Participate Google CTF 2018 Finals

Author: Qwaz

GoogleCTF/2018 Finals/flagvm (unsolved)/converter.py

@@ -0,0 +1,58 @@
+# this code translates VM opcode to C code
+# you have to further optimize the converted code to get the flag
+
+header = '''#include <stdio.h>
+#include <string.h>
+
+int main(){
+    char table[256] = {0, 0xA1, 0x42, 0xE3, 0x84, 0x25, 0xC6, 0x67, 8, 0xA9, 0x4A, 0xEB, 0x8C, 0x2D, 0xCE, 0x6F, 0x10, 0xB1, 0x52, 0xF3, 0x94, 0x35, 0xD6, 0x77, 0x18, 0xB9, 0x5A, 0xFB, 0x9C, 0x3D, 0xDE, 0x7F, 0x20, 0xC1, 0x62, 3, 0xA4, 0x45, 0xE6, 0x87, 0x28, 0xC9, 0x6A, 0xB, 0xAC, 0x4D, 0xEE, 0x8F, 0x30, 0xD1, 0x72, 0x13, 0xB4, 0x55, 0xF6, 0x97, 0x38, 0xD9, 0x7A, 0x1B, 0xBC, 0x5D, 0xFE, 0x9F, 0x40, 0xE1, 0x82, 0x23, 0xC4, 0x65, 6, 0xA7, 0x48, 0xE9, 0x8A, 0x2B, 0xCC, 0x6D, 0xE, 0xAF, 0x50, 0xF1, 0x92, 0x33, 0xD4, 0x75, 0x16, 0xB7, 0x58, 0xF9, 0x9A, 0x3B, 0xDC, 0x7D, 0x1E, 0xBF, 0x60, 1, 0xA2, 0x43, 0xE4, 0x85, 0x26, 0xC7, 0x68, 9, 0xAA, 0x4B, 0xEC, 0x8D, 0x2E, 0xCF, 0x70, 0x11, 0xB2, 0x53, 0xF4, 0x95, 0x36, 0xD7, 0x78, 0x19, 0xBA, 0x5B, 0xFC, 0x9D, 0x3E, 0xDF, 0x80, 0x21, 0xC2, 0x63, 4, 0xA5, 0x46, 0xE7, 0x88, 0x29, 0xCA, 0x6B, 0xC, 0xAD, 0x4E, 0xEF, 0x90, 0x31, 0xD2, 0x73, 0x14, 0xB5, 0x56, 0xF7, 0x98, 0x39, 0xDA, 0x7B, 0x1C, 0xBD, 0x5E, 0xFF, 0xA0, 0x41, 0xE2, 0x83, 0x24, 0xC5, 0x66, 7, 0xA8, 0x49, 0xEA, 0x8B, 0x2C, 0xCD, 0x6E, 0xF, 0xB0, 0x51, 0xF2, 0x93, 0x34, 0xD5, 0x76, 0x17, 0xB8, 0x59, 0xFA, 0x9B, 0x3C, 0xDD, 0x7E, 0x1F, 0xC0, 0x61, 2, 0xA3, 0x44, 0xE5, 0x86, 0x27, 0xC8, 0x69, 0xA, 0xAB, 0x4C, 0xED, 0x8E, 0x2F, 0xD0, 0x71, 0x12, 0xB3, 0x54, 0xF5, 0x96, 0x37, 0xD8, 0x79, 0x1A, 0xBB, 0x5C, 0xFD, 0x9E, 0x3F, 0xE0, 0x81, 0x22, 0xC3, 0x64, 5, 0xA6, 0x47, 0xE8, 0x89, 0x2A, 0xCB, 0x6C, 0xD, 0xAE, 0x4F, 0xF0, 0x91, 0x32, 0xD3, 0x74, 0x15, 0xB6, 0x57, 0xF8, 0x99, 0x3A, 0xDB, 0x7C, 0x1D, 0xBE, 0x5F};
+
+    const int MEM_SIZE = 10000;
+    unsigned char mem[MEM_SIZE];
+    int index = 0;
+
+    memset(mem, 0, MEM_SIZE);
+
+'''
+
+footer = '''return 0;
+}'''
+
+
+def bit(index):
+    return 1 if ord(data[index // 8]) & (128 >> (index % 8)) != 0 else 0
+
+def decode(index):
+    return bit(3 * index) * 4 + bit(3 * index + 1) * 2 + bit(3 * index + 2)
+
+
+with open('flagvm', 'rb') as f:
+    data = f.read()
+
+max_len = len(data) * 8 // 3
+
+program = ''
+for i in range(max_len):
+    instruction = decode(i)
+
+    if instruction == 0:
+        program += 'mem[index] += 0x61;\n'
+    elif instruction == 1:
+        program += 'mem[index] -= 0x61;\n'
+    elif instruction == 2:
+        program += 'index = (index + 1) % MEM_SIZE;\n'
+    elif instruction == 3:
+        program += 'index = (index + MEM_SIZE - 1) % MEM_SIZE;\n'
+    elif instruction == 4:
+        program += 'putchar(table[mem[index]]);\n'
+    elif instruction == 5:
+        program += '// 5\nindex = 0\n'
+    elif instruction == 6:
+        program += 'while (mem[index]) {\n'
+    elif instruction == 7:
+        program += '}\n'
+    else:
+        program += '// 8\n'
+
+with open('flagvm.c', 'wb') as f:
+    f.write(header + program + footer)

GoogleCTF/2018 Finals/flagvm (unsolved)/execute

@@ -0,0 +1,137 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>JS safe v3.0 - the leading localStorage based safe solution with military grade JS anti-debug technology</title>
+<!--
+Advertisement:
+Looking for a hand-crafted, browser based virtual safe to store your most
+interesting secrets? Look no further, you have found it. You can order your own
+by sending a mail to [email protected]. When ordering, please specify the
+password you'd like to use to open and close the safe. We'll hand craft a
+unique safe just for you, that only works with your password of choice.
+-->
+<style>
+body {
+  text-align: center;
+}
+input {
+  font-size: 200%;
+  margin-top: 5em;
+  text-align: center;
+  width: 26em;
+}
+#result {
+  margin-top: 8em;
+  font-size: 300%;
+  font-family: monospace;
+  font-weight: bold;
+}
+body.granted>#result::before {
+  content: "Access Granted";
+  color: green;
+}
+body.denied>#result::before {
+  content: "Access Denied";
+  color: red;
+}
+#content {
+  display: none;
+}
+body.granted #content {
+  display: initial;
+}
+.wrap {
+  display: inline-block;
+  margin-top: 50px;
+  perspective: 800px;
+  perspective-origin: 50% 100px;
+}
+.cube {
+  position: relative;
+  width: 200px;
+  transform-style: preserve-3d;
+}
+.back {
+  transform: translateZ(-100px) rotateY(180deg);
+}
+.right {
+  transform: rotateY(-270deg) translateX(100px);
+  transform-origin: top right;
+}
+.left {
+  transform: rotateY(270deg) translateX(-100px);
+  transform-origin: center left;
+}
+.top {
+  transform: rotateX(-90deg) translateY(-100px);
+  transform-origin: top center;
+}
+.bottom {
+  transform: rotateX(90deg) translateY(100px);
+  transform-origin: bottom center;
+}
+.front {
+  transform: translateZ(100px);
+}
+@keyframes spin {
+  from { transform: rotateY(0); }
+  to { transform: rotateY(360deg); }
+}
+.cube {
+  animation: spin 20s infinite linear;
+}
+.cube div {
+  position: absolute;
+  width: 200px;
+  height: 200px;
+  background: rgba(0, 0, 0, 0.51);
+  box-shadow: inset 0 0 60px white;
+  font-size: 20px;
+  text-align: center;
+  line-height: 200px;
+  color: rgba(0,0,0,0.5);
+  font-family: sans-serif;
+  text-transform: uppercase;
+}
+</style>
+<script>
+eval(String.fromCharCode(102, 117, 110, 99, 116, 105, 111, 110, 32, 120, 40, 121, 41, 123, 111, 114, 100, 61, 70, 117, 110, 99, 116, 105, 111, 110, 46, 112, 114, 111, 116, 111, 116, 121, 112, 101, 46, 99, 97, 108, 108, 46, 98, 105, 110, 100, 40, 39, 39, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 41, 59, 99, 104, 114, 61, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 59, 102, 117, 110, 99, 116, 105, 111, 110, 32, 100, 40, 97, 44, 98, 44, 99, 41, 123, 102, 117, 110, 99, 116, 105, 111, 110, 32, 98, 121, 116, 101, 108, 105, 115, 116, 40, 120, 41, 123, 105, 102, 40, 116, 121, 112, 101, 111, 102, 32, 120, 61, 61, 39, 102, 117, 110, 99, 116, 105, 111, 110, 39, 41, 123, 120, 61, 120, 46, 116, 111, 83, 116, 114, 105, 110, 103, 40, 41, 59, 120, 61, 120, 46, 115, 108, 105, 99, 101, 40, 120, 46, 105, 110, 100, 101, 120, 79, 102, 40, 39, 47, 42, 39, 41, 43, 50, 44, 120, 46, 108, 97, 115, 116, 73, 110, 100, 101, 120, 79, 102, 40, 39, 42, 47, 39, 41, 41, 125, 105, 102, 40, 116, 121, 112, 101, 111, 102, 32, 120, 61, 61, 39, 115, 116, 114, 105, 110, 103, 39, 41, 114, 101, 116, 117, 114, 110, 32, 120, 46, 115, 112, 108, 105, 116, 40, 39, 39, 41, 46, 109, 97, 112, 40, 120, 61, 62, 111, 114, 100, 40, 120, 41, 41, 59, 105, 102, 40, 116, 121, 112, 101, 111, 102, 32, 120, 61, 61, 39, 111, 98, 106, 101, 99, 116, 39, 41, 114, 101, 116, 117, 114, 110, 32, 120, 125, 97, 61, 98, 121, 116, 101, 108, 105, 115, 116, 40, 97, 41, 59, 98, 61, 98, 121, 116, 101, 108, 105, 115, 116, 40, 98, 41, 59, 102, 111, 114, 40, 118, 97, 114, 32, 105, 61, 48, 59, 105, 33, 61, 97, 46, 108, 101, 110, 103, 116, 104, 59, 105, 43, 43, 41, 123, 100, 101, 98, 117, 103, 103, 101, 114, 59, 99, 61, 40, 99, 124, 124, 39, 39, 41, 43, 99, 104, 114, 40, 97, 91, 105, 93, 94, 98, 91, 105, 37, 98, 46, 108, 101, 110, 103, 116, 104, 93, 41, 125, 114, 101, 116, 117, 114, 110, 32, 101, 118, 97, 108, 40, 39, 101, 118, 97, 108, 40, 99, 41, 39, 41, 125, 118, 97, 114, 32, 100, 97, 116, 97, 61, 120, 61, 62, 47, 42, 28, 1, 78, 15, 18, 89, 21, 87, 95, 95, 88, 1, 4, 11, 105, 91, 2, 13, 84, 72, 77, 2, 79, 65, 19, 16, 83, 64, 30, 76, 19, 84, 7, 12, 83, 67, 21, 76, 11, 6, 65, 25, 1, 76, 31, 10, 73, 64, 28, 1, 20, 67, 31, 3, 18, 8, 87, 72, 88, 6, 75, 75, 16, 71, 25, 0, 95, 5, 95, 0, 18, 87, 77, 90, 21, 5, 123, 91, 101, 6, 126, 107, 84, 70, 126, 121, 83, 6, 84, 108, 97, 43, 91, 123, 77, 37, 99, 73, 71, 46, 111, 31, 28, 123, 61, 66, 20, 53, 53, 87, 24, 45, 97, 10, 82, 32, 108, 84, 85, 41, 120, 85, 27, 5, 101, 79, 95, 63, 103, 87, 65, 121, 96, 85, 122, 98, 97, 90, 108, 40, 127, 82, 68, 51, 47, 68, 30, 108, 41, 92, 23, 113, 58, 23, 31, 105, 56, 68, 64, 107, 100, 90, 25, 120, 17, 12, 12, 118, 61, 100, 80, 34, 250, 18, 11, 60, 114, 68, 27, 99, 111, 31, 80, 125, 115, 22, 93, 35, 127, 78, 100, 44, 121, 68, 69, 62, 122, 89, 73, 55, 68, 14, 88, 251, 46, 75, 77, 67, 99, 20, 7, 58, 3, 119, 90, 90, 63, 48, 79, 66, 112, 109, 120, 16, 109, 8, 103, 60, 101, 15, 20, 70, 105, 14, 55, 98, 88, 8, 109, 115, 122, 31, 205, 48, 106, 81, 95, 119, 109, 2, 88, 125, 116, 65, 71, 47, 111, 102, 24, 97, 54, 57, 5, 97, 119, 72, 25, 62, 97, 15, 64, 52, 42, 86, 71, 34, 102, 1, 7, 121, 55, 13, 22, 123, 42, 85, 11, 63, 103, 68, 83, 44, 32, 88, 6, 122, 124, 13, 74, 34, 61, 95, 31, 106, 109, 23, 76, 115, 36, 1, 89, 57, 48, 2, 70, 116, 48, 11, 12, 36, 103, 29, 20, 37, 40, 71, 14, 97, 36, 20, 75, 50, 97, 13, 94, 99, 103, 82, 25, 43, 33, 83, 86, 34, 59, 79, 66, 124, 42, 79, 94, 76, 108, 17, 71, 38, 98, 115, 89, 56, 32, 74, 117, 13, 126, 57, 86, 14, 126, 53, 83, 9, 125, 49, 63, 2, 93, 113, 112, 13, 10, 78, 21, 30, 92, 28, 7, 17, 95, 78, 72, 45, 18, 111, 72, 26, 51, 36, 72, 8, 52, 100, 98, 29, 6, 73, 109, 10, 42, 71, 85, 56, 32, 76, 89, 110, 123, 25, 11, 51, 115, 87, 3, 38, 127, 79, 87, 123, 53, 66, 90, 37, 50, 75, 78, 36, 124, 103, 83, 62, 56, 93, 81, 38, 38, 27, 86, 36, 29, 0, 87, 43, 11, 74, 73, 35, 35, 81, 25, 53, 121, 14, 31, 45, 112, 19, 12, 102, 120, 11, 14, 53, 39, 9, 82, 43, 126, 26, 39, 125, 107, 20, 11, 21, 55, 64, 204, 99, 108, 94, 68, 53, 124, 1, 89, 110, 55, 31, 69, 103, 58, 65, 73, 63, 3, 78, 79, 53, 34, 92, 76, 40, 46, 85, 114, 127, 63, 153, 24, 58, 42, 33, 85, 101, 96, 88, 53, 6, 61, 56, 9, 65, 40, 32, 70, 28, 31, 114, 91, 121, 0, 94, 83, 126, 115, 36, 95, 127, 80, 0, 110, 121, 10, 17, 76, 110, 170, 82, 92, 32, 56, 21, 91, 115, 63, 31, 66, 48, 32, 77, 89, 23, 127, 3, 0, 72, 98, 3, 65, 57, 126, 92, 87, 126, 39, 86, 28, 39, 32, 64, 80, 112, 96, 27, 1, 124, 113, 25, 28, 36, 108, 93, 81, 53, 52, 78, 22, 41, 97, 24, 74, 124, 45, 64, 11, 46, 120, 8, 91, 102, 43, 17, 18, 112, 62, 91, 6, 115, 33, 22, 6, 122, 107, 70, 81, 108, 115, 71, 30, 54, 105, 3, 18, 101, 44, 80, 87, 124, 57, 1, 81, 35, 126, 73, 23, 34, 49, 64, 13, 62, 37, 30, 28, 62, 57, 46, 90, 96, 32, 68, 84, 2, 62, 90, 22, 59, 18, 111, 72, 72, 49, 108, 72, 68, 52, 107, 75, 64, 88, 96, 107, 0, 23, 111, 98, 5, 95, 85, 19, 42, 47, 49, 59, 118, 97, 114, 32, 107, 49, 61, 121, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 48, 41, 59, 118, 97, 114, 32, 107, 50, 61, 121, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 49, 41, 59, 102, 111, 114, 40, 118, 97, 114, 32, 107, 51, 61, 48, 59, 107, 51, 60, 50, 53, 54, 59, 107, 51, 43, 43, 41, 123, 102, 111, 114, 40, 118, 97, 114, 32, 107, 52, 61, 48, 59, 107, 52, 60, 50, 53, 54, 59, 107, 52, 43, 43, 41, 123, 116, 114, 121, 123, 114, 101, 116, 117, 114, 110, 32, 100, 40, 100, 97, 116, 97, 44, 91, 107, 49, 44, 107, 50, 44, 107, 51, 44, 107, 52, 93, 41, 125, 99, 97, 116, 99, 104, 40, 101, 41, 123, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 40, 39, 69, 114, 114, 111, 114, 58, 39, 44, 101, 41, 125, 125, 125, 125));
+</script>
+<script>
+function open_safe() {
+  keyhole.disabled = true;
+  password = /^CTF{([0-9a-zA-Z_@!?-]+)}$/.exec(keyhole.value);
+  if (!password || !x(password[1])) return document.body.className = 'denied';
+  document.body.className = 'granted';
+  password = Array.from(password[1]).map(c => c.charCodeAt());
+  encrypted = JSON.parse(localStorage.content || '');
+  content.value = encrypted.map((c,i) => c ^ password[i % password.length]).map(String.fromCharCode).join('')
+}
+function save() {
+  plaintext = Array.from(content.value).map(c => c.charCodeAt());
+  localStorage.content = JSON.stringify(plaintext.map((c,i) => c ^ password[i % password.length]));
+}
+</script>
+</head>
+<body>
+<div>
+  <input id="keyhole" autofocus onchange="open_safe()" placeholder="🔑">
+</div>
+<div class="wrap">
+  <div class="cube">
+    <div class="front"></div>
+    <div class="back"></div>
+    <div class="top"></div>
+    <div class="bottom"></div>
+    <div class="left"></div>
+    <div class="right"></div>
+  </div>
+</div>
+<div id="result">
+</div>
+<div>
+  <input id="content" onchange="save()">
+</div>
+</body>
+</html>

GoogleCTF/2018 Finals/flagvm (unsolved)/execute.i64

@@ -0,0 +1,47 @@
+import os
+from pwn import *
+
+while True:
+    p = remote('auth.ctfcompetition.com', 1337)
+
+    p.recvuntil('graph {\n')
+
+    v = 0
+    e = 0
+    labels = []
+    edges = []
+
+    while True:
+        l = p.recvline().strip()
+
+        if '[label="' in l:
+            assert l[:l.index(' ')].strip() == str(v)
+            labels.append(int(l[l.index('[label="') + 8:l.index('"]')]))
+            v += 1
+        elif '--' in l:
+            index = l.index(' -- ')
+            v1 = int(l[:index])
+            v2 = int(l[index+4:])
+            l1 = labels[v1]
+            l2 = labels[v2]
+            assert abs(l1 - l2) == 1 or abs(l1 - l2) == v
+            edges.append((v1, v2))
+            e += 1
+        elif '}' in l:
+            break
+
+    data = '%d %d\n%s\n%s' % (v, e, '\n'.join(map(str, labels)), '\n'.join(map(lambda x: '%d %d' % (x[0], x[1]), edges)))
+    with open('input', 'w') as f:
+        f.write(data)
+
+    os.system('./algorithm < input > output')
+    with open('output') as f:
+        payload = f.read()
+
+    print payload
+    if "OK" in payload:
+        p.send(payload[payload.index('\n') + 1:])
+        p.interactive()
+        exit(0)
+
+    p.close()