Table of Contents

DDOS

Category

forensic

reverse

Solution

We have the xmas_enc file. Based on its contents, we can assume that the file is encrypted with the XOR algorithm using an unknown key. Decrypt it as follows (the key file contains the last 7 bytes of the xmas_enc file contents):

    # decrypt ELF
    # The key is the tail of the encrypted file, so both the key and the
    # ciphertext are processed back to front and the result reversed again.
    with open('key', 'rb') as f:
        key = f.read()[::-1]
    with open('xmas_enc', 'rb') as f:
        enc = f.read()[::-1]
    # repeating-key XOR
    dec = bytearray([enc[i] ^ key[i % len(key)] for i in range(len(enc))])
    with open('xmas_dec', 'wb') as f:
        f.write(dec[::-1])

As a result, we get the xmas_dec file, which is an ELF 32-bit executable. The following global variables can be found in the data segment of this file:

xorkey

encrypted

Get the flag using the following script:

    # decrypt flag
    # Both arrays are taken from the data segment of xmas_dec.
    xorkey = bytearray([0x52, 0x67, 0xA0, 0xEF, 0x6D, 0xC1, 0x3A, 0xE4, 0x59, 0xDB,
                        0xB3, 0x24, 0x93, 0x9D, 0x31, 0x67, 0xC1, 0x85, 0x43, 0x6D,
                        0xE6, 0xDB, 0x7F, 0x0F, 0x13, 0xBD, 0xD5, 0xAA])
    encrypted = bytearray([0x0A, 0x4A, 0xED, 0xAE, 0x3E, 0xBA, 0x74, 0xD4, 0x2E, 0x84,
                           0xD4, 0x4B, 0xCC, 0xF1, 0x01, 0x0E, 0xA2, 0xDA, 0x37, 0x05,
                           0xD5, 0x84, 0x11, 0x3F, 0x23, 0xDF, 0xAF, 0xD7])
    # byte-wise XOR of the two arrays yields the flag
    flag = bytearray([xorkey[i] ^ encrypted[i] for i in range(len(encrypted))])
    print(flag)

Pushy

Category

misc

reverse

Solution

We have the pushy file. Open the graph view of the main function. By default, IDA will not open such a large graph; in this case, you need to adjust the graph display settings slightly.

As a result, you should see something like this:

Eggnog

Category

pwn

crypto

Solution

We have the ELF 64-bit executable file: chall.

In fact, the shellcode is modified before execution. The modification can be predicted once the unknown parameters of the linear congruential generator are recovered.

To get the final shellcode, I wrote the script lcg_get_next.py.
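The parameter recovery that step relies on, as an added example that is not the author's lcg_get_next.py: given a handful of consecutive generator states with a, c and m all unknown, it recovers them from the state differences and then predicts the following states. The sample states are constructed toy values (a = 33, c = 7, m = 251), not the challenge's.

```python
from math import gcd

# Constructed toy generator for this example, not the challenge's values:
# x_{n+1} = (33 * x_n + 7) mod 251, seeded with 5.
SAMPLE_STATES = [5, 172, 161, 49, 118, 136, 228, 1]


def recover_lcg(states):
    """Recover (a, c, m) from consecutive LCG states, all three unknown.

    Differences t_i = x_{i+1} - x_i satisfy t_{i+1} = a * t_i (mod m), so
    t_i * t_{i+2} - t_{i+1}^2 is a multiple of m. The gcd of several such
    values is m (with high probability); a and c then follow directly.
    Needs at least 5 states and gcd(t_0, m) == 1.
    """
    if len(states) < 5:
        raise ValueError("need at least 5 consecutive states")
    t = [b - a for a, b in zip(states, states[1:])]
    m = 0
    for t0, t1, t2 in zip(t, t[1:], t[2:]):
        m = gcd(m, abs(t0 * t2 - t1 * t1))
    if m == 0:
        raise ValueError("could not recover the modulus")
    # pow(x, -1, m) raises ValueError when t[0] is not invertible mod m
    a = (t[1] * pow(t[0], -1, m)) % m
    c = (states[1] - a * states[0]) % m
    return a, c, m


def lcg_next(x, a, c, m):
    """One step of the generator."""
    return (a * x + c) % m


def predict_next(states, count):
    """Recover the generator from observed states, return the next `count` states."""
    a, c, m = recover_lcg(states)
    out, x = [], states[-1]
    for _ in range(count):
        x = lcg_next(x, a, c, m)
        out.append(x)
    return out


if __name__ == "__main__":
    print(recover_lcg(SAMPLE_STATES))      # (33, 7, 251)
    print(predict_next(SAMPLE_STATES, 2))  # [40, 72]
```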

The flag can be obtained as follows:

Don’t Jump

Category

reverse

Solution

The solution is very well described here. I had also begun to solve the task that way until I noticed that the task has a logical error.

In fact, if you pass a string like X-MAS{} to the verification server, it replies that the flag is correct but not finished. When sending the strings X-MAS{a} or X-MAS{i}, the answer is similar.

Based on this, we can brute-force the flag byte by byte using the server's answers. We could also brute-force the flag locally, but that would take much more time.

To implement the brute force, I wrote the following script: sol-get-byte.py.

Kernel Crackme

Category

reverse

Solution

We have the PE32+ executable file challenge.exe and PE32+ executable (native) file X-MAS_kernel_crackme.sys.

Script to get the flag:

    from Crypto.Cipher import AES

    # from the challenge.exe executable file
    result = bytearray([0xF2, 0x63, 0x69, 0x4F, 0xF5, 0xCB, 0xFB, 0xF4, 0x98, 0x19, 0xC2, 0xFD,
                        0x39, 0xED, 0xF9, 0xCC, 0x5D, 0xEC, 0xD9, 0xEC, 0x66, 0xA5, 0x30, 0xD1,
                        0x82, 0x46, 0x7D, 0xA9, 0xFD, 0x5B, 0x3C, 0xBF, 0x1C, 0x3D, 0xBD, 0x70,
                        0x26, 0x00, 0x6A, 0x43, 0xC4, 0x0A, 0x47, 0x4C, 0xB7, 0x56, 0x2D, 0x50])

    # from the X-MAS_kernel_crackme.sys driver
    aes_key = bytearray([0x4B, 0x61, 0x50, 0x64, 0x53, 0x67, 0x56, 0x6B,
                         0x58, 0x70, 0x32, 0x73, 0x35, 0x76, 0x38, 0x79])

    # AES-128-ECB, three 16-byte blocks of ciphertext
    cipher = AES.new(aes_key, AES.MODE_ECB)
    print(cipher.decrypt(result))

Secret Journal

Category

reverse

Solution

Initial data: files from the archive Secret_journal.7z.

Script to get the flag:

    from Crypto.Cipher import AES

    # from the data/101.png file
    # references: https://en.wikipedia.org/wiki/Esoteric_programming_language
    # references: https://www.bertnase.de/npiet/npiet-execute.php
    key = b'parola_smechera0'
    iv = b'\x00' * 16  # all-zero IV

    # AES-128-CBC decryption of enc_res into res.png
    cipher = AES.new(key, AES.MODE_CBC, iv)
    with open('enc_res', 'rb') as f:
        enc = f.read()
    dec = cipher.decrypt(enc)
    with open('res.png', 'wb') as f:
        f.write(dec)

As a result of the script, we get a QR code with the flag. The decryption key was obtained by executing an esoteric (Piet) program:

QR code with the flag:

VM

Category

reverse

Solution

We have the ELF 64-bit executable file VM. I previously patched this file so that it decompiles correctly.

To solve the task, I completely rewrote the virtual machine in Python and then implemented a function that obtains the flag byte by byte.

Script to get the flag: vm.py.

Script execution result: