Skip to content

Instantly share code, notes, and snippets.

@g05u

g05u/venom_solver.py

Last active August 29, 2015 14:20
Show Gist options
  • Save g05u/659e0da9084763a15f6a to your computer and use it in GitHub Desktop.
Save g05u/659e0da9084763a15f6a to your computer and use it in GitHub Desktop.
Download ZIP
TJCTF 2015 Venom reversing chall
Raw
venom_solver.py
import struct, random
# TJCTF 2015 Venom reversing chall
# www.null-life.com
# @_g05u_
f = open('./venom', 'rb')
data = f.read()
f.close()
s = '1462132F222E292F'.decode('hex')
i = data.find(s)
data = data[i : i + (53 * 53)]
tmp = map(lambda x: ord(x) ^ 42, data)
bytes = [[tmp[r * 53 + c] for c in range(53)] for r in range(53)]
xxx = [0] * 30
for xxxx in range(256):
output = [0] * 3348
pwd = chr(xxxx) * 27
ip = 0
row = 0
col = 0
resta = 0
index = 0
inc = 0
multi = 0
col_inc = [11, -11, 0, 0]
row_inc = [0, 0, 11, -11]
fl_exit = False
flfl = False
while True:
b = bytes[row][col]
#print 'Opt: %s' % chr(b)
while True:
if b == 34:
resta = 1 - resta
break
if resta:
output[index] = b
index += 1
break
if b == 62:
inc = 0
break
if b == 60:
inc = 1
break
if b == 118:
inc = 2
break
if b == 94:
inc = 3
break
if b == 106:
multi += 1
index = multi * 1116
break
if b >= 0x30 and b <= 0x39:
output[index] = b - 0x30
index += 1
break
if b == 103:
v = index - 1
v2 = output[v]
v -= 1
output[v] = output[1116 * output[v] + v2]
index = v + 1
break
if b == 115:
v = index - 1
v2 = output[v]
v -= 1
v3 = output[v]
index = v - 1
output[1116 * output[index] + v3] = v2
break
if b == 112:
index -= 1
break
if b == 109:
output[index - 1] = output[index - 1]%256
break
if b == 110:
v = index - 1
v2 = output[v]
v -= 1
output[v] = (~(v2 | output[v])) & 0xFFFF
index = v + 1
break
if b == 45:
v = index - 1
v2 = output[v]
v -= 1
output[v] = (output[v] - v2) & 0xFFFF
index = v + 1
break
if b == 43:
v = index - 1
v2 = output[v]
v -= 1
output[v] = (output[v] + v2) & 0xFFFF
index = v + 1
break
if b == 42:
v = index - 1
v2 = output[v]
v -= 1
output[v] = (output[v] * v2) & 0xFFFF
index = v + 1
break
if b == 99:
v = index - 1
v2 = output[v]
v -= 1
if output[v] == v2:
xxx[ip] = xxxx
flfl = True
output[v] = (output[v] ^ v2) & 0xFFFF
index = v + 1
break
if b == 105:
output[index] = ord(pwd[ip])
index += 1
ip += 1
break
if b == 124:
v = index - 1
v2 = output[v] & 0xFFFF
index = v - 1
if output[index] <= v2:
if output[index] < v2:
inc = 3
else:
inc = 2
break
if b == 95:
v = index - 1
v2 = output[v] & 0xFFFF
index = v - 1
if output[index] <= v2:
if output[index] < v2:
inc = 1
else:
inc = 0
break
if b == 114:
fl_exit = True
break
if b == 63:
inc = random.randint(0, 3)
break
#Fin While
if fl_exit:
break
col = (col_inc[inc] + 53 + col) % 53
row = (row_inc[inc] + 53 + row) % 53
if flfl:
print 'Flag: %s' % ''.join(map(chr, xxx))
'''
Flag: 1
Flag: 13
Flag: 413
Flag: 41355
Flag: 41_3_5_5
Flag: 41a_a3_5_5
Flag: b41a_ba3_5_5
Flag: b41ca_ba3_5_5
Flag: b41ca_ba3f_5_5
Flag: b41call_bal3fl_l5_l5
Flag: b41call_bal3fl_pl5_pl5
Flag: b4s1call_bal3fl_pl5_pl5
Flag: b4s1call_bal3ful_plu5_plu5
Flag: b4s1cally_bal3ful_plu5_plu5
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment