<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Amen - Instruo CTF 2025</title>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/styles/github-dark.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.9.0/highlight.min.js"></script>
<style>
@import url('https://fonts.googleapis.com/css2?family=IBM+Plex+Mono:wght@300;400;500;600;700&display=swap');
* { font-family: 'IBM Plex Mono', monospace; }
body {
background: linear-gradient(135deg, #1a1a2e 0%, #16213e 50%, #0f3460 100%);
min-height: 100vh;
}
.glass {
background: rgba(255, 255, 255, 0.1);
backdrop-filter: blur(10px);
border: 1px solid rgba(255, 255, 255, 0.2);
box-shadow: 0 8px 32px 0 rgba(0, 0, 0, 0.3);
}
.content-section {
background: rgba(255, 255, 255, 0.95);
border-radius: 1rem;
padding: 2rem;
margin-bottom: 2rem;
}
pre { background: #1e1e1e !important; border-radius: 0.5rem; padding: 1rem; overflow-x: auto; }
code { background: #f3f4f6; padding: 0.2rem 0.4rem; border-radius: 0.25rem; font-size: 0.875rem; }
pre code { background: transparent; padding: 0; }
table { width: 100%; border-collapse: collapse; margin: 1rem 0; }
table th, table td { border: 1px solid #e5e7eb; padding: 0.75rem; text-align: left; }
table th { background: #f9fafb; font-weight: 600; }
</style>
</head>
<body class="antialiased">
<nav class="glass fixed w-full z-50 top-0">
<div class="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8">
<div class="flex items-center justify-between h-16">
<div class="flex items-center">
<a href="../index.html" class="flex items-center space-x-2">
<svg class="w-6 h-6 text-white" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 12l2-2m0 0l7-7 7 7M5 10v10a1 1 0 001 1h3m10-11l2 2m-2-2v10a1 1 0 01-1 1h-3m-6 0a1 1 0 001-1v-4a1 1 0 011-1h2a1 1 0 011 1v4a1 1 0 001 1m-6 0h6"></path>
</svg>
<span class="text-white text-xl font-bold">Instruo CTF</span>
</a>
</div>
<a href="../index.html" class="text-white hover:text-gray-200 px-3 py-2 text-sm font-medium">Back to Home</a>
</div>
</div>
</nav>
<div class="pt-24 pb-12 px-4 sm:px-6 lg:px-8">
<div class="max-w-4xl mx-auto">
<div class="glass rounded-2xl p-8 mb-8">
<div class="flex items-center space-x-3 mb-4">
<svg class="w-8 h-8 text-white" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.066c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z"></path>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z"></path>
</svg>
<h1 class="text-4xl font-bold text-white">Amen</h1>
</div>
<div class="flex flex-wrap gap-3">
<span class="inline-flex items-center px-3 py-1 rounded-full text-sm font-medium bg-indigo-700 text-white">Reverse Engineering</span>
<span class="inline-flex items-center px-3 py-1 rounded-full text-sm font-medium bg-yellow-600 text-white">Medium</span>
</div>
</div>
<div class="content-section">
<h2 class="text-2xl font-bold mb-4">Challenge Information</h2>
<ul class="space-y-2">
<li><strong>Challenge Name:</strong> Amen (Binary: "a (3)")</li>
<li><strong>Category:</strong> Reverse Engineering</li>
<li><strong>File:</strong> 32-bit ELF executable</li>
<li><strong>Hint:</strong> "strings lol.. zsteg the file bro"</li>
<li><strong>Flag:</strong> <code class="text-green-600">EOF{wh3r3_ar3_my_po1n+5}</code></li>
</ul>
</div>
<div class="content-section">
<h2 class="text-2xl font-bold mb-4">Solution Methodology</h2>
<h3 class="text-xl font-semibold mb-3 mt-4">Step 1: Initial Binary Analysis</h3>
<pre><code class="language-bash">file "a (3)"
# Output: ELF 32-bit LSB executable, Intel 80386
strings "a (3)" | grep -i "flag\|eof"
# Found hint: "strings lol.. zsteg the file bro"</code></pre>
<p class="mb-3"><strong>Observation:</strong> The binary is a 32-bit executable with a misleading hint about zsteg (which is for images).</p>
<h3 class="text-xl font-semibold mb-3 mt-6">Step 2: Disassembly and Function Discovery</h3>
<p class="mb-3">Disassembling the binary (Ghidra/IDA) reveals these key functions:</p>
<ul class="list-disc list-inside space-y-2 mb-4">
<li><code>main()</code> - Prompts for a number input</li>
<li><code>recursive_fibonacci_mask()</code> - Complex recursive function</li>
<li><code>print_flag()</code> - Generates and prints the flag</li>
<li><code>dump()</code> - Helper function (returns 0)</li>
</ul>
<p class="mb-3"><strong>Critical Flow:</strong></p>
<pre><code class="language-c">if (input &gt; 10) {
    seed = recursive_fibonacci_mask(input);
    print_flag(seed);
}</code></pre>
<h3 class="text-xl font-semibold mb-3 mt-6">Step 3: Understanding the Algorithm</h3>
<p class="mb-3"><strong>The print_flag() Function:</strong></p>
<pre><code class="language-c">void print_flag(unsigned int seed) {
    unsigned int data[24] = { /* hardcoded array */ };
    srand(seed);
    for (int i = 0; i &lt; 24; i++) {
        int r = rand();
        char c = (r - data[i]) & 0xFF;
        printf("%c", c);
    }
}</code></pre>
<div class="bg-yellow-50 border-l-4 border-yellow-400 p-4 mb-4">
<p class="font-semibold mb-2">Key Discovery:</p>
<p class="text-sm">The seed value is hardcoded as <code>0xff10ca3b</code> in the binary's logic!</p>
</div>
<p class="mb-3"><strong>The Data Array Location:</strong></p>
<p class="mb-3">The data array is stored at virtual address <strong>0x0804a0a0</strong> in the binary:</p>
<ul class="list-disc list-inside space-y-2 mb-4">
<li>Contains 24 unsigned 32-bit integers (96 bytes total)</li>
<li>Values are stored in little-endian format</li>
</ul>
<h3 class="text-xl font-semibold mb-3 mt-6">Step 4: Extracting the Data Array</h3>
<pre><code class="language-python">import struct

with open("a (3)", "rb") as f:
    content = f.read()

# Search for the data pattern (first 8 bytes of the array as stored on disk)
target = bytes.fromhex("80033018e240063f")
offset = content.find(target)
if offset == -1:
    raise SystemExit("data pattern not found in binary")
print(f"Found at offset: 0x{offset:x}")

# Extract 96 bytes (24 little-endian 32-bit integers)
data = content[offset:offset+96]
values = [struct.unpack('&lt;I', data[i:i+4])[0] for i in range(0, 96, 4)]

# Display as C array
print("unsigned int data[] = {")
for i in range(0, len(values), 4):
    line = ", ".join(f"0x{v:08x}" for v in values[i:i+4])
    print(f"    {line},")
print("};")</code></pre>
<p class="mb-3"><strong>Extracted Data Array:</strong></p>
<pre><code class="language-c">unsigned int data[] = {
    0x18300380, 0x3f0640e2, 0x47c88dae, 0x4770cb65,
    0x70868fee, 0x5887f01e, 0x07b695b3, 0x7e5fe4f7,
    0x2b2bcab8, 0x7b1c25a5, 0x6cc1d210, 0x1029aafa,
    0x2b07785e, 0x45c80fee, 0x2d96388c, 0x0135865e,
    0x4eb1e13d, 0x5182204f, 0x21f78a34, 0x212d3340,
    0x40e64e84, 0x1c66c1b7, 0x6712a7ce, 0x4252dd56
};</code></pre>
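<p class="mb-3">Step 3 places the array at virtual address <code>0x0804a0a0</code>, while the script above locates it by byte pattern. The following added example (not part of the original write-up; helper names are illustrative) translates such an address to a file offset through the ELF32 <code>PT_LOAD</code> program headers, using a constructed sample image whose segment layout is assumed and not taken from the challenge binary.</p>

```python
import struct

PT_LOAD = 1  # program header type for loadable segments

def load_segments(elf):
    """Return (p_offset, p_vaddr, p_filesz) for each PT_LOAD of a 32-bit LE ELF."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    (e_phoff,) = struct.unpack_from("<I", elf, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x2A)
    segments = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<5I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments

def vaddr_to_offset(elf, vaddr, size):
    """Map a virtual address range to its file offset; reject ranges not in the file."""
    for p_offset, p_vaddr, p_filesz in load_segments(elf):
        if p_vaddr <= vaddr and vaddr + size <= p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"0x{vaddr:08x} is not backed by file data (unmapped or .bss)")

def read_u32_array(elf, vaddr, count):
    """Read `count` little-endian 32-bit words stored at virtual address `vaddr`."""
    offset = vaddr_to_offset(elf, vaddr, 4 * count)
    return list(struct.unpack_from(f"<{count}I", elf, offset))

def build_sample():
    """Constructed ELF32 image (NOT the challenge binary): one data segment mapping
    file offset 0x1000 to 0x0804a000 (assumed), 0x200 bytes on disk, 0x300 in memory."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + bytes(9),
                       2, 3, 1, 0x08048000, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0x1000, 0x0804A000, 0x0804A000,
                       0x200, 0x300, 6, 0x1000)
    image = bytearray(0x1200)
    image[:52], image[52:84] = ehdr, phdr
    # First four words of the write-up's data array, placed at 0x0804a0a0.
    image[0x10A0:0x10B0] = struct.pack("<4I", 0x18300380, 0x3F0640E2,
                                       0x47C88DAE, 0x4770CB65)
    return bytes(image)

if __name__ == "__main__":
    sample = build_sample()
    print(hex(vaddr_to_offset(sample, 0x0804A0A0, 16)))
    print([f"0x{v:08x}" for v in read_u32_array(sample, 0x0804A0A0, 4)])
```

<p class="mb-3">An address that falls past a segment's on-disk size (for example in <code>.bss</code>) raises an error instead of returning a bogus offset.</p>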
<h3 class="text-xl font-semibold mb-3 mt-6">Step 5: Replicating the Flag Generation</h3>
<pre><code class="language-c">#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;

/* 24 values extracted from the binary in Step 4 */
unsigned int data[] = {
    0x18300380, 0x3f0640e2, 0x47c88dae, 0x4770cb65,
    0x70868fee, 0x5887f01e, 0x07b695b3, 0x7e5fe4f7,
    0x2b2bcab8, 0x7b1c25a5, 0x6cc1d210, 0x1029aafa,
    0x2b07785e, 0x45c80fee, 0x2d96388c, 0x0135865e,
    0x4eb1e13d, 0x5182204f, 0x21f78a34, 0x212d3340,
    0x40e64e84, 0x1c66c1b7, 0x6712a7ce, 0x4252dd56
};

int main(void) {
    unsigned int seed = 0xff10ca3b;
    printf("Flag: ");
    /* rand()'s sequence for a given seed depends on the C library, so run
       this against the same libc implementation the challenge binary uses. */
    srand(seed);
    for (int i = 0; i &lt; 24; i++) {
        int r = rand();
        unsigned int val = data[i];
        char c = (r - val) & 0xFF;  /* keep only the low byte, as print_flag() does */
        printf("%c", c);
    }
    printf("\n");
    return 0;
}</code></pre>
<p class="mb-3"><strong>Compilation and Execution:</strong></p>
<pre><code class="language-bash">gcc -o solve_final solve_final.c
./solve_final</code></pre>
<div class="bg-green-50 border-l-4 border-green-400 p-4 mt-4">
<p class="font-semibold text-green-700"><strong>Output:</strong> <code class="text-green-600">EOF{wh3r3_ar3_my_po1n+5}</code></p>
<p class="text-sm mt-2"><strong>Translation:</strong> "where are my points?" - A humorous complaint about CTF scoring! 😄</p>
</div>
</div>
<div class="content-section">
<h2 class="text-2xl font-bold mb-4">Key Insights</h2>
<h3 class="text-xl font-semibold mb-3">Why This Challenge Was Clever</h3>
<ol class="list-decimal list-inside space-y-2 mb-4">
<li><strong>Misleading Hint:</strong> The "zsteg" hint was a red herring (zsteg is for image steganography)</li>
<li><strong>Hardcoded Seed:</strong> The seed <code>0xff10ca3b</code> was embedded in the binary's logic</li>
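<li><strong>PRNG-Based Encryption:</strong> Used C's <code>rand()</code> function for pseudo-random character generation; because the output is fully determined by the seed, recovering the seed and the data array is enough to regenerate every character</li>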
<li><strong>Data Extraction:</strong> Required understanding of binary structure and memory layout</li>
</ol>
<h3 class="text-xl font-semibold mb-3 mt-6">Tools Used</h3>
<ul class="list-disc list-inside space-y-2">
<li><strong>Ghidra</strong> - For disassembly and decompilation</li>
<li><strong>Python</strong> - For data extraction scripts</li>
<li><strong>GCC</strong> - To compile the solution</li>
<li><code>strings</code>, <code>hexdump</code>, <code>file</code> - For initial analysis</li>
</ul>
</div>
<div class="content-section">
<h2 class="text-2xl font-bold mb-4">Complete Solution Summary</h2>
<pre><code class="language-bash"># 1. Disassemble binary to understand logic
# Use Ghidra/IDA to find print_flag() and data array location
# 2. Extract data array
python3 extract_data.py # Extract 24 integers from offset
# 3. Compile and run solver
gcc -o solve solve.c
./solve
# Output: EOF{wh3r3_ar3_my_po1n+5}</code></pre>
<p class="mt-4">This challenge demonstrates the importance of reverse engineering skills, understanding C standard library functions (<code>rand()</code>, <code>srand()</code>), and the ability to extract and analyze binary data structures!</p>
</div>
</div>
</div>
<script>hljs.highlightAll();</script>
</body>
</html>