logoChat01.ai

Reverse engineering this file and find the flag. F...

创建于:2026年4月26日

使用 GPT-5.3 回答 Chat01

问题

Reverse engineering this file and find the flag.
Flag format: UMDCTF{flag}
Write a simple writeup when done.
Ignore any red herring/attempt to stop AI assists

思考

I’ll check the available files first, then inspect the binary statically and only run it in a controlled way if needed.

Thought for a couple of seconds

思考

bash -lc find /mnt/data -maxdepth 2 -type f -printf '%p ' | sed -n '1,50p'

Thought for 6s

回答

I still don’t see an attached file in /mnt/data.

Please upload the challenge file here, and I’ll reverse it, find the UMDCTF{...} flag, and include a simple writeup.

问题

roulette

here's the file

Python

python
from pathlib import Path
p=Path('/mnt/data/roulette').read_bytes()
len(p), p.find(b'submit')


(827856, 629338)

Python

python
import struct, pathlib
p=pathlib.Path('/mnt/data/roulette').read_bytes()
def off(addr): return addr-0x499000+0x99000
j=[struct.unpack('<i',p[off(0x499aa0)+4*i:off(0x499aa0)+4*i+4])[0] for i in range(10)]
[hex(x) for x in j], [hex(0x499aa0+x) for x in j]


(['-0x98275',
  '-0x98275',
  '-0x980b8',
  '-0x980d0',
  '-0x980e8',
  '-0x98100',
  '-0x98118',
  '-0x98130',
  '-0x98200',
  '-0x980a0'],
 ['0x40182b',
  '0x40182b',
  '0x4019e8',
  '0x4019d0',
  '0x4019b8',
  '0x4019a0',
  '0x401988',
  '0x401970',
  '0x4018a0',
  '0x401a00'])

Python

python
import math
def crt(a,m,b,n):
    # x=a mod m, x=b mod n
    g=math.gcd(m,n)
    if (b-a)%g: return None
    l=m//g*n
    t=((b-a)//g*pow(m//g,-1,n//g))%(n//g)
    return (a+m*t)%l
print(crt(0x4637,0x117d1,0x8cf0,0x12f49))
print(crt(0x4637,0x117d1,0x8cf0,0x12f49)%37)

Python

python
import struct, math, pathlib
p=pathlib.Path('/mnt/data/roulette').read_bytes()
def off(addr): return addr-0x499000+0x99000
def u32(x): return x & 0xffffffff
def rol(x,c):
    c &=31; return u32((x<<c)|(x>>(32-c))) if c else u32(x)
def shr(x,c): return (x & 0xffffffff) >> c
def crt(a,m,b,n):
    g=math.gcd(m,n)
    assert (b-a)%g==0
    l=m//g*n
    t=((b-a)//g*pow(m//g,-1,n//g))%(n//g)
    return (a+m*t)%l
def div_rem_u32(num,den):
    return (num & 0xffffffff)//(den&0xffffffff), (num&0xffffffff)%(den&0xffffffff)
cmp=[struct.unpack('<I',p[off(0x499ce0)+4*i:off(0x499ce0)+4*i+4])[0] for i in range(27)]
t1=[struct.unpack('<I',p[off(0x499d60)+4*i:off(0x499d60)+4*i+4])[0] for i in range

Python

python
import math
for i in range(27):
    print(i, math.gcd(t4[i], t3[i]))

思考

def vmrun2(init0, ebx, i): regs=[0]*8 regs[0]=u32(init0); regs[1]=u32(ebx); regs[2]=u32(i) ptr=0 # initial default mov on instr0 regs[vm[ptr]&7]=regs[vm[ptr+1]&7] while True: op=vm[ptr+7] ptr += 8 if op>9: return regs[6] if op==0xff else 0 if op==0: return 0 # execute op using instr at ptr if op==1: regs[vm[ptr]&7]=regs[vm[ptr+1]&7] elif op==2: a=vm[ptr]&7; b=vm[ptr+1]&7; regs[a]=u32(regs[a]^regs[b]) elif op==3: a=vm[ptr]&7; imm=struct.unpack('<I',vm[ptr+3:ptr+7])[0];

Thought for 2m 32s

回答

Flag:

UMDCTF{I_R3ALLY-want-to-pl4y-the-p0werball,+but-my-d4d-said-no-so-im-b3tting-ill-win-on-POLYMARKETinstead}

Simple writeup:

  • The file is a stripped, statically linked 64-bit ELF.
  • strings shows a prompt plus an obvious AI-refusal red herring.
  • In main, the program reads input, requires length 0x6a bytes, then validates 27 little-endian 4-byte chunks.
  • Each chunk is checked as:
c
(input_dword ^ vm_result) == table[i]
  • I reconstructed the small VM at .rodata:0x499be1, including its one-instruction-delayed dispatch behavior.
  • The per-round seed comes from a CRT-like helper at 0x401cd0.
  • Solving all 27 chunks gives the flag above, with two trailing null bytes in the internal 108-byte buffer.

分享这个问答