Hack.lu 2011 CTF – Python Crackme Solution

Python Crackme

This challenge’s hero, needs your help. Sadly, our Commander Sheen has lost his Pogo Stick. Without his Pogo Stick, Commander Sheen is not WINNING. Can you help him? Solve the puzzle and find out what space-tool could support him. download

After downloading the mentioned file, we can see it is a pyc file which can be run with python2.7, using the script provided here to review the structure of pyc files  (if you are using 64 bits python make sure to change struct.unpack(‘L’, moddate)[0]) to struct.unpack(‘<L’, moddate)[0]) to get it working.) we could see some stuff like how many arguments it required to run:

24 LOAD_NAME                2 (len)
27 LOAD_NAME                0 (sys)
30 LOAD_ATTR                3 (argv)
33 CALL_FUNCTION            1
36 LOAD_CONST              28 (10)
39 COMPARE_OP               2 (==)
42 POP_JUMP_IF_TRUE        51
45 LOAD_GLOBAL              4 (AssertionError)
48 RAISE_VARARGS            1

Here len(sys.argv) == 10 should be true otherwise an assertion occurs

 
51 BUILD_LIST               0
54 LOAD_NAME                0 (sys)
57 LOAD_ATTR                3 (argv)
60 LOAD_CONST               3 (1)
63 SLICE+1
64 GET_ITER
65 FOR_ITER                18 (to 86)
68 STORE_NAME               5 (x)
71 LOAD_NAME                6 (int)
74 LOAD_NAME                5 (x)
77 CALL_FUNCTION            1
80 LIST_APPEND              2
83 JUMP_ABSOLUTE           65
86 UNPACK_SEQUENCE          9
89 STORE_NAME               7 (a)
92 STORE_NAME               8 (b)
95 STORE_NAME               9 (c)
98 STORE_NAME              10 (d)
101 STORE_NAME              11 (e)
104 STORE_NAME              12 (f)
107 STORE_NAME              13 (g)
110 STORE_NAME              14 (h)
113 STORE_NAME              15 (i)

All the arguments (from 1 onwards) are stored on a, b, c, d, e, f , g, h, i.

116 LOAD_NAME                8 (b)
119 LOAD_NAME                9 (c)
122 COMPARE_OP               2 (==)
125 POP_JUMP_IF_TRUE       134
128 LOAD_GLOBAL              4 (AssertionError)
131 RAISE_VARARGS            1

Some additional conditions appeared, b == c, c == g, g == h, g + b + c == 0.


254 LOAD_CONST               7 (3)
257 LOAD_NAME                7 (a)
260 BINARY_MULTIPLY
261 LOAD_CONST               8 (12)
264 LOAD_NAME               10 (d)
267 BINARY_MULTIPLY
268 BINARY_ADD
269 LOAD_NAME               11 (e)
272 BINARY_ADD
273 LOAD_CONST               9 (4)
276 LOAD_NAME               12 (f)
279 BINARY_MULTIPLY
280 BINARY_ADD
281 LOAD_CONST              10 (6)
284 LOAD_NAME               15 (i)
287 BINARY_MULTIPLY
288 BINARY_ADD
289 LOAD_CONST              11 (2194)
292 COMPARE_OP               2 (==)
295 POP_JUMP_IF_TRUE       304
298 LOAD_GLOBAL              4 (AssertionError)
301 RAISE_VARARGS            1

Here we get the next equation:

3*a + 12*d + e + 4*f + 6*i == 2194.

There are 4 additional equations:

-6 * a + 2 * d - 4 * e - f + 9 * i == -243
a + 6 * d + 2 * e + 7 * f + 11 * i == 2307
5 * a - 2 * d - 7 * e + 76 * f + 8 * i == 8238
2 * a - 2 * d - 2 * e - 2 * f + 2 * i == -72

After solving the equations we get:

a = 124,d = 71,e = 72,f = 100,i = 83

The additional values must be zero:

a = 124, b = 0, c = 0,  d = 71, e = 72, f = 100, g = 0 , h = 0, i = 83

$ python2 crackme.pyc 124 0 0 71 72 100 0 0 83
sp4ceb4llz of st33l

Flag: sp4ceb4llz of st33l

One thought on “Hack.lu 2011 CTF – Python Crackme Solution

Leave a Reply

Your email address will not be published. Required fields are marked *


three + 4 =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>