ISITDTU CTF 2019 Quals Writeup
2019-06-30 22:46:49 Author:查看原文) 阅读量:95 收藏

I played the ISITDTU CTF 2019 Quals as a member of zer0pts. We got 7655 points and reached 10th place. Excepting that the score server was very slow entire the competition and some of challenges were not CTF challenges, I almost enjoyed this competition. Thank you admins for holding this CTF!


[Reverse 100points] Pytecode

We were given a disassembled python bytecode file. Because it had a simple structure, I could decompile it by my hand. As it gave a lot of constraints for the input, I used the z3 to determine the correct input.

from z3 import *

flag = [Int("x%d" % i) for i in range(30)]
solver = Solver()

for f in flag:
    solver.add(0x20 <= f, f <= 0x7F)

solver.add(flag[0] + 52 == flag[-1])
solver.add(flag[-1] - 2 == flag[7])
for i, c in enumerate("ISITDTU"):
    solver.add(flag[i] == ord(c))

solver.add(flag[9] == flag[14])
solver.add(flag[19] == flag[14])
solver.add(flag[19] == flag[24])
solver.add(flag[8] == 49)
solver.add(flag[8] == flag[16])

for i, c in enumerate("d0nT"):
    solver.add(flag[i + 10] == ord(c))

solver.add(flag[18] == ord("3"))
solver.add(flag[23] == ord("3"))
solver.add(flag[28] == ord("3"))

solver.add(flag[15] == ord("L"))

solver.add(flag[17] == 107)
solver.add(flag[20] + 2 == flag[27])
solver.add(flag[27] == 100)
solver.add(flag[20] >= 97)
solver.add(flag[27] % 100 == 0)
solver.add(flag[25] == ord("C"))
    ord("0") <= flag[26],
    flag[26] <= ord("9"),
    flag[26] % 2 == 0,
    flag[26] % 3 == 0,
    flag[26] % 4 == 0,
solver.add(ord("0") <= flag[23], flag[23] <= ord("9"), flag[23] == ord("3"))
solver.add(flag[22] == flag[13] + 0x20)

solver.add(sum(flag) == 2441)
solver.add(flag[7] == ord("{"))
solver.add(flag[9] == ord("_"))

if solver.check() != sat:

model = solver.model()
flag_str = ""
for f in flag:
    flag_str += chr(model[f].as_long())

This script outs ISITDTU{1_d0nT_L1k3_b:t3_C0d3}.

[Programming 100points] Do you like math?

This is not a CTF challenge.

from ptrlib import Socket

symbols = [
# #
#     #
#     #
#     #
#    #
#    #
#    #
#     #
#     #
#     #
#     #
#    #
#     #
#     #
#     #
#     #
#     #
#     #
#     #
 #   #
#     #
#     #
#     #
 #   #



 #   #
  # #
  # #
 #   #




def get_symbol(lines, p):
    for sym in symbols:
        is_this = True
        for i, symline in enumerate(sym[0].split("\n")):
            if i >= len(lines):
            if not lines[i][p:].startswith(symline):
                is_this = False
        if is_this:
            width = 0
            for symline in sym[0].split("\n"):
                width = max(width, len(symline))
            return (sym[1], width + p + 1)
    return ("=", p)

sock = Socket("", 8083)

cnt = 0
while True:
    lines = []
    for _ in range(9):
        line = sock.recvline().decode().rstrip()
        print(line, flush=True)
    sock.recvuntil(">>> ")

    expr = ""
    p = 0
    while True:
        sym, p = get_symbol(lines, p)
        if sym == "=":
        expr += sym
    print("{}: {}".format(cnt, expr))
    cnt += 1

    if cnt == 100:

