
PicklySituations

Description:

Reverse

Difficulty:

easy

Flag:

Flag: AtHackCTF{w0wza_p1ckl3s_4r3_c3w1!}

Solve:

After taking a look at the code, I tried to decode it as base64 and URL-safe base64, and I found something interesting.


This was the first time I had seen the marshal module, so I googled it and found some interesting information: it contains functions that can read and write Python values in a binary format, and the format is specific to Python. Then I had the idea: we needed to decode the base64, load the marshal code using pickle, and then disassemble it. I wrote a Python script to automate this task.

```python
import base64
import pickletools

# Decode the URL-safe base64 blob taken from the challenge file.
mar = base64.urlsafe_b64decode(b'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')
# Print the pickle opcode stream; pickletools.dis only parses it and never unpickles it.
pickletools.dis(mar, annotate=30)
```


I got output containing another marshal code, so I wrote another script to load the marshal code and disassemble it:

```python
import base64
import dis
import marshal

haha = '''4wAAAAAAAAAABAAAACIAAABDAAAAc6oAAAB0AGQBgwF9AGQCZANkBGQFZAZkB2QIZAlkCmQLZANkDGQNZAtkBWQOZA1kD2QGZAdkEGQRZBJkE2QUZBVkFmQXZA1kGGQZZA9kGmQbZyJ9AWQcfQJ4SHQBdAJ8AIMBgwFEAF04fQN0A3wAfAMZAIMBdAN8AnwDdAJ8AoMBFgAZAIMBQQB8AXwDGQBrA3JidARkHYMBAQBkHlMAcWJXAHQEZB-DAQEAZCBTACkhTvoRV2hhdCBpcyB0aGUgZmxhZz_pAAAAAOk2AAAA6RoAAADpIAAAAOk7AAAA6T4AAADpEAAAAOkVAAAA6QQAAADpKQAAAOloAAAA6SIAAADpHQAAAOlwAAAA6T8AAADpcgAAAOkxAAAA6Q0AAADpdQAAAOkqAAAA6WYAAADpDAAAAOlxAAAA6SUAAADpeQAAAOkoAAAA2gdBQlJBWFVT2glJbmNvcnJlY3RG2gdDb3JyZWN0VCkF2gVpbnB1dNoFcmFuZ2XaA2xlbtoDb3Jk2gVwcmludCkE2gF42gRmbGFn2gNrZXnaAWmpAHIoAAAA-gpwaWNrbGV5LnB52gNmb28SAAAAcxIAAAAAAQgCSAIEAhIBKAEIAQgBCAE='''
nope = base64.urlsafe_b64decode(haha)
# The marshal format can change between Python versions, so load this with an
# interpreter matching the one that created it.
gotIt = marshal.loads(nope)
# Disassemble the recovered code object (it is never executed).
dis.dis(gotIt)
```

This script disassembles the code as follows:

```
             10 LOAD_CONST               3 (54)
             12 LOAD_CONST               4 (26)
             14 LOAD_CONST               5 (32)
             16 LOAD_CONST               6 (59)
             18 LOAD_CONST               7 (62)
             20 LOAD_CONST               8 (16)
             22 LOAD_CONST               9 (21)
             24 LOAD_CONST              10 (4)
             26 LOAD_CONST              11 (41)
             28 LOAD_CONST               3 (54)
             30 LOAD_CONST              12 (104)
             32 LOAD_CONST              13 (34)
             34 LOAD_CONST              11 (41)
             36 LOAD_CONST               5 (32)
             38 LOAD_CONST              14 (29)
             40 LOAD_CONST              13 (34)
             42 LOAD_CONST              15 (112)
             44 LOAD_CONST               6 (59)
             46 LOAD_CONST               7 (62)
             48 LOAD_CONST              16 (63)
             50 LOAD_CONST              17 (114)
             52 LOAD_CONST              18 (49)
             54 LOAD_CONST              19 (13)
             56 LOAD_CONST              20 (117)
             58 LOAD_CONST              21 (42)
             60 LOAD_CONST              22 (102)
             62 LOAD_CONST              23 (12)
             64 LOAD_CONST              13 (34)
             66 LOAD_CONST              24 (113)
             68 LOAD_CONST              25 (37)
             70 LOAD_CONST              15 (112)
             72 LOAD_CONST              26 (121)
             74 LOAD_CONST              27 (40)
             76 BUILD_LIST              34
             78 STORE_FAST               1 (flag)

             80 LOAD_CONST              28 ('ABRAXUS')
             82 STORE_FAST               2 (key)
```

There is a LOAD_CONST for the key, so we need to XOR the key with the LOAD_CONST values of the flag.

Again, I wrote another Python script to do this task for me :)

```python
arr = [0,54,26,32,59,62,16,21,4,41,54,104,34,41,32,29,34,112,59,62,63,114,49,13,117,42,102,12,34,113,37,112,121,40]
key = b"ABRAXUS"
flag = ""
# XOR each encoded value with the repeating key to recover the plaintext.
for i in range(len(arr)):
    flag += chr(key[i % len(key)] ^ arr[i])
print(flag)
```

And we get the flag :D
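The first step above read the pickle with pickletools instead of loading it. The same idea as a reusable triage helper, written as an added example that is not part of the original post: it lists what a pickle would import and flags embedded marshal code without unpickling anything. `triage_pickle`, `risky_imports`, `looks_like_marshalled_code`, `RISKY_MODULES` and the `Sample` pickle are names and data constructed for this illustration.

```python
import marshal
import pickle
import pickletools

# Modules that let a pickle build or run code at load time (assumed, non-exhaustive list).
RISKY_MODULES = {"marshal", "types", "builtins", "os", "posix", "nt", "subprocess"}


def triage_pickle(data):
    """Walk the opcode stream without unpickling.

    Returns (imports, payloads): each (module, name) the pickle would import
    and each raw bytes argument it carries.
    """
    imports, payloads, strings = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            imports.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: heuristic, uses the last two pushed strings
            imports.append(tuple(strings[-2:]))
        elif isinstance(arg, str):
            strings.append(arg)
        elif isinstance(arg, (bytes, bytearray)):
            payloads.append(bytes(arg))
    return imports, payloads


def risky_imports(imports):
    """Imports whose top-level module is in RISKY_MODULES."""
    return [imp for imp in imports if imp[0].split(".")[0] in RISKY_MODULES]


def looks_like_marshalled_code(blob):
    """Heuristic: marshal code objects start with type byte 'c', optionally OR-ed with 0x80."""
    return bool(blob) and blob[0] & 0x7F == ord("c")


class Sample:
    """Constructed sample that pickles to marshal.loads(<code bytes>), the shape seen above."""
    def __reduce__(self):
        code = compile("def foo():\n    return 'checked'\n", "sample.py", "exec")
        return (marshal.loads, (marshal.dumps(code),))


SAMPLE = pickle.dumps(Sample(), protocol=4)   # built here, never loaded

if __name__ == "__main__":
    found, blobs = triage_pickle(SAMPLE)
    print(risky_imports(found), [looks_like_marshalled_code(b) for b in blobs])
```

The type-byte check matches the challenge blob, whose base64 prefix `4w` decodes to `0xe3` (`'c'` with the reference flag set).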


This post is licensed under CC BY 4.0 by the author.