✨ 크립토 공짜 다운로드 ✨

TL;DR The Binary prints Flag: , then enforces a 30s input timeout and a strict length check of 37 bytes.

The real verifier is JIT-generated x86-64 code (Xbyak) called via call [rsp+0xc8]

JIT checks a 37 byte input against a 37*uint32_t table at VA 0x21EDA0 using a rolling 32bit state and 4byte key 42 19 66 99.

Analysis

Binary

1. Validate the process filename via /proc/self/exe (anti-rename gate).
2. Compute a runtime seed from several environment probes.
3. Print Flag: , enforce a timeout, read a string, require length 37.
4. Build an executable JIT function and call it as f(input_ptr, len, table_ptr).
5. Print Correct! if the JIT returns 1, else Wrong.

Filename gate (“Bad filename”)

sub_251F10:

• Reads /proc/self/exe into a buffer.
• Takes the basename (searches for ’/’ and uses the tail).
• Computes a CRC32-like value over that basename using polynomial 0xEDB88320.
• Compares the result against 0xC50018F7.

The important detail: the code initializes the CRC accumulator as 0xFFFFFFFF and does not XOR with 0xFFFFFFFF at the end. That means the computed value is the bitwise complement of the standard CRC32 output

$v$ = $CRC32_{init}$ =0xffffffff, xorout=0(s) = ~crc32(s)

For s = "crown_flash"

• crc32(“crown_flash”)=0x3affe708
• ~0x3affe708 = 0xc50018f7

Anti-debugging via IFUNC ptrace

There is an IFUNC resolver (ifunc_2450F0)

• ptrace(PTRACE_TRACEME, 0, 0, 0) via syscall
• Writes a global dword_381810
  • 0 if ptrace succeeds
  • 0xDEAD if ptrace fails

Later, the program computes a value that will be passed into the JIT generator, and it explicitly forces/clears the sign bit depending on this anti-debug state. The net effect

• Normal: sign bit cleared, JIT uses a simple check
• Debugging detected: sign bit set, JIT adds an extra per-index perturbation, making the verification mismatch unless

Prompt, timeout, and length check

Inside the main check function (the large sub_24EE10 region):

1. Prints Flag: .
2. Uses poll() with timeout = 0x7530 = 30000 milliseconds.
   • If timeout occurs, prints Too slow!.
3. Reads input into a std::string and checks:
   • len == 0x25 (37 bytes), else prints Wrong.

Only then it runs the JIT verifier.

IDA shows a global string: ourhardworkbythesewordsguardedpleasedontsteal

This is referenced from inside the big function (sub_24EE10), where it is used to construct a std::string object (via a routine that matches std::basic_string::_S_construct-style behavior).

It is not the flag and it is not used as the flag input. It appears to be:

• a flavor string / easter egg,
• and/or a value used during internal setup (allocator / exception / JIT scaffolding), but it is not part of the final byte-by-byte verifier that decides Correct!.

Locating the real verifier (JIT call site)

After the input passes length checks, the code does:

• Build a callable at runtime.
• Then calls it via an indirect call:
  • call qword ptr [rsp + 0xc8]

Right before this call, registers are set up as:

• rdi = input_ptr
• rsi = input_len (must be 37)
• rdx = 0x21EDA0 (pointer to a 37 * uint32_t table)

The JIT returns eax, and the program checks:

• return value == 1: Correct!

• else: Wrong

• Then reconstructing the JIT algorithm

1
static inline uint32_t rol32(uint32_t x, int r) {
2
    return (x << r) | (x >> (32 - r));
3
}
4
int verify(const uint8_t *in, size_t n, const uint32_t *T) {
5
    if (n != 0x25) return 0;
6
    const uint8_t key[4] = { 0x42, 0x19, 0x66, 0x99 };
7
    uint32_t acc = 0x72616e64; // 'dnar'
8

9
    for (uint32_t i = 0; i < 0x25; i++) {
10
        uint32_t x = (uint8_t)(in[i] ^ key[i & 3]);
11
        x = x + i * 0x9e3779b9;
12
        acc = acc + x;
13
        acc = acc * 0x045d9f3b;
14
        acc = acc + rol32(acc, 7);
15
        uint32_t mixed  = acc ^ (acc >> 16);
16
        uint32_t rconst = (i + 1) * 0x7ed55d16 + 0xc761c23c;
17

18
    if (mixed != (T[i] ^ rconst)) return 0;
19
    }
20
    return 1;
21
}

Recurrence with $2^{32}$ wraparound

• $a_0$ = 0x72616e64
• $x_i=(b_i \oplus k_i mod 4)+i * 0x9e3779b9 (mod 2^{32})$
• $a_i+1=((a_i+x_i) * 0x045d9f3b + rol32((a_i+x_i) 0x045d9f3b7, 7) mod 2^{32})$
• $m_i=a_i+1(a_i+116)$
• $r_i=(i+1) * 0x7ed55d16 + 0xc761c23c (mod 2^{32})$
• $m_i=T_i \oplus r_i$

If the sign bit is set $m_i = m_i + ((i * 0x632be5c9) \oplus seed)$ Normal execution, the code forces the sign bit clear, so this branch is skipped

Exploit

1. Compute the target $t_i=T_i \oplus ri$
2. Try all 256 bytes $( b_i {0, .. , 255} )$, simulate one step, compute mixed
3. The byte that makes mixed == $t_i$ is the correct $b_i$
4. Commit the new acc and move to the next index.

This is only 37256 iterations, i.e. trivial

1
FLAG_LEN = 0x25
2
TABLE_VA = 0x21EDA0
3
KEY = bytes([0x42, 0x19, 0x66, 0x99])
4
ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")
5
ELF64_PHDR = struct.Struct("<IIQQQQQQ")
6
PT_LOAD = 1
7

8
def rol32(x, r):
9
    x &= 0xffffffff
10
    return ((x << r) | (x >> (32 - r))) & 0xffffffff
11

12
def va_to_off(f, va):
13
    f.seek(0)
14
    eh = ELF64_EHDR.unpack(f.read(ELF64_EHDR.size))
15
    e_phoff = eh[5]
16
    e_phentsize = eh[9]
17
    e_phnum = eh[10]
18
    f.seek(e_phoff)
19
    for _ in range(e_phnum):
20
        ph = ELF64_PHDR.unpack(f.read(e_phentsize))
21
        p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align = ph
22
        if p_type != PT_LOAD:
23
            continue
24
        if p_vaddr <= va < p_vaddr + p_memsz:
25
            return p_offset + (va - p_vaddr)
26
    raise ValueError("VA not in any PT_LOAD segment")
27

28
def main():
29
    with open("crown_flash", "rb") as f:
30
        off = va_to_off(f, TABLE_VA)
31
        f.seek(off)
32
        raw = f.read(FLAG_LEN * 4)
33
    T = list(struct.unpack("<" + "I" * FLAG_LEN, raw))
34
    acc = 0x72616e64
35
    out = bytearray()
36
    for i in range(FLAG_LEN):
37
        r14 = (((i + 1) * 0x7ed55d16) + 0xc761c23c) & 0xffffffff
38
        target = (T[i] ^ r14) & 0xffffffff
39
        found = None
40
        for b in range(256):
41
            x = (b ^ KEY[i & 3]) & 0xff
42
            x = (x + ((i * 0x9e3779b9) & 0xffffffff)) & 0xffffffff
43
            acc2 = (acc + x) & 0xffffffff
44
            acc2 = (acc2 * 0x045d9f3b) & 0xffffffff
45
            acc2 = (acc2 + rol32(acc2, 7)) & 0xffffffff
46
            mixed = (acc2 ^ (acc2 >> 16)) & 0xffffffff
47
            if mixed == target:
48
                found = b
49
                acc = acc2
50
                break
51
        if found is None:
52
            raise RuntimeError(f"no solution at i={i}")
53
        out.append(found)
54
    print(out.decode())
55

56
if __name__ == "__main__":
57
    main()