Skip to content

Latest commit

 

History

History
293 lines (264 loc) · 12.6 KB

writeup.md

File metadata and controls

293 lines (264 loc) · 12.6 KB

In script babushka.py, there are 250 functions with random generated names, half of them are not called. To seperate them we generate a list of all the random generated names in file func_names, scan again to find thoses actually contribute to the final result, we only pay attention to those function listed in file valid_funcs.

for f in `cat func_names`;do c=$(grep $f babushka.py |wc -l);if [ $c -gt 1 ];then echo $f:$c;fi;done > valid_funcs

check_key takes input string as key and pads it to reach length of 128, return a list of boolean value, combiner takes the list as parameter, return true if particular positions in the list is True.

Run combiner only with key UMASS, we get a list of 23 False from check_key.

    key = input("Oi, babushka, what's the key? ")
    combiner = types.FunctionType(types.CodeType(*pickle.loads(b'\x80\x04\x95\xcc\x00\x00\x00\x00\x00\x00\x00]\x94(K\x01K\x00K\x00K\x04K\x03KCC@d\x01}\x01|\x00D\x00]\x0c}\x02|\x01o\x12|\x02}\x01q\x08d\x02}\x03|\x00D\x00]\x0c}\x02|\x03|\x02O\x00}\x03q\x1e|\x01s4|\x03r8d\x02p>|\x00d\x03\x19\x00S\x00\x94(N\x88\x89K\x00t\x94)(\x8c\nOUVCHXMRZO\x94\x8c\nGDOZHYKENT\x94\x8c\nTZCLOUEGVM\x94\x8c\nMMBJDKSFLR\x94t\x94\x8c\x0e<OwOwhatsthis>\x94\x8c\x0cany_combiner\x94J\xa2\xee\x81\x02C\x0e\x00\x01\x04\x01\x08\x01\n\x01\x04\x01\x08\x01\n\x01\x94))e.')), globals())

    res = check_key(key)
    print(res)

Create a list of 23 True, change one position to False every time. As long as res[0] is True, the result is Yes!.

    res = [True] * 23
    for i in range(len(res)):
        res[i] = False
        if combiner(res):
            print("Yes!")
        else:
            print("No!")
        res[i] = True
python3 babushka.py <<< UMASS
Oi, babushka, what's the key? No!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!
Yes!

Insert debug code print(inspect.stack()[0].function, b) into each function before return, we are able to observe how return of each function affect the final result. Play around with different conditions, it seems if the 14th place of list returned by DSIIPABGWUFNMMMZAGWI function is True, the result is Yes!.

BHXFVDRTGGNFTXBCOMOJ [False, False, False, False]
BFUQBRFEKUSFTVYAIUBC [False, False, False, False, False, False, False, False]                                                                                       LXNQKJIZEUZPFAQFDWIY [False, False, False, False, False, False, False, False, False, False, False, False]
DSIIPABGWUFNMMMZAGWI [False, False, False, False, False, False, False, False, False, False, False, False, False, True, False, False]
GXMDJYHXMQHQTWTTLDEF [False, False, False, False, False, False, False, False, False, False, False, False, False, True, False, False, False, False, False, False]
AVMDIBYGKPJHLWZSFMZK [False, False, False, False, False, False, False, False, False, False, False, False, False, True, False, False, False, False, False, False, False, False, False, False]                                                                                                                                            
QHNSNERTVUQZQIOVLXHU [True, False, False, False]
...
check_key: [True, False, False, False, False, False, False, False, False, False, False, False, False, False, False, False, False, False, False, False, False, False, True]
Yes!

The 14th value is controlled by bytecode in function DSIIPABGWUFNMMMZAGWI. Disassemble bytecode (code0) in function DSIIPABGWUFNMMMZAGWI with Python module dis, we get another piece of bytecode(code1), disassemble code1 we get bytecodes (code2) without any further call to randomly named function. Every return appends a True or False to the list, so return of code1 might give us what we what.

import types,pickle,dis
code = types.CodeType(*pickle.loads(b'\x80\x04\x95\x11\x13\x00\x00\x00\x00\x00\x00]\x94(K\x01K\x00K...\x01\x14\x01\x16\x018\x01\x06\x01\x1a\x01\x0c\x01\x94))e.'))
dis.disco(code)

Now take a look into the dissambled code1, to make it return True we need to make the key meet all the requirements here.

42069667           0 LOAD_CONST               1 (True)
                   2 STORE_FAST               1 (OVXPEYYWSK)

42069668           4 LOAD_FAST                1 (OVXPEYYWSK)
                   6 JUMP_IF_FALSE_OR_POP   198
                   8 LOAD_GLOBAL              0 (ord)
                  10 LOAD_FAST                0 (QFBKDVBLQX)
                  12 LOAD_CONST               2 (12)
                  14 BINARY_SUBSCR
                  16 CALL_FUNCTION            1
                  18 LOAD_CONST               3 (128)
                  20 BINARY_AND
                  22 LOAD_CONST               4 (7)
                  24 BINARY_RSHIFT
                  26 LOAD_CONST               5 (0)
                  28 COMPARE_OP               2 (==)
                  30 JUMP_IF_FALSE_OR_POP   198
                  32 LOAD_GLOBAL              0 (ord)
                  34 LOAD_FAST                0 (QFBKDVBLQX)
                  36 LOAD_CONST               2 (12)
                  38 BINARY_SUBSCR
                  40 CALL_FUNCTION            1
                  42 LOAD_CONST               6 (64)
                  44 BINARY_AND
                  46 LOAD_CONST               7 (6)
                  48 BINARY_RSHIFT
                  50 LOAD_CONST               8 (1)
                  52 COMPARE_OP               2 (==)
                  54 JUMP_IF_FALSE_OR_POP   198
                  56 LOAD_GLOBAL              0 (ord)
                  58 LOAD_FAST                0 (QFBKDVBLQX)
                  60 LOAD_CONST               2 (12)
                  62 BINARY_SUBSCR
                  64 CALL_FUNCTION            1
                  66 LOAD_CONST               9 (32)
                  68 BINARY_AND
                  70 LOAD_CONST              10 (5)
                  72 BINARY_RSHIFT
                  74 LOAD_CONST               8 (1)
                  76 COMPARE_OP               2 (==)
                  78 JUMP_IF_FALSE_OR_POP   198
                  80 LOAD_GLOBAL              0 (ord)
                  82 LOAD_FAST                0 (QFBKDVBLQX)
                  84 LOAD_CONST               2 (12)
                  86 BINARY_SUBSCR
                  88 CALL_FUNCTION            1
                  90 LOAD_CONST              11 (16)
                  92 BINARY_AND
                  94 LOAD_CONST              12 (4)
                  96 BINARY_RSHIFT
                  98 LOAD_CONST               5 (0)
                 100 COMPARE_OP               2 (==)
                 102 JUMP_IF_FALSE_OR_POP   198
                 104 LOAD_GLOBAL              0 (ord)
                 106 LOAD_FAST                0 (QFBKDVBLQX)
                 108 LOAD_CONST               2 (12)
                 110 BINARY_SUBSCR
                 112 CALL_FUNCTION            1
                 114 LOAD_CONST              13 (8)
                 116 BINARY_AND
                 118 LOAD_CONST              14 (3)
                 120 BINARY_RSHIFT
                 122 LOAD_CONST               8 (1)
                 124 COMPARE_OP               2 (==)
                 126 JUMP_IF_FALSE_OR_POP   198
                 128 LOAD_GLOBAL              0 (ord)
                 130 LOAD_FAST                0 (QFBKDVBLQX)
                 132 LOAD_CONST               2 (12)
                 134 BINARY_SUBSCR
                 136 CALL_FUNCTION            1
                 138 LOAD_CONST              12 (4)
                 140 BINARY_AND
                 142 LOAD_CONST              15 (2)
                 144 BINARY_RSHIFT
                 146 LOAD_CONST               5 (0)
                 148 COMPARE_OP               2 (==)
                 150 JUMP_IF_FALSE_OR_POP   198
                 152 LOAD_GLOBAL              0 (ord)
                 154 LOAD_FAST                0 (QFBKDVBLQX)
                 156 LOAD_CONST               2 (12)
                 158 BINARY_SUBSCR
                 160 CALL_FUNCTION            1
                 162 LOAD_CONST              15 (2)
                 164 BINARY_AND
                 166 LOAD_CONST               8 (1)
                 168 BINARY_RSHIFT
                 170 LOAD_CONST               5 (0)
                 172 COMPARE_OP               2 (==)
                 174 JUMP_IF_FALSE_OR_POP   198
                 176 LOAD_GLOBAL              0 (ord)
                 178 LOAD_FAST                0 (QFBKDVBLQX)
                 180 LOAD_CONST               2 (12)
                 182 BINARY_SUBSCR
                 184 CALL_FUNCTION            1
                 186 LOAD_CONST               8 (1)
                 188 BINARY_AND
                 190 LOAD_CONST               5 (0)
                 192 BINARY_RSHIFT
                 194 LOAD_CONST               8 (1)
                 196 COMPARE_OP               2 (==)
                 ...

                3976 LOAD_GLOBAL              0 (ord)
                3978 LOAD_FAST                0 (QFBKDVBLQX)
                3980 LOAD_CONST               7 (6)
                3982 BINARY_SUBSCR
                3984 CALL_FUNCTION            1
                3986 LOAD_CONST              19 (15)
                3988 BINARY_AND
                3990 LOAD_CONST              12 (4)
                3992 BINARY_XOR
                3994 LOAD_CONST               5 (0)
                3996 COMPARE_OP               2 (==)
             >> 3998 STORE_FAST               1 (OVXPEYYWSK)

42069715        4000 LOAD_FAST                1 (OVXPEYYWSK)
                4002 EXTENDED_ARG            15
                4004 JUMP_IF_FALSE_OR_POP  4020
                4006 LOAD_GLOBAL              0 (ord)
                4008 LOAD_FAST                0 (QFBKDVBLQX)
                4010 LOAD_CONST              61 (27)
                4012 BINARY_SUBSCR
                4014 CALL_FUNCTION            1
                4016 LOAD_CONST              51 (95)
                4018 COMPARE_OP               2 (==)
             >> 4020 STORE_FAST               1 (OVXPEYYWSK)

42069716        4022 LOAD_FAST                1 (OVXPEYYWSK)
                4024 BUILD_LIST               1
                4026 STORE_FAST               1 (OVXPEYYWSK)

42069717        4028 LOAD_GLOBAL              2 (types)
                4030 LOAD_METHOD              3 (FunctionType)
                4032 LOAD_GLOBAL              2 (types)
                4034 LOAD_ATTR                4 (CodeType)
                4036 LOAD_GLOBAL              5 (pickle)
                4038 LOAD_METHOD              6 (loads)
                4040 LOAD_CONST              62 (b'\x80\x04\x95\x11\x13\x00\x00...\x01\x0c\x01\x94))e.')
                4042 CALL_METHOD              1
                4044 CALL_FUNCTION_EX         0
                4046 LOAD_GLOBAL              7 (globals)
                4048 CALL_FUNCTION            0
                4050 CALL_METHOD              2
                4052 STORE_FAST               3 (RWNMTPXTXX)

42069718        4054 LOAD_FAST                3 (RWNMTPXTXX)
                4056 LOAD_FAST                0 (QFBKDVBLQX)
                4058 CALL_FUNCTION            1
                4060 LOAD_FAST                1 (OVXPEYYWSK)
                4062 BINARY_ADD
                4064 STORE_FAST               1 (OVXPEYYWSK)

42069719        4066 LOAD_FAST                1 (OVXPEYYWSK)
                4068 RETURN_VALUE

Translate them block by block, here is the positional values of the key according to the opcodes.

s = [0]*128
s[:5] = 'UMASS'
s[5] = 123
s[6] = 112|4
s[7] = 96|8
s[8] = 51
s[9] = 80|15
s[10] = ((1<<6)&64)|((1<<5)&32)|((1<<4)&16)|((1<<1)&2)|((1<<0)&1)
s[11] = ((1<<6)&64)|((1<<5)&32)|((1<<4)&16)
s[12] = ((1<<6)&64)|((1<<5)&32)|((1<<3)&8)|((1<<0)&1)
s[13] = ((1<<5)&32)|((1<<4)&16)|((1<<0)&1)
s[14] = 49
s[15] = ((1<<6)&64)|((1<<5)&32)|((1<<0)&1)
s[16] = ((1<<6)&64)|((1<<5)&32)|((1<<2)&4)|((1<<1)&2)|((1<<0)&1)
s[17] = ((1<<5)&32)|((1<<4)&16)|((1<<1)&2)|((1<<0)&1)
s[18] = 80|15
s[19] = 98
s[20] = 112|9
s[21] = 116
s[22] = 48|3
s[23] = ((1<<6)&64)|((1<<5)&32)|((1<<1)&2)|((1<<0)&1)
s[24] = 48
s[25] = 100
s[26] = 51
s[27] = 95
s[28] = ((1<<6)&64)|((1<<5)&32)|((1<<1)&2)|((1<<0)&1)
s[29] = 112|4
s[30] = 96|6
s[31] = 116
s[32] = 96|9
s[33] = 109
s[34] = 51
s[35] = 95
s[36] = 104
s[37] = 97
s[38] = ((1<<6)&64)|((1<<5)&32)|((1<<1)&2)|((1<<0)&1)
s[39] = 96|11
s[40] = ((1<<6)&64)|((1<<5)&32)|((1<<4)&16)|((1<<3)&8)|((1<<2)&4)|((1<<0)&1)
print(''.join(s[:5])+''.join(map(chr, s[5:])))

Run the script and feed the output to babushka we get a yes!, which means this the flag.

$ python3 key.py|python3 babushka.py
Yes!