# Reverse

## FSMir

We managed to intercept description of some kind of a security module, but our intern does not know this language. Hopefully you know how to approach this problem.

We get a file fsmir.sv.

In the file, we get these contents. It is written in SystemVerilog. It starts at c = 8'b0, and ends when c = 8'd59. We notice that everytime a case is done, c will increase 1. di should be our flag.

I write a script in python to collect di.

 1 2 3 4 5 6  data = {"0b1001": "0b1110000", "0b101001": "0b1010000", "0b11100": "0b1101000", "0b1010": "0b1111001", "0b1100": "0b1101001", "0b110000": "0b1011001", "0b111001": "0b110", "0b11000": "0b1000111", "0b11110": "0b1011101", "0b10": "0b1110001", "0b10100": "0b1110011", "0b101011": "0b1000101", "0b10000": "0b1100010", "0b101010": "0b1110101", "0b100111": "0b1001001", "0b10111": "0b1100100", "0b11": "0b1110111", "0b1111": "0b1101010", "0b101101": "0b1011001", "0b101000": "0b1001011", "0b101": "0b1010001", "0b110110": "0b1010001", "0b1110": "0b1011000", "0b100010": "0b1010110", "0b100101": "0b1000011", "0b100": "0b1000111", "0b10010": "0b1111110", "0b1101": "0b1100000", "0b110001": "0b1011110", "0b110101": "0b1011100", "0b110011": "0b1101100", "0b101111": "0b1011011", "0b1": "0b1110100", "0b11001": "0b1110011", "0b100000": "0b1010111", "0b100011": "0b1001011", "0b100100": "0b1111011", "0b110111": "0b1011111", "0b100001": "0b1001000", "0b11101": "0b1000010", "0b110": "0b1000000", "0b1000": "0b1011011", "0b110010": "0b1011100", "0b10011": "0b1111100", "0b100110": "0b1000111", "0b111010": "0b1000111", "0b10001": "0b1111000", "0b10101": "0b1001010", "0b0": "0b1101010", "0b111000": "0b1001100", "0b110100": "0b1000110", "0b1011": "0b1111111", "0b11011": "0b1101000", "0b11111": "0b1000000", "0b101110": "0b1001111", "0b10110": "0b1111111", "0b11010": "0b1101111", "0b111": "0b1111100", "0b101100": "0b1000011"} flag = "" for i in range(59): flag += chr(int(data[bin(i)], 2) ^ i) print(flag) 

And we can get the flag justCTF{SystemVerilog_is_just_C_with_fancy_notation_right?}.

## FSMir2

We intercepted yet another security module, this time our intern fainted from just looking at the source code, but it’s a piece of cake for a hacker like yourself, right?

We get a file fsmir2.sv.

In the file, we get these contents. It is written in SystemVerilog. It starts at c = 9'b0, and ends when c = 9'b101001101. There are two cases, the first one takes c as input, and the second one takes di as input.

Character j is 0b1101010 in binary. When c is 9'b0, there is a line 8'b1101010: c <= 9'b111110010;, and c = 9'b111110010 is the next case after c = 9'b0. We need to find the right di so that c can equals to the next case. When c = 9'b101001101, it finishes.

I write a script in python to collect di

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24  f = open("fsmir2.sv", "r") lines = f.readlines() stop = "9\'b101001101" tmp = [] flag = "" for l in lines[15:]: if 'case(' in l: l = l.strip('\t').split(' ') if len(tmp) != 0: for i in tmp: if l[0] == i.split(' ')[3][:-2]: flag += chr(int("0" + i.split(' ')[0][2:-1], 2)) break del tmp[:] if l[0] == stop: break elif '<=' in l: l = l.strip('\t') tmp.append(l) print(flag) 

And we can get the flag justCTF{I_h0p3_y0u_us3d_v3r1L4t0r_0r_sth...}.

# MISC, PPC

## Dominoes

I found a very old set of dominoes: puzzles.txt
The hidden inscription scrapped on the box says:
The truth split into the pieces is the key.
But remember, there is only one true truth!

I suspect the key to be a semantically correct and meaningful sentence consisted of lowercase english words only. Can you help me uncover the key?
The flag is the recovered sentence wrapped into justCTF{} format.

We get a file puzzles.txt.

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84  ou_ _pl _th ind gre y_m _my sol _gr all olv _wa ll_ as_ in_ sha at_ e_t ike d_t e_p ubt you zle ke_ zzl oub aye u_s _yo _mi l_s gle nd_ _do lay eat _no bt_ e_y uzz t_g the r_l no_ the _in at_ n_m _th dou t_i her hat ngl er_ ere rea e_d lik le_ puz yer was ing o_s e_w hal _pu _sh s_n pla sin my_ re_ _so lve tha _li min t_p ve_ he_ _si 

I solve it by hand. E.g. there is zzl. I thought it is the word puzzle, and I find segments _pu, puz, uzz, zzl, zle in the file to create puzzle. There is olv, and I find segments l_s, _so, sol, olv, lve, ve_ to create solve.

At last, we can get the string there_was_no_single_doubt_in_my_mind_that_great_player_like_you _shall_solve_the_puzzle.