Evlz CTF 2019 Smol-Big

대회 때 바이너리를 받아놓고 풀어보진 않았었는데, 풀 문제들 찾아보다 눈에보여서 풀어봤다.

먼저 바이너리를 실행해보면 입력값을 받아 1,0으로 이루어진 2진수 값으로 반환을 해준다. 이 값이 어떻게 반환되는지 보기 위해 아래 코드를 분석해봤다.

코드를 보면 0x55FF4A443080 메모리 영역에 테이블 값이 존재했는데 대충 값을 보니 아래와 같은 형태로 이루어져 있었다.

10 , 1 , 0 , 1 , 0 , 1 , 0 , 1 , 0 , 1 , 0 , 1 , 5 , 1 , 1 , 1 , 1 , 1 , 0 , 1 , 0 , 1 , 0 , 1  

이 때 입력 값으로 테이블 인덱스 값을 구해 해당 인덱스의 존재하는 값을 길이로 지정한다. 그 후 해당 길이만큼 반복문을 돌면서 그 다음 메모리에 존재하는 값들을 더해 구한 2진수 값 만들고 반환해준다.

알고리즘 분석은 다 했으니 이제 역연산을 해주면 되는데, 문제에서 바이너리와 함께 제공해준 데이터 파일을 역연산 해주면 된다.

flag_binary = "11110101011110010101111101111001110001100000001000000100101011111001110001100110100010110010111010111100101011100011000010000000001101110001100111000000011110011111000110111001001111100011001101011010111100000010011111011010110011011111000110101011100101011100011001110000000110100000001000000000001001101011000001100001001111110001100111110001011100000001101110010011111000110000100111110110100111000110011010001011111000110011111000000101010010011110001011110100111000110000110111110111100100000101111001010111000110000000110000110101100000110100000001101001010111000000110111000110010101001101110001100001011111100000001001001011110010101111101110001100111110001101110001100110100010110010111010111100101011111011100011001111001110000000100111110000111000000011100011001110000000001011100000111011110101111000000011100101111110001100110111001101110001100111110110000000001111001110001100111000000011010011100011001111000000011000000000111100111000110011011011111011000000000111000000011110011100100111110001100111110110110001011101110011101000001101011111000000111110010000110010101110010001001000010000000111000000111000011100000110000011101001001110000011100111111000000111100000011101001110000011101101110000001110010101110000011000010111001000111100000000010111111010001100001011101000011101011001101011011100011001110111101010000000100111000110011000001011001000011011001010101011101001110001100111110010100111110110010101101011000000011011100000000011000000010111100001110001100101010010111001011111100000001111001101011010111110001100001011111100000001001001011110010100000000100111000110011000000000001000000011100011001010100110111000110011100000000010111000001110111101010000010000111000110011111001010011100011001111101110000000111000110011010110101111110011110001011110100010111110001100110101101011110000001001111101110111101011110000000001101110010111111000110011111110101000000010011100011001110000000101010011011111011100011000000011001010101011100101011111011100011001101000101100101110101111001010111000110000000110000111000110011001010111110100001100101011111000001011111011000011010011111011001010000000011011100011000000011000011100011001101100101100101111010110000001101110000000001101111101110001100110110111110001011100000001101110001100111110001000010011111011100011001101011000000010111001011110101111100111000110011010001011001011101011110010101111101110001100111110101011110001100101101010110011100000111000000000110111000110011000010101001011100101111110000000111000110010000111000000011001010000001110000000001101010111001010"

table = "10,1,1,1,0,0,0,1,1,0,0,0,10,1,1,1,0,0,0,1,1,1,0,0,10,1,1,1,0,0,0,0,1,0,0,0,10,1,1,1,0,0,0,1,1,1,1,0,10,1,1,1,0,1,0,0,1,1,1,0,10,1,1,1,0,0,0,0,1,0,1,0,10,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,1,1,1,0,0,1,1,0,0,0,0,10,1,1,1,0,0,1,0,0,0,0,0,10,1,1,1,0,0,0,0,1,1,1,0,10,1,1,1,0,1,0,0,0,1,0,0,10,1,1,1,0,0,1,0,0,1,1,0,10,1,1,1,0,0,1,0,1,0,1,0,10,1,1,1,0,0,1,0,1,1,1,0,10,1,1,0,0,1,0,0,0,1,1,0,10,1,1,1,0,0,0,0,0,0,1,0,10,1,1,1,0,0,1,1,0,0,1,0,10,1,1,1,0,1,0,0,1,1,0,0,10,1,1,1,0,0,1,0,0,0,1,0,10,1,1,1,0,0,0,0,1,1,0,0,10,1,1,1,0,1,0,0,1,0,0,0,10,1,1,1,0,1,0,0,1,0,1,0,10,1,1,1,0,1,0,0,0,1,1,0,10,1,1,1,0,0,1,0,0,1,0,0,10,1,1,1,0,1,0,1,1,1,0,0,10,1,1,1,0,1,0,1,1,1,1,0,10,1,1,1,0,1,0,1,1,0,0,0,10,1,1,1,0,1,0,1,1,0,1,0,10,1,1,1,0,1,0,1,0,1,0,0,10,1,1,1,0,0,0,1,0,0,0,0,10,1,1,1,0,0,0,0,0,1,0,0,10,1,1,1,0,1,0,1,0,0,1,0,5,1,0,0,0,1,0,0,0,0,0,0,7,1,1,0,1,0,1,0,0,0,0,0,6,1,1,0,0,1,1,0,0,0,0,0,6,1,1,1,1,1,1,0,0,0,0,0,5,1,0,1,1,1,0,0,0,0,0,0,6,1,0,0,1,1,0,0,0,0,0,0,6,0,0,0,0,1,1,0,0,0,0,0,5,0,0,0,1,0,0,0,0,0,0,0,5,0,1,1,0,1,0,0,0,0,0,0,9,1,1,1,0,0,1,1,0,1,0,0,7,0,0,1,0,1,1,0,0,0,0,0,6,1,1,1,1,0,1,0,0,0,0,0,6,1,1,0,0,0,1,0,0,0,0,0,5,0,1,0,0,1,0,0,0,0,0,0,5,0,1,1,1,1,0,0,0,0,0,0,7,1,1,1,0,1,1,0,0,0,0,0,8,1,1,0,0,1,0,0,1,0,0,0,5,0,0,0,1,1,0,0,0,0,0,0,5,0,0,1,1,1,0,0,0,0,0,0,5,1,0,1,0,0,0,0,0,0,0,0,6,1,1,0,1,1,1,0,0,0,0,0,7,0,1,1,1,0,1,1,0,0,0,0,6,0,1,0,0,0,1,0,0,0,0,0,8,1,1,1,0,0,1,1,1,0,0,0,6,0,1,0,1,0,1,0,0,0,0,0,10,1,1,1,0,0,1,0,1,1,0,0,6,0,1,0,0,0,0,0,0,0,0,0,10,1,1,1,0,1,0,1,0,1,1,0,10,1,1,1,0,0,0,1,0,0,1,0,9,1,1,0,0,1,0,0,0,0,0,0,10,1,1,1,0,0,0,0,0,1,1,0,10,1,1,1,0,1,0,1,0,0,0,0,10,1,1,1,0,0,0,0,0,0,0,0,5,1,0,0,1,0,0,0,0,0,0,0,7,1,1,0,1,0,1,1,0,0,0,0,6,1,1,0,1,0,0,0,0,0,0,0,6,1,1,1,1,1,0,0,0,0,0,0,5,1,0,1,1,0,0,0,0,0,0,0,6,1,0,0,1,1,1,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,5,0,1,1,0,0,0,0,0,0,0,0,9,1,1,1,0,0,0,1,0,1,0,0,7,0,0,1,0,1,1,1,0,0,0,0,6,1,1,1,1,0,0,0,0,0,0,0,6,1,1,0,0,0,0,0,0,0,0,0,5,0,1,0,1,1,0,0,0,0,0,0,5,1,0,0,0,0,0,0,0,0,0,0,7,1,1,1,0,1,1,1,0,0,0,0,8,1,1,0,0,1,0,1,0,0,0,0,5,0,0,1,0,0,0,0,0,0,0,0,5,0,0,1,1,0,0,0,0,0,0,0,5,1,0,1,0,1,0,0,0,0,0,0,6,1,1,0,1,1,0,0,0,0,0,0,7,0,1,1,1,0,1,0,0,0,0,0,6,0,1,0,1,0,0,0,0,0,0,0,8,1,1,0,0,1,0,1,1,0,0,0,6,0,1,1,1,0,0,0,0,0,0,0,10,1,1,1,0,1,0,0,0,0,0,0,6,0,0,1,0,1,0,0,0,0,0,0,10,1,1,1,0,1,0,0,0,0,1,0"

table = table.split(',')

count = 1

binary = ""

binary_table = []

for i in range(0,len(table)):

    if i%12==0:

        tmp = int(table[i],10)

    elif i%12==11:

        binary_table.append(binary[0:tmp])

        binary = ""

        count += 1

    else:

        binary += table[i]

def flagSearch(flag_binary):

    for i in range(5,11):

        result = findString(flag_binary[0:i])

        if result!="not found":

            return [result,i]

def findString(data):

    for i in range(0,len(binary_table)):

        if data==binary_table[i]:

            return chr(i+32)

    return "not found"

flag = ""

for i in range(0,600):

    result = flagSearch(flag_binary)

    flag += result[0]

    flag_binary = flag_binary[result[1]:]

print flag

해당 코드를 돌려주면 아래와 같은 문장이 나오고 해당 문장 안에 플래그가 들어있었다.

Result

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, evlz{c0mpr3ssi0n_i5_g00d_f0r_h3al7h}ctf quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur

Flag = evlz{c0mpr3ssi0n_i5_g00d_f0r_h3al7h}ctf