it, the output contained many strings like LINE_NUMBER ORDER PARSER_TYPE_NAME CODE and also contained some code segments
gremlin >> strings cpg.bin
....
....
....
LINE_NUMBER
ORDER
PARSER_TYPE_NAME
ForStatement
CODE
for (u8 i = 1; i <= key[1]; i++)
ARGUMENT_INDEX
COLUMN_NUMBER
LINE_NUMBER
CODE
TYPE_FULL_NAME
....
....
....
the for loop code segment was interesting, the file seemed like something related to CPG(Code Property Graph) representation, But i didn't know anything about CPG, so i examined the strings output for more details, i further came accross many more code segments
...
...
CODE
while (n > 0)
...
CODE
printf("%llu", out[i])
...
"%llu"
...
CODE
printf("\n")
...
...
we can also note that all the code segments are preceded by the string CODE, so i grepped the strings output
gremlin >> strings cpg.bin| grep CODE -A1|head -n30
CODE
u64 n
--
CODE
COLUMN_NUMBER
--
CODE
ARGUMENT_INDEX
--
CODE
TYPE_FULL_NAME
--
CODE
r = 0
--
CODE
ARGUMENT_INDEX
--
CODE
ARGUMENT_INDEX
--
CODE
while (n > 0)
--
CODE
n > 0
--
CODE
ARGUMENT_INDEX
--
after cleaning up the strings, we get
u64 n
r = 0
while (n > 0)
n > 0
r |= n & 0xff
n & 0xff
0xff
r <<= 1
n >>= 1
r >>= 1
return r;
u8 *s
u32 *idx
*key = table[s[0]]
table[s[0]]
table
s[0]
...
...
...
key[1]
return val;
char *s
u32 n
sz = 0
idx = 0
while (idx < n)
idx < n
*key = table[s[idx]]
table[s[idx]]
table
s[idx]
idx += key[1] + 1
key[1] + 1
key[1]
sz++
return sz;
idx = 0
in[] = { 0, 3, 9, 1, 1, 4, 5, 2, 7, 6, 1, 5, 0, 6, 3, 9, 8, 4,
9, 9, 2,\n 1, 3, 7, 6, 5, 4, 6, 1, 1, 2, 3, 3, 2, 1, 0, 3, 8, 2, 7 }
...
...
...
and after cleaning all the repeated code we finally get a rough c code
u64 n
r = 0
while (n > 0){
r |= n & 0xff
r <<= 1
n >>= 1
}
r >>= 1
return r;
u8 *s
u32 *idx
*key = table[s[0]]
s[0] &= key[0]
val = 0
val |= s[0]
for (u8 i = 1; i <= key[1]; i++){
val <<= 1
val |= s[i]
*idx += key[1] + 1
return val;
char *s
u32 n
sz = 0
idx = 0
while (idx < n){
*key = table[s[idx]]
idx += key[1] + 1
sz++
return sz;
idx = 0
in[] = { 0, 3, 9, 1, 1, 4, 5, 2, 7, 6, 1, 5, 0, 6, 3, 9, 8, 4,
9, 9, 2, 1, 3, 7, 6, 5, 4, 6, 1, 1, 2, 3, 3, 2, 1, 0, 3, 8, 2, 7 }
len = sizeof(in) / sizeof(u8)
sz = calc_size(in, len)
idx_o = 0
*out = (u64*)malloc(sz * sizeof(u64))
while (idx < len){
&out[idx_o++] = resolve(in + idx, &idx)
for (u32 i = 0; i < idx_o; i++)
printf("%llu", out[i])
printf("\n")
return 0;
we can also see that an array named table is being referred here which appears to be same as the one from the provided Hint.
i then converted the above c code to python which involved removing some size calculation and memory allocation functions
table = [ [0xff, 1], [0xfe, 2], [0xfd, 3], [0xfc, 4],
[0xfb, 5], [0x00, 5], [0x01, 4], [0x02, 3], [0x03, 2], [0x04, 1] ]
def resolve(s,idx):
key = table[s[0]]
s[0] &= key[0]
val = 0
val |= s[0]
for i in range(1,key[1]+1):
val <<= 1
val |= s[i]
idx += key[1] + 1
return (idx,val)
def main():
idx = 0
ln = [ 0, 3, 9, 1, 1, 4, 5, 2, 7, 6, 1, 5, 0, 6, 3, 9, 8, 4,
9, 9, 2, 1, 3, 7, 6, 5, 4, 6, 1, 1, 2, 3, 3, 2, 1, 0, 3, 8, 2, 7 ]
l = len(ln)
idx_o = 0
out= [0]*l
while (idx < l):
(idx,out[idx_o]) = resolve(ln[idx:], idx)
idx_o+=1
for i in range(0,idx_o):
print(out[i],end='')
print()
return 0
main()
after running the above python code we get some integer output 311329622193015237 and the flag is flag{311329622193015237}
Initially i thought that it would be hard to solve, mostly because of the low number of solves, but it came out pretty easy.
It was a really good challenge :)