#!/usr/bin/env python3 import sys
// Reconstructed entry point of the analysed binary (listing as recovered; the
// closing brace is not part of the listing). `i`, `encrypted`, `key`, `keylen`
// and `hStdOut` are not declared here — presumably globals or defined outside
// this excerpt; confirm in the full disassembly.
int __cdecl main() {
    char buf[0x100];
    DWORD bytes;
    // The returned stdout handle is discarded here, although hStdOut is used below.
    GetStdHandle(STD_OUTPUT_HANDLE);
    // Commits a 0x2000-byte RW region whose pointer is discarded; nothing in this
    // listing references it.
    VirtualAlloc(0, 0x2000, MEM_COMMIT, PAGE_READWRITE);
    // Decrypt loop: repeating-key XOR of 0x100 bytes of `encrypted` into buf,
    // key byte chosen by i % keylen.
    for (i = 0; i < 0x100; ++i) buf[i] = encrypted[i] ^ key[i % keylen];
    // WriteFile to stdout: the full 0x100 decrypted bytes are emitted regardless
    // of the comparison below.
    WriteFile(hStdOut, buf, 0x100, &bytes, 0);
    // Compare with expected value. Note the length is 5, so the literal's
    // terminating NUL is compared too: a match requires buf[4] == 0, which also
    // means puts(buf) prints just the four bytes "FLAG".
    if (memcmp(buf, "FLAG", 5) == 0) puts(buf); else puts("Try again!");
    return 0;
The goal is to retrieve the flag without resorting to brute‑force or to the illegal cracking of any proprietary software – we only analyse the supplied binary.
# 1. Create a clean analysis directory
mkdir -p ~/ctf/kkmoom && cd ~/ctf/kkmoom
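def lz_decompress(src):
    """Expand an LZ-style token stream into the decompressed bytes.

    The stream is a sequence of groups: one flag byte followed by up to eight
    tokens, where bit ``b`` of the flag byte describes token ``b``.  A set bit
    means the next byte is a literal; a clear bit means the next two bytes
    ``lo, hi`` form a back-reference with a 12-bit
    ``offset = ((hi & 0xF0) << 4) | lo`` into the output produced so far and
    ``length = (hi & 0x0F) + 3`` bytes to copy.  Copies are done byte by byte
    so an overlapping window (offset < length) repeats the last bytes, which
    is how runs are encoded.

    Args:
        src: compressed input (``bytes``, ``bytearray`` or any indexable
            sequence of ints).

    Returns:
        The decompressed data as ``bytes``; ``b""`` for empty input.

    Raises:
        ValueError: if a back-reference pair is truncated or its offset
            reaches before the start of the output.  The stream comes from
            an untrusted binary, so malformed input is reported explicitly
            instead of surfacing as an ``IndexError`` from inside the loop.
    """
    out = bytearray()
    n = len(src)
    i = 0
    while i < n:
        flags = src[i]
        i += 1
        for bit in range(8):
            # The final group may hold fewer than eight tokens.
            if i >= n:
                break
            if flags & (1 << bit):
                out.append(src[i])
                i += 1
                continue
            # Back-reference: needs both bytes of the pair.
            if i + 1 >= n:
                raise ValueError(f"truncated back-reference at input offset {i}")
            lo, hi = src[i], src[i + 1]
            i += 2
            offset = ((hi & 0xF0) << 4) | lo
            length = (hi & 0x0F) + 3
            # Reject references that point before the output start.
            # NOTE(review): offset 0 resolves to out[0] (out[-0]), as in the
            # original implementation; it is probably invalid in the format —
            # confirm against the decompressor in the binary.
            if not out or offset > len(out):
                raise ValueError(
                    f"back-reference offset {offset} exceeds output length "
                    f"{len(out)} at input offset {i - 2}"
                )
            # Byte-by-byte on purpose: the window may overlap the bytes written.
            for _ in range(length):
                out.append(out[-offset])
    return bytes(out)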
# Key location:
[0x00401000]> s 0x00407000
[0x00407000]> pd 12
# → key = "kKMo0M_cRaZ"
Extract both blobs: