Cairo ICT CTF 2022 by Cyshield

My write-ups to many challenges in Cairo ICT CTF 2022 by Cyshield



In this CTF competition, we got 11th place after great work and speed in solving challenges.
  • Name : deviation
  • Category: Reverse
  • Level: Medium
  • Flag : CYCTF{UND3RST4ND1NG_H0W_S3H_W0RK5_1S_ESS3NTI4L}
SOLUTION
  • First, I opened the challenge file in IDA Pro and saw that there are two functions:
  • the first function is a simple calculator:
  • the second function looks more interesting and is an XOR function:
  • so we set a breakpoint to skip the first function
  • and set IP to the second function
  • and the flag simply appeared
  • Name : inter
  • Category: Reverse
  • Level: Medium
  • Flag : CyCTF{R34D1NG_LLVM_1NT3RMED1AT3_R3PR3SENT4T10N_15_EZ}
SOLUTION
  • First, I saw that the file extension is .ll, so I looked it up: https://fileinfo.com/extension/ll
  • Then I opened the file and noticed that this code is repeated many times:
  • so I checked the LLVM IR documentation: https://llvm.org/docs/LangRef.html
  • After a lot of searching and reading, I found that this code is written in LLVM IR, an intermediate representation language used by the LLVM compiler infrastructure. LLVM IR is a low-level, platform-independent, assembly-like language used as an intermediate step in the compilation process. This particular fragment performs a load and some arithmetic through pointers. Here is a breakdown of what is happening:
    %4 = load ptr, ptr %3, align 8, !dbg !20
    This line loads a value from memory at the address pointed to by %3 with 8-byte alignment, and stores the result in %4.
    %5 = getelementptr inbounds i8, ptr %4, i64 36, !dbg !20
    This line computes a new pointer at byte offset 36 from the address held in %4, and stores the result in %5.
    %6 = load i8, ptr %5, align 1, !dbg !20
    This line loads a value from memory at the address pointed to by %5 with 1-byte alignment, and stores the result in %6.
    %7 = sext i8 %6 to i32, !dbg !20
    This line sign-extends %6 from an 8-bit value to a 32-bit value, and stores the result in %7.
    %8 = sub nsw i32 %7, 31, !dbg !22
    This line subtracts 31 from %7 (the nsw flag asserts that no signed overflow occurs), and stores the result in %8.
    %9 = icmp ne i32 %8, 20, !dbg !23
    This line compares %8 with the value 20 using a "not equal" comparison, and stores the result in %9.
    br i1 %9, label %10, label %11, !dbg !24
    This line performs a conditional branch based on the value of %9. If %9 is true (i.e. %8 is not equal to 20), control is transferred to the label %10. Otherwise, control is transferred to the label %11.
  • From the above, the check on the byte at offset 36 is x[36]-31=20, which means x[36]=51, which is "3" in ASCII
  • I know the flag starts with "CyCTF", so I went to the first byte, "C"
  • There the check is x[0]*24=1608, which means x[0]=67, which is "C" in ASCII
  • then I went to the second byte, "y"
  • There the check is x[1]-28=93, which means x[1]=121, which is "y" in ASCII
  • Then I completed the remaining bytes the same way and got the whole flag
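
The per-byte inversion described above, as an added example that is not part of the original write-up: a small parser that walks the IR text, reads each byte offset, arithmetic operation and compared constant, and inverts the operation. It goes beyond the sub case quoted above by also handling add, mul and xor (assumed instruction forms); only the offset-36 block in the sample matches the IR shown here, and the other two are constructed from the constants quoted above.

```python
import re

# Constructed sample. The offset-36 block matches the IR quoted in the write-up;
# the other two are assumed layouts built from x[0]*24=1608 and x[1]-28=93.
SAMPLE_IR = """
  %15 = getelementptr inbounds i8, ptr %14, i64 0, !dbg !20
  %16 = load i8, ptr %15, align 1, !dbg !20
  %17 = sext i8 %16 to i32, !dbg !20
  %18 = mul nsw i32 %17, 24, !dbg !22
  %19 = icmp ne i32 %18, 1608, !dbg !23
  %25 = getelementptr inbounds i8, ptr %24, i64 1, !dbg !20
  %26 = load i8, ptr %25, align 1, !dbg !20
  %27 = sext i8 %26 to i32, !dbg !20
  %28 = sub nsw i32 %27, 28, !dbg !22
  %29 = icmp ne i32 %28, 93, !dbg !23
  %5 = getelementptr inbounds i8, ptr %4, i64 36, !dbg !20
  %6 = load i8, ptr %5, align 1, !dbg !20
  %7 = sext i8 %6 to i32, !dbg !20
  %8 = sub nsw i32 %7, 31, !dbg !22
  %9 = icmp ne i32 %8, 20, !dbg !23
"""
GEP = re.compile(r"getelementptr inbounds i8, ptr %\w+, i64 (\d+)")
ARITH = re.compile(r"= (add|sub|mul|xor)(?: nsw| nuw)* i32 %\w+, (-?\d+)")
CMP = re.compile(r"icmp ne i32 %\w+, (-?\d+)")
# Inverse of each operation: given op(x, c) == k, return x (None if unsolvable).
INVERT = {"add": lambda k, c: k - c, "sub": lambda k, c: k + c,
          "xor": lambda k, c: k ^ c,
          "mul": lambda k, c: k // c if c and k % c == 0 else None}

def recover_bytes(ir_text):
    """Return {byte offset: character} for every offset/op/compare triple found."""
    found, offset, op = {}, None, None
    for line in ir_text.splitlines():
        if m := GEP.search(line):
            offset, op = int(m.group(1)), None      # start of a new byte check
        elif m := ARITH.search(line):
            op = (m.group(1), int(m.group(2)))      # operation applied to the byte
        elif (m := CMP.search(line)) and offset is not None:
            k = int(m.group(1))
            value = INVERT[op[0]](k, op[1]) if op else k   # no op: direct compare
            if value is None or not 0 <= value < 128:
                raise ValueError(f"no ASCII solution at offset {offset}")
            found[offset] = chr(value)
            offset = op = None
    return found

if __name__ == "__main__":
    print(sorted(recover_bytes(SAMPLE_IR).items()))
```

Joining the recovered characters in offset order gives the checked string once every block of the .ll file has been fed through the parser.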
  • Name : Bipolar
  • Category: Reverse
  • Level: hard
  • Flag : CyCTF{C0ND1TION_B4S3D_B1NRY_ENC0D3D_57R1NGS_4_TH3_W1N}
SOLUTION
  • First, I did static analysis and opened the challenge file in DIE (Detect It Easy), where I saw that the file is packed:
  • so I searched for how to unpack it and found this page: https://reverseengineering.stackexchange.com/questions/30545/how-do-i-unpack-a-file-protected-by-mpress
  • These were the steps to unpack the file:
  • I followed the steps and unpacked the file successfully
  • Then I opened the unpacked file in IDA, opened the strings window, and found this:
  • I followed this string and ended up in sub_140001000
  • In sub_140001000 I found this:
  • so I took this repeated text and turned it into 0s and 1s
  • Finally, I used CyberChef to decode it from binary and got the flag