Laboratory: DEF CON CTF Quals 2016 - baby-re

delimitry, 23 May 2016

baby-re
Baby's First, 36 points
Get to reversing.

We are given a binary. We need to find 13 values (printable characters) that make up the flag and pass 13 check functions.

After a long time restoring the 13 check functions from the disassembly (yes, I solved it without Hex-Rays), I got the following 13 equations:

37485 * var[0] - 21621 * var[1] - 1874 * var[2] - 46273 * var[3] + 50633 * var[4] + 43166 * var[5] + 29554 * var[6] + 16388 * var[7] + 57693 * var[8] + 14626 * var[9] + 21090 * var[10] + 39342 * var[11] + 54757 * var[12] = 0x1468753
50936 * var[0] + 4809 * var[1] - 6019 * var[2] + 38962 * var[3] + 14794 * var[4] + 22599 * var[5] - 837 * var[6] - 36727 * var[7] - 50592 * var[8] - 11829 * var[9] - 20046 * var[10] - 9256 * var[11] + 53228 * var[12] = 0x162F30
-38730 * var[0] + 52943 * var[1] - 16882 * var[2] + 26907 * var[3] - 44446 * var[4] - 18601 * var[5] - 65221 * var[6] - 47543 * var[7] + 17702 * var[8] - 33910 * var[9] + 42654 * var[10] + 5371 * var[11] + 11469 * var[12] = 0x0FFB2939C
57747 * var[0] - 23889 * var[1] - 26016 * var[2] - 25170 * var[3] + 54317 * var[4] - 32337 * var[5] + 10649 * var[6] + 34805 * var[7] - 9171 * var[8] - 22855 * var[9] + 8621 * var[10] - 634 * var[11] - 11864 * var[12] = 0x0FFAC90E3
-14005 * var[0] + 16323 * var[1] + 43964 * var[2] + 34670 * var[3] + 54889 * var[4] - 6141 * var[5] - 35427 * var[6] - 61977 * var[7] + 28134 * var[8] + 43186 * var[9] - 59676 * var[10] + 15578 * var[11] + 50082 * var[12] = 0x76D288
-40760 * var[0] - 22014 * var[1] + 13608 * var[2] - 4946 * var[3] - 26750 * var[4] - 31708 * var[5] + 39603 * var[6] + 13602 * var[7] - 59055 * var[8] - 32738 * var[9] + 29341 * var[10] + 10305 * var[11] - 15650 * var[12] = 0x0FF78BF99
-47499 * var[0] + 57856 * var[1] + 13477 * var[2] - 10219 * var[3] - 5032 * var[4] - 21039 * var[5] - 29607 * var[6] + 55241 * var[7] - 6065 * var[8] + 16047 * var[9] - 4554 * var[10] - 2262 * var[11] + 18903 * var[12] = 0x0FFF496E3
-65419 * var[0] + 17175 * var[1] - 9410 * var[2] - 22514 * var[3] - 52377 * var[4] - 9235 * var[5] + 53309 * var[6] + 47909 * var[7] - 59111 * var[8] - 41289 * var[9] - 24422 * var[10] + 41178 * var[11] - 23447 * var[12] = 0x0FF525E90
1805 * var[0] + 4135 * var[1] - 16900 * var[2] + 33381 * var[3] + 46767 * var[4] + 58551 * var[5] - 34118 * var[6] - 44920 * var[7] - 11933 * var[8] - 20530 * var[9] + 15699 * var[10] - 36597 * var[11] + 18231 * var[12] = 0xFFFD7704
-42941 * var[0] + 61056 * var[1] - 45169 * var[2] + 41284 * var[3] - 1722 * var[4] - 26423 * var[5] + 47052 * var[6] + 42363 * var[7] + 15033 * var[8] + 18975 * var[9] + 10788 * var[10] - 33319 * var[11] + 63680 * var[12] = 0x897CBB
-37085 * var[0] - 51590 * var[1] - 17798 * var[2] - 10127 * var[3] - 52388 * var[4] + 12746 * var[5] + 12587 * var[6] + 58786 * var[7] - 8269 * var[8] + 22613 * var[9] + 30753 * var[10] - 20853 * var[11] + 32216 * var[12] = 0xFFC05F9F
36650 * var[0] + 47566 * var[1] - 33282 * var[2] - 59180 * var[3] + 65196 * var[4] + 9228 * var[5] - 59599 * var[6] - 62888 * var[7] + 48719 * var[8] + 47348 * var[9] - 37592 * var[10] + 57612 * var[11] + 40510 * var[12] = 0x3E4761
51735 * var[0] + 35879 * var[1] - 63890 * var[2] + 4102 * var[3] + 59511 * var[4] - 21386 * var[5] - 20769 * var[6] + 26517 * var[7] + 28153 * var[8] + 25252 * var[9] - 43789 * var[10] + 25633 * var[11] + 7314 * var[12] = 0x1B4945

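So, to find all the variables, we need to solve a system of linear equations. The right-hand sides of the form 0xFF... are negative 32-bit two's-complement values, so they are entered as signed decimals. I used Wolfram Mathematica to solve it: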

Solve[{37485*v0 - 21621*v1 - 1874*v2 - 46273*v3 + 50633*v4 + 
    43166*v5 + 29554*v6 + 16388*v7 + 57693*v8 + 14626*v9 + 
    21090*v10 + 39342*v11 + 54757*v12 == 21399379, 
  50936*v0 + 4809*v1 - 6019*v2 + 38962*v3 + 14794*v4 + 22599*v5 - 
    837*v6 - 36727*v7 - 50592*v8 - 11829*v9 - 20046*v10 - 9256*v11 + 
    53228*v12 == 
   1453872, -38730*v0 + 52943*v1 - 16882*v2 + 26907*v3 - 44446*v4 - 
    18601*v5 - 65221*v6 - 47543*v7 + 17702*v8 - 33910*v9 + 
    42654*v10 + 5371*v11 + 11469*v12 == -5074020, 
  57747*v0 - 23889*v1 - 26016*v2 - 25170*v3 + 54317*v4 - 32337*v5 + 
    10649*v6 + 34805*v7 - 9171*v8 - 22855*v9 + 8621*v10 - 634*v11 - 
    11864*v12 == -5467933, -14005*v0 + 16323*v1 + 43964*v2 + 
    34670*v3 + 54889*v4 - 6141*v5 - 35427*v6 - 61977*v7 + 28134*v8 + 
    43186*v9 - 59676*v10 + 15578*v11 + 50082*v12 == 
   7787144, -40760*v0 - 22014*v1 + 13608*v2 - 4946*v3 - 26750*v4 - 
    31708*v5 + 39603*v6 + 13602*v7 - 59055*v8 - 32738*v9 + 
    29341*v10 + 10305*v11 - 15650*v12 == -8863847, -47499*v0 + 
    57856*v1 + 13477*v2 - 10219*v3 - 5032*v4 - 21039*v5 - 29607*v6 + 
    55241*v7 - 6065*v8 + 16047*v9 - 4554*v10 - 2262*v11 + 
    18903*v12 == -747805, -65419*v0 + 17175*v1 - 9410*v2 - 22514*v3 - 
    52377*v4 - 9235*v5 + 53309*v6 + 47909*v7 - 59111*v8 - 41289*v9 - 
    24422*v10 + 41178*v11 - 23447*v12 == -11379056, 
  1805*v0 + 4135*v1 - 16900*v2 + 33381*v3 + 46767*v4 + 58551*v5 - 
    34118*v6 - 44920*v7 - 11933*v8 - 20530*v9 + 15699*v10 - 
    36597*v11 + 18231*v12 == -166140, -42941*v0 + 61056*v1 - 
    45169*v2 + 41284*v3 - 1722*v4 - 26423*v5 + 47052*v6 + 42363*v7 + 
    15033*v8 + 18975*v9 + 10788*v10 - 33319*v11 + 63680*v12 == 
   9010363, -37085*v0 - 51590*v1 - 17798*v2 - 10127*v3 - 52388*v4 + 
    12746*v5 + 12587*v6 + 58786*v7 - 8269*v8 + 22613*v9 + 30753*v10 - 
    20853*v11 + 32216*v12 == -4169825, 
  36650*v0 + 47566*v1 - 33282*v2 - 59180*v3 + 65196*v4 + 9228*v5 - 
    59599*v6 - 62888*v7 + 48719*v8 + 47348*v9 - 37592*v10 + 
    57612*v11 + 40510*v12 == 4081505, 
  51735*v0 + 35879*v1 - 63890*v2 + 4102*v3 + 59511*v4 - 21386*v5 - 
    20769*v6 + 26517*v7 + 28153*v8 + 25252*v9 - 43789*v10 + 
    25633*v11 + 7314*v12 == 1788229}, {v0, v1, v2, v3, v4, v5, v6, v7,
   v8, v9, v10, v11, v12}]

Mathematica successfully solved it:

{{v0 -> 77, v1 -> 97, v2 -> 116, v3 -> 104, v4 -> 32, v5 -> 105, v6 -> 115, v7 -> 32, v8 -> 104, v9 -> 97, v10 -> 114, v11 -> 100, v12 -> 33}}

Converting these values to characters in Python:

print(''.join(map(chr, [77, 97, 116, 104, 32, 105, 115, 32, 104, 97, 114, 100, 33])))

And the flag is: Math is hard!
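
The same system can be solved without Mathematica. The following is an added example, not part of the original writeup: it takes the coefficients and raw hex constants from the 13 equations above, reinterprets the constants as signed 32-bit integers, and solves exactly with Gauss-Jordan elimination over the rationals. The names `to_signed32`, `solve` and `recover_flag` are chosen here for illustration.

```python
from fractions import Fraction

# Coefficients and raw 32-bit constants copied from the 13 equations above.
A = [
    [37485, -21621, -1874, -46273, 50633, 43166, 29554, 16388, 57693, 14626, 21090, 39342, 54757],
    [50936, 4809, -6019, 38962, 14794, 22599, -837, -36727, -50592, -11829, -20046, -9256, 53228],
    [-38730, 52943, -16882, 26907, -44446, -18601, -65221, -47543, 17702, -33910, 42654, 5371, 11469],
    [57747, -23889, -26016, -25170, 54317, -32337, 10649, 34805, -9171, -22855, 8621, -634, -11864],
    [-14005, 16323, 43964, 34670, 54889, -6141, -35427, -61977, 28134, 43186, -59676, 15578, 50082],
    [-40760, -22014, 13608, -4946, -26750, -31708, 39603, 13602, -59055, -32738, 29341, 10305, -15650],
    [-47499, 57856, 13477, -10219, -5032, -21039, -29607, 55241, -6065, 16047, -4554, -2262, 18903],
    [-65419, 17175, -9410, -22514, -52377, -9235, 53309, 47909, -59111, -41289, -24422, 41178, -23447],
    [1805, 4135, -16900, 33381, 46767, 58551, -34118, -44920, -11933, -20530, 15699, -36597, 18231],
    [-42941, 61056, -45169, 41284, -1722, -26423, 47052, 42363, 15033, 18975, 10788, -33319, 63680],
    [-37085, -51590, -17798, -10127, -52388, 12746, 12587, 58786, -8269, 22613, 30753, -20853, 32216],
    [36650, 47566, -33282, -59180, 65196, 9228, -59599, -62888, 48719, 47348, -37592, 57612, 40510],
    [51735, 35879, -63890, 4102, 59511, -21386, -20769, 26517, 28153, 25252, -43789, 25633, 7314],
]
B = [0x1468753, 0x162F30, 0xFFB2939C, 0xFFAC90E3, 0x76D288, 0xFF78BF99, 0xFFF496E3,
     0xFF525E90, 0xFFFD7704, 0x897CBB, 0xFFC05F9F, 0x3E4761, 0x1B4945]

def to_signed32(x):
    """Interpret a 32-bit constant as a two's-complement signed integer."""
    return x - (1 << 32) if x & 0x80000000 else x

def solve(a, b):
    """Exact Gauss-Jordan elimination over the rationals (no rounding error)."""
    n = len(a)
    m = [[Fraction(c) for c in row] + [Fraction(to_signed32(r))] for row, r in zip(a, b)]
    for col in range(n):
        # pick any row at or below the diagonal with a non-zero entry in this column
        pivot = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[pivot] = m[pivot], m[col]
        m[col] = [v / m[col][col] for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [row[-1] for row in m]

def recover_flag():
    sol = solve(A, B)
    # each unknown must come out as an integer in the printable ASCII range
    if not all(v.denominator == 1 and 32 <= v <= 126 for v in sol):
        raise ValueError("solution is not printable ASCII")
    return "".join(chr(int(v)) for v in sol)

if __name__ == "__main__":
    print(recover_flag())
```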