samueltangz
diff --git a/‎crackme/writeups/author/README.md
Lines changed: 29 additions & 0 deletions b/‎crackme/writeups/author/README.md
Lines changed: 29 additions & 0 deletions
diff --git a/‎crackme/writeups/author/img/001.PNG
19.6 KB b/‎crackme/writeups/author/img/001.PNG
19.6 KB
diff --git a/‎crackme/writeups/author/img/002.PNG
83 KB b/‎crackme/writeups/author/img/002.PNG
83 KB
diff --git a/‎crackme/writeups/author/img/003.PNG
222 KB b/‎crackme/writeups/author/img/003.PNG
222 KB
diff --git a/‎crackme/writeups/author/sol.py
Lines changed: 41 additions & 0 deletions b/‎crackme/writeups/author/sol.py
Lines changed: 41 additions & 0 deletions
diff --git a/‎dns/writeups/author/README.md
Lines changed: 22 additions & 0 deletions b/‎dns/writeups/author/README.md
Lines changed: 22 additions & 0 deletions
diff --git a/‎jpg-as-key/writeups/author/README.md
Lines changed: 66 additions & 0 deletions b/‎jpg-as-key/writeups/author/README.md
Lines changed: 66 additions & 0 deletions
diff --git a/‎keystroke/writeups/author/README.md
Lines changed: 26 additions & 0 deletions b/‎keystroke/writeups/author/README.md
Lines changed: 26 additions & 0 deletions
diff --git a/‎missing-disk/writeups/author/README.md
Lines changed: 22 additions & 0 deletions b/‎missing-disk/writeups/author/README.md
Lines changed: 22 additions & 0 deletions
diff --git a/‎ram/writeups/author/001.png
-180 KB b/‎ram/writeups/author/001.png
-180 KB
@@ -0,0 +1,29 @@
+# Crackme
+
+## Prologue 
+
+Trying to design a chal with medium level for secondary school.
+
+## Walk-through
+
+Use `dex-tool` to convert APK to jar.
+![](./img/01.PNG)
+
+Use `jd-gui` for decompiling jar, you may see the logic handling flag checking
+![](./img/02.PNG)
+
+Use `z3` to solve the SMT, or it's simple enough to do it by hand. Check out `sol.py` for z3 usage.
+![](./img/03.PNG)
+
+## Flag
+`hkcert20{ar3_y0u_us1ng_z3}`
+
+## Epilogue
+Solve: 13/84 (Secondary)
+Solve: 34/81 (Tertiary)
+
+Unlike Doom, you can really run the apk on device with Andriod 7.0+. Why are you expecting that the chals can be run on machines?
+
+## Reference
+<https://github.com/Z3Prover/z3>
+
@@ -0,0 +1,41 @@
+from z3 import *
+s=[Int('serial%d' % i) for i in range(26)]
+solver = Solver()
+
+solver.add(s[0] + s[1] - s[2] == 112)
+solver.add(s[1] + s[2] - s[3] == 105)
+solver.add(s[2] + s[3] - s[4] == 86)
+solver.add(s[3] + s[4] - s[5] == 99)
+solver.add(s[4] + s[5] - s[6] == 180)
+solver.add(s[5] + s[6] - s[7] == 118)
+solver.add(s[6] + s[7] - s[8] == -25)
+solver.add(s[7] + s[8] - s[9] == 74)
+solver.add(s[8] + s[9] - s[10] == 106)
+solver.add(s[9] + s[10] - s[11] == 160)
+solver.add(s[10] + s[11] - s[12] == 70)
+solver.add(s[11] + s[12] - s[13] == 25)
+solver.add(s[12] + s[13] - s[14] == 168)
+solver.add(s[13] + s[14] - s[15] == 52)
+solver.add(s[14] + s[15] - s[16] == 70)
+solver.add(s[15] + s[16] - s[17] == 95)
+solver.add(s[16] + s[17] - s[18] == 97)
+solver.add(s[17] + s[18] - s[19] == 183)
+solver.add(s[18] + s[19] - s[20] == 54)
+solver.add(s[19] + s[20] - s[21] == 56)
+solver.add(s[20] + s[21] - s[22] == 118)
+solver.add(s[21] + s[22] - s[23] == 76)
+solver.add(s[22] + s[23] - s[24] == 166)
+solver.add(s[23] + s[24] - s[25] == 48)
+solver.add(s[24] + s[25] - s[0] == 72)
+solver.add(s[25] + s[0] - s[1] == 122)
+
+
+print(solver.check())
+answer=solver.model()
+print(answer)
+
+tidy_answer = ""
+for each in s :
+	tidy_answer += str(chr(int(str(answer[each]))))
+
+print(tidy_answer)
@@ -0,0 +1,22 @@
+# DNS
+
+## Prologue
+
+I sorry that the trash has cost you 10 points.
+
+## Walk-through
+(Over 15 solve, omitted)
+
+## Flag
+
+`hkcert20{DNS_r3c0rd_c4n_hid3_inf0rm4ti0ns}`
+
+## Epilogue
+Solve: 20/84 (Secondary)
+Solve: 39/81 (Tertiary)
+
+Some competitors said that the tools cannot decode Chinese character, or their teammates cannot read Chinese.
+I am creating this challenge all in Chinese to arouse the attention of secondary school students, which is requested by some co-ogranisers.
+
+## Reference
+<https://en.wikipedia.org/wiki/TXT_record>
@@ -0,0 +1,66 @@
+# JPG as Key
+
+## Prologue
+Just a normal secondary school trick to hide zip with known plaintext attack.
+
+## Walk-through
+
+### File Extraction
+Extract the zip using the command below
+```console
+$ binwalk ./left_exit.jpg  --dd='.*'
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+0             0x0             JPEG image data, JFIF standard 1.01
+51405         0xC8CD          Zip archive data, encrypted at least v2.0 to extract, compressed size: 3007, uncompressed size: 3048, name: flag.png
+54450         0xD4B2          Zip archive data, encrypted at least v2.0 to extract, compressed size: 51376, uncompressed size: 51405, name: left_exit.jpg
+106054        0x19E46         End of Zip archive, footer length: 22
+```
+
+Use the command below will extract the original pic. Otherwise, use 7zip split function.
+I'm also seeing team using foremost to extract the pic but it's not necessary. Use binwalk wisely.
+```console
+$ binwalk ./left_exit.jpg -o 0 -l 51405 --dd='.*'
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+0             0x0             JPEG image data, JFIF standard 1.01
+```
+
+Rename `0` as `left_exit.jpg`, and zip it under 7zip. This move is to generate a zip matches the CRC value.
+
+### Plain-text attack
+After getting the plain text (`left_exit.jpg`), we can move on to attack stage. `pkzip` or `AZPK` should work.
+Here I've use `bkzip`:
+
+```console
+$ ./bkcrack -C ~/Desktop/C8CD -c left_exit.jpg -P ~/Desktop/plain-text/left_exit.zip -p left_exit.jpg
+Generated 4194304 Z values.
+[13:04:10] Z reduction using 51356 bytes of known plaintext
+100.0 % (51356 / 51356)
+271 values remaining.
+[13:04:19] Attack on 271 Z values at index 45903
+13.3 % (36 / 271)
+[13:04:19] Keys
+3e96cca9 6c2a40c9 7c4d40e4 
+
+$ ./bkcrack -C '/home/byronwai/Desktop/C8CD' -c flag.png -k 3e96cca9 6c2a40c9 7c4d40e4 -d ~/Desktop/deflate_flag
+Wrote deciphered text.
+
+$ ../tools/inflate.py < ~/Desktop/deflate_flag > ~/Desktop/flag.png
+```
+
+The flag is in QR code, scan and get the flag directly.
+
+## Flag
+`hkcert20{n0w_y0u_can_crack_z1p}`
+
+## Epilogue
+Solve: 11/81 (Tertiary)
+
+There exist competitor(s) saying that ["its stupid to put native file format tricks into challenges"] (https://www.youtube.com/watch?v=VVdmmN0su6E&feature=youtu.be&t=690&ab_channel=LiveOverflow).
+Yes, I admit that this chal is stupid but I expect having at least 20 solves.
+
+## Refernce
+<https://zhuanlan.zhihu.com/p/129855130>
@@ -0,0 +1,26 @@
+# DNS
+
+## Prologue
+
+This chal is a trash. I will not make this type of chal again.
+
+## Walk-through
+
+(Over 15 solve, omitted)
+
+## Flag
+
+`hkcert20{The_answer_is_8_6}`
+
+## Epilogue
+
+Solve: 16/84 (Secondary)
+Solve: 28/81 (Tertiary)
+
+Some competetors said that they forgot all the chemistry and hate this chal a lot. But it's based on a DSE physics past paper. LMGTFY.
+
+## Reference
+
+<https://usb.org/sites/default/files/hut1_2.pdf>
+<https://dsepp.com/wp-content/uploads/2018/10/2016-DSE-PHY-1B.pdf>
+<https://dsepp.com/wp-content/uploads/2018/10/2016-DSE-PHY-1-MS-1.pdf>
@@ -0,0 +1,22 @@
+# Missing Disk
+
+## Prologue
+
+(Omitted)
+
+## Walk-through
+
+(Over 15 solve, omitted)
+
+## Flag
+
+`hkcert20{w0rk_1n_t3nc3nt_f0r_t3nc3nts}`
+
+## Epilogue
+Solve: 19/81 (Tertiary)
+
+I was trying to build a complicated challenge, but there are unintended solutions making this chal much more easy than expected.
+
+## Reference
+
+(Omitted)