S01den's S01den's cube

Author:
S01den

Language:
C/C++

Upload:
2022-07-14 21:28

Download

Platform:
Unix/linux etc.

Difficulty:
4.0

Quality:
4.5

Arch:
x86-64

Downloads:
14

Size:
14.12 KB

Writeups:
2

Comments:
6

Description

Find a correct flag! This one might be pretty fun. Good luck!

Comments (6)
Writeups (2)

You must be logged in to post a comment

ezimmermann on 2022-08-02 13:13: Loving the static analysis and think I might have a flag, but it requires GLIBC_2_34 (experimental) on your system to run. Is that part of the challenge? Working on it...

S01den on 2022-08-02 22:17: Nope, no tricks with libraries!

ezimmermann on 2022-08-06 21:39: The flag that solves the crackme is any solution to the 2x2 rubik's cube listed in the executable. I submitted a well-thought-out explanation of this, including half a dozen examples of acceptable flags that got the "g00d flag" reply from the program, but these were rejected as "incorrect" by sar, so I have no idea what the flag is then... That also means that by definition, this comment is not a spoiler, since apparently I haven't solved it according to sar. You can look up the paper I posted on discord if you're struggling with this and want some insight and think you might come up with a more acceptable flag.

ezimmermann on 2022-08-07 13:24: [Click to reveal]The flag I found was "URRfRUfu" which is accepted by the program, but was rejected by sar. Since I came up with what the website owner believes is an incorrect flag, then revealing is, by definition, not a spoiler. Anyway, for anyone interested in how this crackme works, full explanation follows: S01den's cube https://crackmes.one/crackme/62d08a7a33c5d44a934e97bb Full Solution by Everleigh Zimmermann 2 August 2022 The Flag for this crackme is a solution to a 2x2 Rubik's cube, written in semi-standard Rubik's notation. I really enjoyed this crackme, because I love Rubik's cubes, and have played with the 2x2 cube. If you have done any cubing, you think more in terms of pieces rather than stickers, where a piece contains 1-3 stickers. Corner pieces have the most, with 3 stickers each, and a 2x2 cube has nothing but corners, which means it has a very high sticker-per-piece ratio of 3:1. Therefore, if you reverse the software, you'll find that the rotation code is written to deal with stickers rather than pieces, and that's why it's so long and tricky. When a side is rotated, it moves all of the stickers to their proper new places. The cube handling code appears to be correct, if not a bit wordy, preferring to do everything long form... i.e. "for a Front turn, move sticker A to B, move sticker C to D, etc." The flag itself is the solution to a particular scrambled 2x2 cube using almost standard notation. Except, instead of using tick marks to signify anti-clockwise, you just lowercase the letter instead. So three turns clockwise: URU Three turns anti-clockwise: uru The 2x2 cube to solve can be found in cleartext at file offset 0x00003048, and consists of 24 bytes: 00003040: 6f 6f 62 76 62 62 6a 42 oobvbbjB 00003050: 72 6f 72 76 6a 42 76 72 6a 42 72 76 6a 42 6f 62 rorvjBvrjBrvjBob I created the following structure from the bytes (Address remapping done by Binary Ninja) 00004048 struct cube cube = 00004048 { 00004048 struct side up = 00004048 { 00004048 char top_left = 'o' 00004049 char top_right = 'o' 0000404a char bottom_left = 'b' 0000404b char bottom_right = 'v' 0000404c } 0000404c struct side back = 0000404c { 0000404c char top_left = 'b' 0000404d char top_right = 'b' 0000404e char bottom_left = 'j' 0000404f char bottom_right = 'B' 00004050 } 00004050 struct side front = 00004050 { 00004050 char top_left = 'r' 00004051 char top_right = 'o' 00004052 char bottom_left = 'r' 00004053 char bottom_right = 'v' 00004054 } 00004054 struct side down = 00004054 { 00004054 char top_left = 'j' 00004055 char top_right = 'B' 00004056 char bottom_left = 'v' 00004057 char bottom_right = 'r' 00004058 } 00004058 struct side left = 00004058 { 00004058 char top_left = 'j' 00004059 char top_right = 'B' 0000405a char bottom_left = 'r' 0000405b char bottom_right = 'v' 0000405c } 0000405c struct side right = 0000405c { 0000405c char top_left = 'j' 0000405d char top_right = 'B' 0000405e char bottom_left = 'o' 0000405f char bottom_right = 'b' 00004060 } 00004060 } As you can see, there are 6 unique letters used, and each letter is used 4 times. Since a 2x2 cube has 6 faces of 4 stickers per face, this makes sense. You can assign any color you like to each side, I chose the following: r = Red j = Green B = Blank (White) v = Yellow o = Orange b = Blue So just fire up your favorite 2x2 Rubik's cube solver, and enter the cube. For example: https://rubiks-cube-solver.com/2x2/ Click "Edit", then click the 4 red squares, then the 4 green ones, and so on. You'll end up with something that looks like this: o-o b-v j-B r-o j-B b-b r-v r-v o-b j-B j-B v-r Then click Solve, and you get: U R2 F' R U F' U' R2 means "turn R twice" so we turn that into 2 upper OR lowercase R's (doesn't matter which) We also don't support ticks, so those become lowercase letters So we end up with: URRfRUfu Which is one of many possible "flags": user@user-pc:~/Downloads$ ./cm_rb_easy URRfRUfu [*] G00d flag! user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfu [*] G00d flag! Any letters that are not in the set [BDFLRUbdflru] are ignored and can be used for stylizing your flag. user@user-pc:~/Downloads$ ./cm_rb_easy "Using other chars is fine AREN'T YOU having fun?" [*] G00d flag! Any valid solution is a valid flag... so we can tack on some moves at the end that undo themselves using their lowercase versions. user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuFFff [*] G00d flag! And of course turning a side 4 times has no affects, so 4 letters in a row can be added anywhere. user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuFFFF [*] G00d flag! Flags can even be very long.... user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL [*] G00d flag! Up to 100 characters. Then you get told to stop by the author... user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL [!] The flag is too long... - Everleigh

ezimmermann on 2022-08-07 13:27: The previous comment had all of its indentation lost and whitespace gaps reduced to single spaces.. Keep that in mind when reading it. You can find a .zip containing the original with indentation intact by searching my name on the Discord server.

50r4 on 2023-01-18 11:00: WRITE-UP: https://s00ra.github.io/crackmes/2.html

Show all spoilers

You must be logged in to submit a writeup

Solution by misra.cxx on 2022-12-04 14:23:

Download

Solution by Lorvillian on 2023-08-11 08:51:
A subtle fix of the first solution.

Download