Category: binary - Points: 75
Description: The flag is in the form of two words separated by an underscore.
The task comes with the file and_so_on.exe. As always, we first check that the extension matches the actual file type:
$ file and_so_on.exe
and_so_on.exe: PE32 executable for MS Windows (console) Intel 80386 32-bit
Seems legit. So we fire up our Windows virtual machine and try to play with it:
C:\ctf>and_so_on.exe
LoadLibrary(pythondll) failed.
The specified module could not be found.
PYTHON27.DLL
Ok, it seems to be a Python program. Let's give it the DLL so we can play:
C:\ctf>and_so_on.exe
Welcome, try your favorite number.
>>> 0
1
>>> 1
4
>>> 2
1
>>> 3
5
>>> 4
9
>>> 5
2
>>> 6
6
>>> 7
5
14159265 are the first decimals of π. We could fire up IDA to check what's going on, but since the program seems to use Python, let's check if we can get the Python script out of it. We run strings first, and among lots of semi-interesting strings there are also things like:
PY2EXE_VERBOSE
PY2EXE_VERBOSE
C:\Python27\lib\site-packages\py2exe\boot_common.pyR
This confirms the executable was built with py2exe, so we extract the embedded bytecode with unpy2exe and decompile it with uncompyle2:
$ python unpy2exe.py and_so_on.exe
Magic value: 78563412
Code bytes length: 4029
Archive name: library.zip
Extracting C:\Python27\lib\site-packages\py2exe\boot_common.py.pyc
Extracting pypy.py.pyc
$ uncompyle2 --py -o . pypy.py.pyc
+++ okay decompyling pypy.py.pyc
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
The decompiled pypy.py.py is:
First we note that bigstring reversed (because of the [::-1]) is actually the decimals of π.
list1 is exactly:
[762, 763, 764, 765, 766, 767]
The main loop asks the user to enter numbers, which are used as indexes into bigstring to retrieve and print the corresponding digit (wrapping around to the beginning if the number is greater than 1000). The last six numbers entered by the user are kept in a list which is passed to comp1. So if the last six numbers from the user are [762, 763, 764, 765, 766, 767], the following string is printed and the program exits:
You've done well, what you've reached is the answer.
Let’s try it:
C:\ctf>and_so_on.exe
Welcome, try your favorite number.
>>> 762
9
>>> 763
9
>>> 764
9
>>> 765
9
>>> 766
9
>>> 767
8
You've done well, what you've reached is the answer.
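To make the checker logic concrete, here is an added reconstruction of what the writeup describes (this is not the decompiled pypy.py, which is not reproduced on this page). It is example code written for this writeup: the decimals of π are computed locally with Machin's formula instead of being pasted from the binary, the index wrap-around is assumed to be a modulo 1000, and the names lookup and run are our own; list1 and comp1 follow the writeup. Running it reproduces both transcripts above.

```python
# Added example (not the challenge's decompiled script): a reconstruction of the
# checker logic the writeup describes. Assumptions: index wraps with modulo 1000,
# and the "reversed bigstring" is rebuilt from pi decimals computed here.

N_DIGITS = 1000                            # the table holds the first 1000 decimals
LIST1 = [762, 763, 764, 765, 766, 767]     # target index sequence from the writeup


def arctan_inv(x: int, one: int) -> int:
    """Return arctan(1/x) scaled by `one`, via the Taylor series in fixed-point ints."""
    power = one // x          # one / x^(2k+1), starting at k = 0
    total = power
    x_sq = x * x
    k = 0
    while power:
        k += 1
        power //= x_sq
        term = power // (2 * k + 1)
        total += -term if k % 2 else term   # alternating signs
    return total


def pi_decimals(n: int) -> str:
    """First n decimals of pi from Machin: pi = 16*arctan(1/5) - 4*arctan(1/239)."""
    one = 10 ** (n + 10)      # 10 guard digits absorb the truncation error
    pi_scaled = 16 * arctan_inv(5, one) - 4 * arctan_inv(239, one)
    return str(pi_scaled)[1:1 + n]   # drop the leading "3", keep n decimals


# The binary stores the decimals reversed and undoes that with [::-1];
# we construct the same layout so lookups match the transcript.
BIGSTRING = pi_decimals(N_DIGITS)[::-1]


def lookup(number: int) -> str:
    """Digit printed for a user-supplied number (wrap at 1000 is an assumption)."""
    return BIGSTRING[::-1][number % N_DIGITS]


def comp1(last_six: list) -> bool:
    """The comparison the writeup describes: the last six inputs must equal list1."""
    return last_six == LIST1


def run(inputs):
    """Feed numbers to the simulated program; return (printed digits, solved)."""
    history = []
    outputs = []
    for n in inputs:
        outputs.append(lookup(n))
        history = (history + [n])[-6:]      # keep only the last six inputs
        if comp1(history):
            return outputs, True            # "You've done well, ..." and exit
    return outputs, False


if __name__ == "__main__":
    digits, solved = run([0, 1, 2, 3, 4, 5, 6, 7])
    print("".join(digits), solved)          # 14159265 False
    digits, solved = run(LIST1)
    print("".join(digits), solved)          # 999998 True
```

The 0-indexed lookups explain why the transcript shows five 9's and then an 8: the run of six 9's starts at the 762nd decimal place (index 761), so indexes 762 to 766 are still inside it and index 767 is the 8 that follows.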
After spending some time on the result, we thought it quite interesting that within the first 1000 digits of π there are five 9's in a row. This is actually a famous sequence, known as the Feynman Point:
Remembering that the description of the task was:
The flag is in the form of two words separated by an underscore, the flag is: