{"id":884,"date":"2021-04-16T10:25:35","date_gmt":"2021-04-16T10:25:35","guid":{"rendered":"http:\/\/student-activity.binus.ac.id\/csc\/?p=884"},"modified":"2021-04-16T10:25:35","modified_gmt":"2021-04-16T10:25:35","slug":"picoctf%e2%80%8c-%e2%80%8c2021%e2%80%8c-%e2%80%8cwriteup%e2%80%8c","status":"publish","type":"post","link":"https:\/\/student-activity.binus.ac.id\/csc\/2021\/04\/picoctf%e2%80%8c-%e2%80%8c2021%e2%80%8c-%e2%80%8cwriteup%e2%80%8c\/","title":{"rendered":"PICOCTF\u200c \u200c2021\u200c \u200cWRITEUP\u200c"},"content":{"rendered":"

Pada artikel CTF kali ini, kami akan membahas mengenai PICOCTF 2021 yang bisa kalian akses soalnya di <\/span>https:\/\/picoctf.org\/<\/span><\/a>. Soal yang akan kami jelaskan adalah soal Reverse Engineering yang bernama <\/span>Transformation<\/strong> dengan nilai 20 poin.<\/span><\/p>\n

\"\"<\/p>\n

Attached file content:<\/b><\/p>\n

enc :<\/span><\/p>\n\n\n\n
\u7069\u636f\u4354\u467b\u3136\u5f62\u6974\u735f\u696e\u7374\u3334\u645f\u6f66\u5f38\u5f65\u3134\u3161\u3066\u377d<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\n

Analisa Soal<\/b><\/p>\n

Diberikan sebuah <\/span>text<\/span><\/i> yang nampaknya sudah terenkripsi menggunakan <\/span>code python <\/span><\/i>yang telah diberikan. Kami mencoba untuk memodifikasi <\/span>code <\/span><\/i>tersebut agar lebih mudah dimengerti. Setelah dianalisa, <\/span>code<\/span><\/i> tersebut dapat kita rekonstruksi menjadi seperti ini:\u00a0<\/span><\/p>\n\n\n\n
def<\/b> encrypted<\/b>(flag):<\/span>
\n<\/span>\u00a0 \u00a0 enc = <\/span>“”<\/span>
\n<\/span>\u00a0 \u00a0 <\/span>for<\/b> i <\/span>in<\/b> range(<\/span>0<\/span>, len(flag), <\/span>2<\/span>):<\/span>
\n<\/span> \u00a0 <\/span> enc += chr((ord(flag[i]) << <\/span>8<\/span>) + ord(flag[i + <\/span>1<\/span>]))<\/span>
\n<\/span>
\n<\/span>\u00a0 \u00a0 dec = <\/span>”<\/span>.join(enc)<\/span>
\n<\/span>\u00a0 \u00a0 print(dec)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\n

Alur <\/b>code<\/i><\/b>:<\/b><\/p>\n

    \n
  1. Fungsi <\/span>encrypted<\/em> <\/span>akan menerima <\/span>string<\/em> <\/span>flag.<\/span><\/li>\n
  2. Fungsi akan mengambil per 2 karakter. Dimana karakter pertama akan diubah ke bentuk desimal dan di-<\/span>shift<\/span><\/em> sebanyak 8 bit ke kiri. Kemudian hasilnya akan ditambahkan dengan nilai desimal karakter setelahnya. Jumlah nilai ini akan dijadikan karakter baru melalui fungsi chr().<\/span><\/li>\n
  3. Proses ini dilakukan secara repetitif hingga seluruh karakter dari<\/span> string<\/span><\/em> flag terenkripsi.<\/span><\/li>\n<\/ol>\n

    *catatan: Karena fungsi mengambil per 2 karakter, maka total panjang hasil enkripsi akan berjumlah setengahnya dari string flag. Hal itu menandakan bahwa panjang flag pasti genap.<\/span><\/em><\/p>\n

    \n

    Solusi<\/b><\/p>\n

    Berarti yang harus kami lakukan adalah men-<\/span>shift<\/span><\/em> setiap karakter yang telah dienkripsi sebanyak 8 kali ke kanan. Dan beginilah scriptnya:\u00a0<\/span><\/p>\n\n\n\n
    file = open(<\/span>“enc”<\/span>, <\/span>“r”<\/span>).read()<\/span>
    \n<\/span>shifted = <\/span>“”<\/span>
    \n<\/span>for<\/b> i <\/span>in<\/b> file:<\/span>
    \n<\/span>\u00a0 \u00a0 shifted += chr(ord(i) >> <\/span>8<\/span>)<\/span>
    \n<\/span>print(shifted)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    \n

    Output:<\/b><\/p>\n\n\n\n
    pcCF1_isis3do__1107<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Dari pola <\/span>output<\/span><\/em> yang kita temukan, mulai terbentuk format flag \u201cpicoCTF{\u201d. Jika kita perhatikan, ada huruf-huruf yang hilang dari flag orisinil, yaitu setiap karakter di urutan genap. Jadi apabila digambarkan flag sesungguhnya akan berbentuk seperti di bawah ini:<\/span><\/p>\n

    \n\n\n\n
    p*c*C*F*<\/span>1<\/span>*_*i*s*i*s*<\/span>3<\/span>*d*o*_*_*<\/span>1<\/span>*<\/span>1<\/span>*<\/span>0<\/span>*<\/span>7<\/span>*<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Bagaimana cara mendapatkan karakter-karakter yang hilang tersebut? Sebelumnya kita ketahui bahwa karakter hasil enkripsi tersusun dari karakter yang sudah di-<\/span>shift<\/span><\/em> 8 kali dan dijumlahkan dengan nilai desimal karakter setelahnya. Sekarang coba kita bandingkan nilai desimal karakter-karakter hasil enkripsi dengan nilai desimal karakter output<\/em> yang kita temukan, namun di-shift<\/em> 8 ke kanan.\u00a0<\/span><\/p>\n

    \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    Decimal <\/i><\/b>Karakter Hasil Enkripsi<\/b><\/td>\nDecimal 8 bit Shifted Output<\/i><\/b><\/td>\n<\/tr>\n
    28777<\/span><\/td>\n28672<\/span><\/td>\n<\/tr>\n
    25455<\/span><\/td>\n25344<\/span><\/td>\n<\/tr>\n
    17236<\/span><\/td>\n17152<\/span><\/td>\n<\/tr>\n
    18043<\/span><\/td>\n17920<\/span><\/td>\n<\/tr>\n
    12598<\/span><\/td>\n12544<\/span><\/td>\n<\/tr>\n
    24418<\/span><\/td>\n24320<\/span><\/td>\n<\/tr>\n
    26996<\/span><\/td>\n26880<\/span><\/td>\n<\/tr>\n
    29535<\/span><\/td>\n29440<\/span><\/td>\n<\/tr>\n
    26990<\/span><\/td>\n26880<\/span><\/td>\n<\/tr>\n
    29556<\/span><\/td>\n29440<\/span><\/td>\n<\/tr>\n
    13108<\/span><\/td>\n13056<\/span><\/td>\n<\/tr>\n
    25695<\/span><\/td>\n25600<\/span><\/td>\n<\/tr>\n
    28518<\/span><\/td>\n28416<\/span><\/td>\n<\/tr>\n
    24376<\/span><\/td>\n24320<\/span><\/td>\n<\/tr>\n
    24421<\/span><\/td>\n24320<\/span><\/td>\n<\/tr>\n
    12596<\/span><\/td>\n12544<\/span><\/td>\n<\/tr>\n
    12641<\/span><\/td>\n12544<\/span><\/td>\n<\/tr>\n
    12390<\/span><\/td>\n12288<\/span><\/td>\n<\/tr>\n
    14205<\/span><\/td>\n14080<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n


    \n<\/b>Jika dibandingkan, ada selisih antara hasil enkripsi dengan <\/span>shifted<\/span> output<\/span><\/em>. Nilai selisih itu adalah nilai desimal dari karakter-karakter yang hilang. Mengapa? Karena pada proses enkripsi nilai yang ter-<\/span>shift<\/span><\/em> dijumlahkan dengan angka-angka ini. Jadi, yang perlu kita lakukan adalah mengubah nilai selisih tersebut menjadi bentuk karakter.\u00a0 Contohnya, selisih nilai pada karakter pertama adalah 105 atau \u201ci\u201d dalam bentuk desimal. Artinya, karakter flag yang kedua adalah \u201ci\u201d.<\/span><\/p>\n

    \n

    Untuk mempermudah, bisa kita gunakan kode seperti ini:<\/span><\/p>\n\n\n\n
    shifted2 = <\/span>“”<\/span>
    \n<\/span>for<\/b> j <\/span>in<\/b> range(len(file)):<\/span>
    \n<\/span>\u00a0 \u00a0 shifted2 += chr(ord(file[j])-(ord(shifted[j]) << <\/span>8<\/span>))<\/span>
    \n<\/span>print(shifted2)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    \n

    Output:<\/b><\/p>\n\n\n\n
    ioT{<\/span>6<\/span>bt_nt4_f8e4af}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Dikarenakan kita sudah mendapatkan setiap karakter urutan genap. Kita dapat menggabungkan output hasil ganjil dengan output<\/em> hasil genap. Berikut script lengkap yang digunakan:\u00a0<\/span><\/p>\n\n\n\n
    file = open(<\/span>“enc”<\/span>, <\/span>“r”<\/span>).read()<\/span>
    \n<\/span>shifted = <\/span>“” #<\/span>pcCF1_isis3do__1107<\/span>
    \n<\/span>for<\/b> i <\/span>in<\/b> file:<\/span>
    \n<\/span>\u00a0 \u00a0 shifted += chr(ord(i) >> <\/span>8<\/span>)<\/span>
    \n<\/span>
    \n<\/span>shifted2 = <\/span>“” #<\/span>ioT{<\/span>6<\/span>bt_nt4_f8e4af}<\/span>
    \n<\/span>for<\/b> j <\/span>in<\/b> range(len(file)):<\/span>
    \n<\/span>\u00a0 \u00a0 shifted2 += chr(ord(file[j])-(ord(shifted[j]) << <\/span>8<\/span>))<\/span>
    \n<\/span>
    \n<\/span>for<\/b> i <\/span>in<\/b> range(len(shifted)):<\/span>
    \n<\/span>\u00a0 \u00a0 print(shifted[i], end=<\/span>“”<\/span>)<\/span>
    \n<\/span>\u00a0 \u00a0 print(shifted2[i], end=<\/span>“”<\/span>)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    \n

    Output<\/b>:<\/span><\/p>\n\n\n\n
    picoCTF{<\/span>16<\/span>_bits_inst34d_of_8_e141a0f7}<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    \n","protected":false},"excerpt":{"rendered":"

    Pada artikel CTF kali ini, kami akan membahas mengenai PICOCTF 2021 yang bisa kalian akses soalnya di https:\/\/picoctf.org\/. Soal yang akan kami jelaskan adalah soal Reverse Engineering yang bernama Transformation dengan nilai 20 poin. Attached file content: enc : \u7069\u636f\u4354\u467b\u3136\u5f62\u6974\u735f\u696e\u7374\u3334\u645f\u6f66\u5f38\u5f65\u3134\u3161\u3066\u377d Analisa Soal Diberikan sebuah text yang nampaknya sudah terenkripsi menggunakan code python yang telah diberikan. […]<\/p>\n","protected":false},"author":42,"featured_media":891,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[20,22,21],"class_list":["post-884","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","tag-ctf","tag-ctf-writeup","tag-writeup"],"_links":{"self":[{"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/posts\/884","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/comments?post=884"}],"version-history":[{"count":10,"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/posts\/884\/revisions"}],"predecessor-version":[{"id":898,"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/posts\/884\/revisions\/898"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/media\/891"}],"wp:attachment":[{"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/media?parent=884"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/categories?post=884"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/student-activity.binus.ac.id\/csc\/wp-json\/wp\/v2\/tags?post=884"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}