CTF(x) - 50 - λ - Cryptography

Information

Version

By Version Comment
noraj 1.0 Creation

CTF

Description

I used this program to encrypt a flag. The output was: n1s4_t1An([email protected]_h3)m3lp3y__Eas

file: λ.py

Solution

TL;DR: this solution is just a trick, not a smart de-obfuscation.

  • Here is the code of λ.py:

print (lambda j,m:(lambda f,t:t if len(t) <= 1 else j([f(f,x)for x in m(j,m(reversed,(lambda s:zip(*[iter(s)]*(len(s)/2)))(t+"\x01"*(len(t)%2))))]))(lambda f,t:t if len(t) <= 1 else j([f(f,x)for x in m(j,m(reversed,(lambda s: zip(*[iter(s)]*(len(s)/2)))(t+"\x01"*(len(t)%2))))]),raw_input("Plaintext:")))(''.join,map).replace("\x01","")

  • The code is clearly obfuscated, and even beautified it's still a mess.
  • Since I didn't want my brain to blow up trying to de-obfuscate this, I worked around it.
  • I realized that, with enough iterations, we can get back the original string. So I modified the code to "brute-force" the right combination:

# Modified code (Python 2, like the original λ.py)
mixed_flag = "n1s4_t1An([email protected]_h3)m3lp3y__Eas"
for i in range(100):
    # Feed the previous output back into the original obfuscated transformation
    old_mixed_flag = mixed_flag
    mixed_flag = (lambda j, m: (lambda f, t: t
        if len(t) <= 1
        else j([f(f, x) for x in m(j, m(reversed, (lambda s: zip(*[iter(s)] * (len(s) / 2)))(t + "\x01" * (len(t) % 2))))]))(lambda f, t: t
        if len(t) <= 1
        else j([f(f, x) for x in m(j, m(reversed, (lambda s: zip(*[iter(s)] * (len(s) / 2)))(t + "\x01" * (len(t) % 2))))]), old_mixed_flag))(''.join, map).replace("\x01", "")
    # Print the iteration number next to each candidate so it can be grepped
    print(str(i) + " " + mixed_flag)

  • Here is the unfiltered output, which is quite long:

┌─[[email protected]]─[~/CTF/CTFx/2016/50-lambda_λ-cryptography]
└──╼ #python lambda_λ.py
0 c1t([email protected]_n1nAt1_y_p3sEah_3pll3)m
1 n_14s1tnA([email protected]_3m3)p_3_yhasE
2 cf1([email protected]_An1ty_h_3Eas_l3lpp)m3
[...]
97 n_14s1tnA([email protected]_3m3)_l3_ypasE
98 cf1([email protected]_An1ty_pl3Eas_h3lp_)m3
99 ns_41t1An([email protected]_h33)mlp3y__sEa

  • Now let's see what begins with ctf(

┌─[[email protected]]─[~/CTF/CTFx/2016/50-lambda_λ-cryptography]
└──╼ #python lambda_λ.py | grep 'ctf('
4 ctf([email protected]_1nsnAt1_y_h3asElp3pl_m3)
10 ctf([email protected]_1nsAn1ty__p3asEh_3lplm3)
16 ctf([email protected]_1nsnAt1_yl_3asEp_3plhm3)
22 ctf([email protected]_1nsAn1ty_h_3asE_l3lppm3)
28 ctf([email protected]_1nsnAt1_ypl3asE_h3pl_m3)
34 ctf([email protected]_1nsAn1ty__h3asElp3lp_m3)
40 ctf([email protected]_1nsnAt1_y_p3asEh_3pllm3)
46 ctf([email protected]_1nsAn1ty_l_3asEp_3lphm3)
52 ctf([email protected]_1nsnAt1_yh_3asE_l3plpm3)
58 ctf([email protected]_1nsAn1ty_pl3asE_h3lp_m3)
64 ctf([email protected]_1nsnAt1_y_h3asElp3pl_m3)
70 ctf([email protected]_1nsAn1ty__p3asEh_3lplm3)
76 ctf([email protected]_1nsnAt1_yl_3asEp_3plhm3)
82 ctf([email protected]_1nsAn1ty_h_3asE_l3lppm3)
88 ctf([email protected]_1nsnAt1_ypl3asE_h3pl_m3)
94 ctf([email protected]_1nsAn1ty__h3asElp3lp_m3)

  • That begins to make sense; more filtering:

┌─[[email protected]]─[~/CTF/CTFx/2016/50-lambda_λ-cryptography]
└──╼ #python lambda_λ.py | grep 'ctf([email protected]_1nsAn1ty_'
10 ctf([email protected]_1nsAn1ty__p3asEh_3lplm3)
22 ctf([email protected]_1nsAn1ty_h_3asE_l3lppm3)
34 ctf([email protected]_1nsAn1ty__h3asElp3lp_m3)
46 ctf([email protected]_1nsAn1ty_l_3asEp_3lphm3)
58 ctf([email protected]_1nsAn1ty_pl3asE_h3lp_m3)
70 ctf([email protected]_1nsAn1ty__p3asEh_3lplm3)
82 ctf([email protected]_1nsAn1ty_h_3asE_l3lppm3)
94 ctf([email protected]_1nsAn1ty__h3asElp3lp_m3)

  • Not so hard: 58 ctf([email protected]_1nsAn1ty_pl3asE_h3lp_m3).
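
Why the iteration trick works, as an added Python 3 example (not part of the original write-up or the challenge file): for a fixed input length, λ.py only moves characters to fixed positions, so it is a permutation that can be inverted in one step and whose repeated application must cycle. The function names and the sample string are assumptions made for this illustration.

```python
from math import gcd

PAD = None  # stands in for the 0x01 filler that λ.py appends to odd-length input

def scramble(seq):
    """Readable form of the lambda: pad, split in two, reverse each half, recurse."""
    seq = list(seq)
    if len(seq) <= 1:
        return seq
    if len(seq) % 2:
        seq.append(PAD)
    half = len(seq) // 2
    return scramble(seq[:half][::-1]) + scramble(seq[half:][::-1])

def encrypt(text):
    """Same result as λ.py for text without 0x01 bytes: filler is dropped at the end."""
    return "".join(c for c in scramble(text) if c is not PAD)

def permutation(n):
    """perm[k] = index of the input character that ends up at output position k."""
    return [i for i in scramble(range(n)) if i is not PAD]

def decrypt(cipher):
    """Invert in one step by putting each output character back where it came from."""
    plain = [""] * len(cipher)
    for k, src in enumerate(permutation(len(cipher))):
        plain[src] = cipher[k]
    return "".join(plain)

def order(n):
    """Number of encrypt() rounds after which any n-character text repeats."""
    perm, seen, result = permutation(n), set(), 1
    for start in range(n):
        length, i = 0, start
        while i not in seen:          # walk one cycle of the permutation
            seen.add(i)
            i = perm[i]
            length += 1
        if length:
            result = result * length // gcd(result, length)   # running lcm
    return result

if __name__ == "__main__":
    sample = "ctf(constructed_sample_flag)"   # constructed, not the challenge flag
    mixed = encrypt(sample)
    print(mixed, "->", decrypt(mixed), "| cycle length:", order(len(sample)))
```

Applying the transformation `order(n) - 1` times to a ciphertext gives the same result as `decrypt`, which is what the brute-force loop above relies on.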