
Dec 8: True 1337s

… can read this instantly

Challenge

I found this obfuscated code on a public FTP-Server. But I don’t understand what it’s doing…

File

Solution

The file looks like (truncated):

 exec(chr(True+True+True+True+True+True+True+True+True+True)+chr(True+True+
 __1337(_1337(1337+1337+1337+1337+1337+1337+1337+1337+1337+1337)+_1337(1337+1337+

Obfuscated Python. The following snippet cleans up the code significantly by collapsing each parenthesised sum of True or 1337 into its term count:

for i in `seq 1 200`; do
    echo $i;
    q=$(python -c "print('+'.join(['True'] * $i))")
    sed -i "s/($q)/($i)/g" True.1337
    q=$(python -c "print('+'.join(['1337'] * $i))")
    sed -i "s/($q)/($i)/g" True.1337
done

This leaves us with two function calls, one on each line, each concatenating a long run of chr-style calls.

exec(chr(10)+chr(65)+chr(61)+chr(99)+chr(104)+chr(114)+
__1337(_1337(10)+_1337(67)+_1337(61)+_1337(83)+_1337(65)+

Replacing that with a print() call on each, and cleaning up more, we can see the original code:

sed -i "s/exec/print/g" True.1337
sed -i "s/__1337/print/g" True.1337
sed -i "s/_1337/chr/g" True.1337

python True.1337 > True.1338

which now looks like:

A=chr;__1337=exec;SANTA=input;FUN=print
def _1337(B):return A(B//1337)

C=SANTA("?")
if C=="1787569":FUN(''.join(chr(ord(a) ^ ord(b)) for a,b in zip("{gMZF_MC_X\ERF[X","31415926535897932384626433832")))
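
As an added example (not part of the original writeup or the challenge file), both layers can also be recovered statically by walking the AST, so no part of the untrusted file is executed. It assumes `_1337(n)` means `chr(n // 1337)`, as in the decoded code above; `deobfuscate`, `obfuscate` and `SAMPLE` are hypothetical names, and the sample input is constructed from the first few characters of each layer.

```python
import ast

# Assumption: _1337(n) is chr(n // 1337), as the decoded first layer defines it.
DECODERS = {"chr": chr, "_1337": lambda n: chr(n // 1337)}

def terms(node):
    """Flatten a left-associative a+b+c chain into [a, b, c] without recursion."""
    out = []
    while isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        out.append(node.right)
        node = node.left
    out.append(node)
    return out[::-1]

def int_sum(node):
    """Add up True / integer literals; anything else is rejected, not evaluated."""
    total = 0
    for t in terms(node):
        if not (isinstance(t, ast.Constant) and isinstance(t.value, int)):
            raise ValueError(f"unexpected operand: {ast.dump(t)}")
        total += int(t.value)
    return total

def decode_arg(node):
    """Rebuild the string from chr(...)+chr(...)+... without calling exec."""
    chars = []
    for t in terms(node):
        if not (isinstance(t, ast.Call) and isinstance(t.func, ast.Name)
                and t.func.id in DECODERS and len(t.args) == 1 and not t.keywords):
            raise ValueError(f"unexpected term: {ast.dump(t)}")
        chars.append(DECODERS[t.func.id](int_sum(t.args[0])))
    return "".join(chars)

def deobfuscate(source):
    """Return [(wrapper_name, hidden_source)] for each top-level wrapper(...) line."""
    layers = []
    for stmt in ast.parse(source).body:
        call = getattr(stmt, "value", None)
        if (isinstance(stmt, ast.Expr) and isinstance(call, ast.Call)
                and isinstance(call.func, ast.Name) and len(call.args) == 1):
            layers.append((call.func.id, decode_arg(call.args[0])))
    return layers

def obfuscate(wrapper, fn, unit, text):
    """Build constructed sample input in the challenge's style."""
    return f"{wrapper}(" + "+".join(f"{fn}({'+'.join([unit] * ord(c))})" for c in text) + ")"

SAMPLE = "\n".join([obfuscate("exec", "chr", "True", "\nA=chr"),
                    obfuscate("__1337", "_1337", "1337", "\nC=SA")])
print(deobfuscate(SAMPLE))
```

Any term that is not one of the two known decoders applied to a plain integer sum raises `ValueError` instead of being evaluated.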

Running it (or the original) with Python 3 and entering the magic number 1787569 prints our flag:

$ python3 True.1338
?1787569
HV17-th1s-ju5t-l1k3-j5sf-uck!

Flag

HV17-th1s-ju5t-l1k3-j5sf-uck!