Crypto?

Reversing | Hard

PART 0 : CHALLENGE

0.1 DESCRIPTION

Not sure but there is a hidden message. Can you get it?

0.2 GIVEN

^ISP{(?=.*4.0.*R.*G.*)(?=.*(?=\d\D{6}\d.+\d{2}\D\d.$))(?=[^}]{42}5}$)(?=.+\Dn0\D(?:.*[A-Z][2-8][A-Z]){1,}.*\D4r.[^_]+$)(?=.*u.{5}u.+ss[n0-5]+})(?=(?=[NC0-9]{3}\W).*(?=[ale].._[n-x301]{10}.{2}$))(?=[^689ABDEFH-MO-QS-Z]{43})(?=(?:[^_]+_){6}[^_]+})(?=[A-Z4]+'[b-w_0-7]+\+[l-xG_R0-5]+.$)(?=[C3P0]+4[NSA].[7of9]_.+_[um]+[abc][help](?:_[^_]{5}.*){3}})(?=.+\w\w\dw(?:_\d_).*(?=.3[r4-9_xp]{3}3\w{2}[15][40].{2}}))(?=.+\D2.[mango][rum][hooch]+\w\d.{13}\dxp[^_xp]{9})(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6}).*}$

0.3 FLAG

ISP{C4N'7_kn0w_2_much_4b0u+_R3Gul4r_3xpr3ss10n5}

PART 1 : POSITIVE LOOKAHEADS

There are 13 lookaheads that must be matched to verify the flag:

(?=.*4.0.*R.*G.*)
(?=.*(?=\d\D{6}\d.+\d{2}\D\d.$))
(?=[^}]{42}5}$)
(?=.+\Dn0\D(?:.*[A-Z][2-8][A-Z]){1,}.*\D4r.[^_]+$)
(?=.*u.{5}u.+ss[n0-5]+})
(?=(?=[NC0-9]{3}\W).*(?=[ale].._[n-x301]{10}.{2}$))
(?=[^689ABDEFH-MO-QS-Z]{43})
(?=(?:[^_]+_){6}[^_]+})
(?=[A-Z4]+'[b-w_0-7]+\+[l-xG_R0-5]+.$)
(?=[C3P0]+4[NSA].[7of9]_.+_[um]+[abc][help](?:_[^_]{5}.*){3}})
(?=.+\w\w\dw(?:_\d_).*(?=.3[r4-9_xp]{3}3\w{2}[15][40].{2}}))
(?=.+\D2.[mango][rum][hooch]+\w\d.{13}\dxp[^_xp]{9})
(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

Each and every one of them should match all the succeeding characters of ISP{ including }.

PART 2 : MESSAGE STRUCTURE

2.1 MESSAGE LENGTH

For this one, we can use the following lookahead:

(?=[^}]{42}5}$)

This simply indicates that from the substring ISP{ there are 42 characters before ending the entire message with 5}.

With that, the hidden message should look like something like this for the time being:

ISP{??????????????????????????????????????????5}

2.2 WORD COUNT

The word count could be determined from the following lookahead:

(?=(?:[^_]+_){6}[^_]+})

Expanding this expression gives us:

[^_]+_[^_]+_[^_]+_[^_]+_[^_]+_[^_]+_[^_]+}

Or simply something like this which means there are 7 "words" separated by underscores forming the flag:

<word>_<word>_<word>_<word>_<word>_<word>_<word>}

2.3 CHARACTER SET

The character set to work with when deducing the message has been quite limited by the following lookahead:

(?=[^689ABDEFH-MO-QS-Z]{43})

The hidden message is simply formed by the characters not contained within the square brackets; leaving us with 0-5, 7, a-z, C, G, N, P, and all special characters to work with.

PART 3 : THE FIRST WORD

Positive lookaheads in this scenario are only concerned with what comes after the substring ISP{ even if they are lined up consecutively. That's why each and every one can be used to verify the entire flag.

The following lookaheads give valuable insight on what the first word might be:

(?=(?=[NC0-9]{3}\W).*(?=[ale].._[n-x301]{10}.{2}$))
(?=[A-Z4]+'[b-w_0-7]+\+[l-xG_R0-5]+.$)
(?=[C3P0]+4[NSA].[7of9]_.+_[um]+[abc][help](?:_[^_]{5}.*){3}})
(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

Looking at the following lookahead, it can be determined that there are five characters before the underscore. That means the first word must consist of five characters:

(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

So that means the flag will look like this for the time being:

ISP{11111_????????????????????????????????????5}

Now, to determine what those characters actually, let's look at the other lookaheads in this section that show indication of being part of the first word (regular expressions that end with the possibility of an underscore):

[NC0-9]{3}\W
[A-Z4]+'[b-w_0-7]+
[C3P0]+4[NSA].[7of9]_

It seems to be hard to narrow down but the actual character set has been severely limited for uppercase letters and numbers. The only ones left are C, G, N, R, 0-5, and 7. So we can narrow down the options to the following:

With all that, C4N'7 or simply CAN'T is the most acceptable choice for the first word and the flag should now be something like this:

ISP{C4N'7_????????????????????????????????????5}

PART 4 : THE SEVENTH WORD

Following a similar approach to the previous section, we can take lookaheads that give understanding on what the characters or word will be:

(?=.*(?=\d\D{6}\d.+\d{2}\D\d.$))
(?=(?=[NC0-9]{3}\W).*(?=[ale].._[n-x301]{10}.{2}$))
(?=.+\w\w\dw(?:_\d_).*(?=.3[r4-9_xp]{3}3\w{2}[15][40].{2}}))

Starting with this one, we see that the last word is 11 characters long plus the closing curly brace of the flag:

(?=(?=[NC0-9]{3}\W).*(?=[ale].._[n-x301]{10}.{2}$))

The last 2 characters are 5} and the preceding characters could be anywhere in n-x, 0, 1, and 3. It could be further narrowed down with this one:

(?=.*(?=\d\D{6}\d.+\d{2}\D\d.$))

This indicates that the character before 5} is not a number since it is denoted by \D near the end and there are two numbers before it as supported by the following wherein the first and second number could be 1 or 5 and 4 or 0 respectively but due to the previous lookahead, only 0 or 1 is allowed:

(?=.+\w\w\dw(?:_\d_).*(?=.3[r4-9_xp]{3}3\w{2}[15][40].{2}}))

Now we can begin to deduce the final word:

n-x

0-1

4-5

Although it seems to be quite obvious, it could further be made easier by the following lookahead:

(?=.*u.{5}u.+ss[n0-5]+})

The 8th, 9th, 10th, and 11th characters fall within the allowed characters [n0-5]+ as well as succeeded by a } which means that the 6th and 7th characters are both the letter, s, leaving us with:

4-5

Deciding on the 2nd, 3rd, and 4th character could be further narrowed down when looking at the following lookahead with the expression, \dxp[^_xp]{9}:

(?=.+\D2.[mango][rum][hooch]+\w\d.{13}\dxp[^_xp]{9})

The mentioned expression fits well with the character options left for the 7th word having a number followed by xp then nine characters (including the closing curly brace of the flag) that is not p, x, or _:

4-5

Leaving us with the highly probable word, 3xpr3ss10n5, which is just the same as EXPRESSIONS; updating the flag:

ISP{C4N'7_?????????????????????????_3xpr3ss10n5}

PART 5 : THE SIXTH WORD

The last word has been determined and looking at the following lookaheads, it seems to be connected:

(?=.+\Dn0\D(?:.*[A-Z][2-8][A-Z]){1,}.*\D4r.[^_]+$)
(?=(?=[NC0-9]{3}\W).*(?=[ale].._[n-x301]{10}.{2}$))
(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

Starting with the following, it can be determined that the expression, .[^_]+$, is a pattern match to the previous section which means that the last 2 characters of the sixth word is 4r and is preceded by a non-numerical character:

(?=.+\Dn0\D(?:.*[A-Z][2-8][A-Z]){1,}.*\D4r.[^_]+$)

But the looking at the following, we get to see an expression before the pattern match for the seventh word -- [ale]..:

(?=(?=[NC0-9]{3}\W).*(?=[ale].._[n-x301]{10}.{2}$))

Looking at the current determined character sets for the sixth word:

Most of which could be seen in the expression, [l4ser]{3,6}, in the following lookahead:

(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

This must be the actual pattern match for the sixth word and going with the minimum of 7 characters:

The sixth word is highly probable to be R3Gul4r which is just the same as REGULAR and it makes quite a lot of sense when looking at the currently decoded hidden message:

ISP{C4N'7_?????????????????_R3Gul4r_3xpr3ss10n5}

PART 6 : THE FOURTH WORD

Determining this word is fairly easy by looking at the following lookaheads:

(?=[C3P0]+4[NSA].[7of9]_.+_[um]+[abc][help](?:_[^_]{5}.*){3}})
(?=.+\D2.[mango][rum][hooch]+\w\d.{13}\dxp[^_xp]{9})

But before moving forward, we can see that the 5th, 6th, and 7th word should have at least 5 characters based on the expression, (_[^_]{5}.*){3}}:

(?=[C3P0]+4[NSA].[7of9]_.+_[um]+[abc][help](?:_[^_]{5}.*){3}})

And with the expressions, _[um]+[abc][help] and .[mango][rum][hooch]+ , it can be inferred that the fourth word is only around four characters. Supported by the fact that the stated allowed characters seems to have a lot of similarities and that the succeeding words should have more characters.

Now, mapping potential characters for a four letter word:

With this, the fourth word should be much.

PART 7 : THE FIFTH WORD

Looking at the following lookahead, it could be determined that the fifth word ends with the character +:

(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

The following could also be used to determine the length of the fifth word:

(?=.+\D2.[mango][rum][hooch]+\w\d.{13}\dxp[^_xp]{9})

So far it's been known that the fourth word is much and the hidden message decoded so far is:

ISP{C4N'7_?????????????????_R3Gul4r_3xpr3ss10n5}

And based on the expression, \w\d.{13}\dxp, from the previously mentioned lookahead, it should look liek the following:

_<number>???+_R3Gul4r_3xp

Meaning that the 5th word is five characters long and its character set could be narrowed down with the following:

(?=[A-Z4]+'[b-w_0-7]+\+[l-xG_R0-5]+.$)
(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

And all characters except one should be within b-w, 0-5, and 7 based on the following. The last character of which should be +:

(?=[A-Z4]+'[b-w_0-7]+\+[l-xG_R0-5]+.$)

If we treat the expression, \db\d.++, as part of the fifth word supported by the fact the the first character of the word is a number, we are left with the following options:

0-5

b-w

0-5

There should be already a few probable candidates for the fifth word but to further narrow down the options, the following lookahead could be used:

(?=.*u.{5}u.+ss[n0-5]+})

Two words has already been determined to have the letter, u -- much and R3Gul4r. Knowing that they are the 4th and 6th words respectively and the fact that the 5th word has been determined to be five characters long, the expression, u.{5}u, will not stand. Therefore, the hidden message should have something like this:

u+_R3Gu

Leaving us with the following options:

0-5

Using the the following lookahead, the definite word could be revealed:

(?=.*4.0.*R.*G.*)

The first and third characters of the 5th word could now be reduced to just 4 and 0 respectively and should now just be 4b0u+ or simply, ABOUT. Combining with the 4th word, the hidden message should now look like this:

ISP{C4N'7_??????_much_4b0u+_R3Gul4r_3xpr3ss10n5}

PART 8 : THE SECOND WORD

There are only six unknown characters left; one of which is an _ that separates the second and third word. There are also only a few lookaheads that haven't been relevant and maybe could now be used like the following:

(?=.+\Dn0\D(?:.*[A-Z][2-8][A-Z]){1,}.*\D4r.[^_]+$)
(?=[A-Z4]+'[b-w_0-7]+\+[l-xG_R0-5]+.$)
(?=.+\w\w\dw(?:_\d_).*(?=.3[r4-9_xp]{3}3\w{2}[15][40].{2}}))

Looking at the expression, \w\w\dw(?:_\d_), from the following lookahead:

(?=.+\w\w\dw(?:_\d_).*(?=.3[r4-9_xp]{3}3\w{2}[15][40].{2}}))

There seems to be a four character word ending with a w followed by a word with a single numerical character. This seems to be the second and third words respectively. Focusing on the second word, the options are still quite broad but looking at the expression, \Dn0\D, there still hasn't been a match from the following lookahead:

(?=.+\Dn0\D(?:.*[A-Z][2-8][A-Z]){1,}.*\D4r.[^_]+$)

The options left should now be something like this:

b-w

0-5

But still this could be reduced by the expression, [ak47], which is the character that immediately comes after the first word from the following lookahead:

(?=.{5}_[ak47].*\db\d.+\+_[D-Z3]{3}[BuMP69][l4ser]{3,6})

Meaning that the options should now just be:

The second word should know be fairly obvious to be kn0w or simply just KNOW leaving us with the current decoded message:

ISP{C4N'7_kn0w_?_much_4b0u+_R3Gul4r_3xpr3ss10n5}

PART 9 : THE THIRD WORD

The lookahead that will be relevant for this final step will be the one having the expression, \D2.:

(?=.+\D2.[mango][rum][hooch]+\w\d.{13}\dxp[^_xp]{9})

The expression identified could be interpreted as the following; moreover, it comes before the pattern match for the 4th word making it the ideal solution:

_2_

Now, the entire hidden message has been recovered:

ISP{C4N'7_kn0w_2_much_4b0u+_R3Gul4r_3xpr3ss10n5}

PreviousInfoSec Philippines NextROOTCON

Last updated 4 years ago