Reverse

FSMir

We managed to intercept description of some kind of a security module, but our intern does not know this language. Hopefully you know how to approach this problem.

We get a file fsmir.sv.

The file is written in SystemVerilog. It starts at c = 8'b0 and ends when c = 8'd59. We notice that every time a case is done, c increases by 1. di should be our flag.

I wrote a script in Python to collect di.

data = {"0b1001": "0b1110000", "0b101001": "0b1010000", "0b11100": "0b1101000", "0b1010": "0b1111001", "0b1100": "0b1101001", "0b110000": "0b1011001", "0b111001": "0b110", "0b11000": "0b1000111", "0b11110": "0b1011101", "0b10": "0b1110001", "0b10100": "0b1110011", "0b101011": "0b1000101", "0b10000": "0b1100010", "0b101010": "0b1110101", "0b100111": "0b1001001", "0b10111": "0b1100100", "0b11": "0b1110111", "0b1111": "0b1101010", "0b101101": "0b1011001", "0b101000": "0b1001011", "0b101": "0b1010001", "0b110110": "0b1010001", "0b1110": "0b1011000", "0b100010": "0b1010110", "0b100101": "0b1000011", "0b100": "0b1000111", "0b10010": "0b1111110", "0b1101": "0b1100000", "0b110001": "0b1011110", "0b110101": "0b1011100", "0b110011": "0b1101100", "0b101111": "0b1011011", "0b1": "0b1110100", "0b11001": "0b1110011", "0b100000": "0b1010111", "0b100011": "0b1001011", "0b100100": "0b1111011", "0b110111": "0b1011111", "0b100001": "0b1001000", "0b11101": "0b1000010", "0b110": "0b1000000", "0b1000": "0b1011011", "0b110010": "0b1011100", "0b10011": "0b1111100", "0b100110": "0b1000111", "0b111010": "0b1000111", "0b10001": "0b1111000", "0b10101": "0b1001010", "0b0": "0b1101010", "0b111000": "0b1001100", "0b110100": "0b1000110", "0b1011": "0b1111111", "0b11011": "0b1101000", "0b11111": "0b1000000", "0b101110": "0b1001111", "0b10110": "0b1111111", "0b11010": "0b1101111", "0b111": "0b1111100", "0b101100": "0b1000011"}

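# Walk the states c = 0..58 in order; XOR each stored value with its state index to get the character.
flag = ""
for i in range(59):
	flag += chr(int(data[bin(i)], 2) ^ i)
print(flag)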

And we can get the flag justCTF{SystemVerilog_is_just_C_with_fancy_notation_right?}.


FSMir2

We intercepted yet another security module, this time our intern fainted from just looking at the source code, but it’s a piece of cake for a hacker like yourself, right?

We get a file fsmir2.sv.

The file is written in SystemVerilog. It starts at c = 9'b0 and ends when c = 9'b101001101. There are two case statements: the first takes c as input and the second takes di as input.

The character j is 0b1101010 in binary. When c is 9'b0, there is a line 8'b1101010: c <= 9'b111110010;, and c = 9'b111110010 is the next case after c = 9'b0. We need to find the right di so that c equals the next case. When c = 9'b101001101, it finishes.

I wrote a script in Python to collect di.

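# Read the whole module description.
with open("fsmir2.sv", "r") as f:
	lines = f.readlines()

stop = "9'b101001101"  # final state

tmp = []   # transition lines (di value: c <= next state) of the current case block
flag = ""

# Skip the first 15 lines of the file.
for l in lines[15:]:
	if 'case(' in l:
		# Start of the next state's block: l[0] is that state's value.
		l = l.strip('\t').split(' ')
		if len(tmp) != 0:
			# Pick the transition of the previous block that leads to this state;
			# its di value is the next flag character.
			for i in tmp:
				if l[0] == i.split(' ')[3][:-2]:
					flag += chr(int("0" + i.split(' ')[0][2:-1], 2))
					break
			del tmp[:]
		if l[0] == stop:
			break
	elif '<=' in l:
		l = l.strip('\t')
		tmp.append(l)

print(flag)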

And we can get the flag justCTF{I_h0p3_y0u_us3d_v3r1L4t0r_0r_sth...}.


MISC, PPC

Dominoes

I found a very old set of dominoes: puzzles.txt
The hidden inscription scrapped on the box says:
The truth split into the pieces is the key.
But remember, there is only one true truth!

I suspect the key to be a semantically correct and meaningful sentence consisted of lowercase english words only. Can you help me uncover the key?
The flag is the recovered sentence wrapped into justCTF{} format.

We get a file puzzles.txt.

ou_
_pl
_th
ind
gre
y_m
_my
sol
_gr
all
olv
_wa
ll_
as_
in_
sha
at_
e_t
ike
d_t
e_p
ubt
you
zle
ke_
zzl
oub
aye
u_s
_yo
_mi
l_s
gle
nd_
_do
lay
eat
_no
bt_
e_y
uzz
t_g
the
r_l
no_
the
_in
at_
n_m
_th
dou
t_i
her
hat
ngl
er_
ere
rea
e_d
lik
le_
puz
yer
was
ing
o_s
e_w
hal
_pu
_sh
s_n
pla
sin
my_
re_
_so
lve
tha
_li
min
t_p
ve_
he_
_si

I solved it by hand. For example, there is zzl. I thought it was part of the word puzzle, and I found the segments _pu, puz, uzz, zzl, zle in the file to create puzzle. There is olv, and I found the segments l_s, _so, sol, olv, lve, ve_ to create solve.

At last, we can get the string there_was_no_single_doubt_in_my_mind_that_great_player_like_you_shall_solve_the_puzzle.
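
The hand assembly above amounts to finding a chain that uses every three-letter piece once, with neighbouring pieces overlapping by two characters. The following Python is an added example, not part of the original write-up: it derives where any such chain must start and end, builds one valid chain with Hierholzer's algorithm, and checks a candidate sentence against the pieces. The function names are my own.

```python
from collections import Counter, defaultdict

# The 84 pieces from puzzles.txt as listed above (their order is irrelevant).
PIECES = """ou_ _pl _th ind gre y_m _my sol _gr all olv _wa ll_ as_ in_ sha at_ e_t
ike d_t e_p ubt you zle ke_ zzl oub aye u_s _yo _mi l_s gle nd_ _do lay eat _no
bt_ e_y uzz t_g the r_l no_ the _in at_ n_m _th dou t_i her hat ngl er_ ere rea
e_d lik le_ puz yer was ing o_s e_w hal _pu _sh s_n pla sin my_ re_ _so lve tha
_li min t_p ve_ he_ _si""".split()

def endpoints(pieces):
    """Return the (start, end) 2-char nodes given by the degree imbalance of the overlap graph."""
    bal = Counter()
    for p in pieces:
        bal[p[:2]] += 1   # each piece is an edge leaving its first two characters
        bal[p[1:]] -= 1   # and entering its last two characters
    starts = [n for n, b in bal.items() if b == 1]
    ends = [n for n, b in bal.items() if b == -1]
    if len(starts) != 1 or len(ends) != 1 or any(abs(b) > 1 for b in bal.values()):
        raise ValueError("pieces cannot form one open chain")
    return starts[0], ends[0]

def one_chain(pieces):
    """Hierholzer's algorithm: some chain using every piece once (not necessarily the sentence)."""
    out = defaultdict(list)
    for p in sorted(pieces, reverse=True):
        out[p[:2]].append(p[1:])
    stack, path = [endpoints(pieces)[0]], []
    while stack:
        node = stack[-1]
        if out[node]:
            stack.append(out[node].pop())   # follow an unused piece
        else:
            path.append(stack.pop())        # dead end: node is fixed in the path
    path.reverse()
    return path[0] + "".join(n[1] for n in path[1:])

def uses_all_pieces(candidate, pieces):
    """True when the candidate's sliding 3-char windows are exactly the given pieces."""
    windows = Counter(candidate[i:i + 3] for i in range(len(candidate) - 2))
    return windows == Counter(pieces)

if __name__ == "__main__":
    print(endpoints(PIECES))
    print(one_chain(PIECES))
```

Many different chains consume all the pieces, which is why the challenge asks for the one meaningful sentence; `uses_all_pieces` confirms that a sentence assembled by hand leaves no piece unused or reused.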