{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-angstromctf-2021-en","result":{"data":{"markdownRemark":{"id":"31257fd5-d087-5f01-8298-dc36c4d0ae0f","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-angstromctf-2021\">original page</a>.</p>\n</blockquote>\n<p>I participated in ångstromCTF 2021.\nI joined with the goal of clearing all of the Reversing challenges again this time, but unfortunately I could solve only 3 of the 11 problems…</p>\n<p>This time, among the problems I somehow managed to solve, I’m writing a writeup for <code class=\"language-text\">Infinity Gauntlet</code>, which taught me especially a lot.</p>\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to encourage actions that violate public order.</strong></p>\n<p>Please note in advance that attempting attacks against environments you do not own or are not authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (Unauthorized Access Prohibition Act).</p>\n<p>Also, all opinions expressed here are my own and do not represent any organization I belong to.</p>\n<h3 id=\"about-the-ctf-writeup-series\" style=\"position:relative;\"><a href=\"#about-the-ctf-writeup-series\" aria-label=\"about the ctf writeup series permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About the CTF Writeup Series</h3>\n<p>I’m writing this series partly for my own study, and I’ll try to explain CTF challenges carefully enough that even beginners can follow along.</p>\n<p>To be honest, I think CTFs are a pretty difficult genre for someone to jump into cold.\nWhen I first entered a competition, I couldn’t solve a single problem, and even after reading writeups by veteran CTF players, I still understood nothing.</p>\n<p>So in this series, as part of my own learning, I aim to explain the steps to obtaining the flag as clearly and carefully as possible.</p>\n<p>At the same time, I’m still relatively new to CTFs myself, so if you notice any mistakes, I’d really appreciate it if you pointed them out.</p>\n<h2 id=\"challenge-overview\" style=\"position:relative;\"><a href=\"#challenge-overview\" aria-label=\"challenge overview permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Challenge Overview</h2>\n<blockquote>\n<p>All clam needs to do is snap and finite will turn into infinit…</p>\n<p><a href=\"https://2021.%C3%A5ngstromctf.com/challenges\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">https://2021.ångstromctf.com/challenges</a></p>\n</blockquote>\n<p>I don’t really understand what the prompt means, but when you run the downloaded executable, it displays the following challenge text and asks for input.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$./infinity_gauntlet \n\nWelcome to the infinity gauntlet<span class=\"token operator\">!</span>\nIf you complete the gauntlet, you'll get the flag<span class=\"token operator\">!</span>\n<span class=\"token operator\">==</span><span class=\"token operator\">=</span> ROUND <span class=\"token number\">1</span> <span class=\"token operator\">==</span><span class=\"token operator\">=</span>\nbar<span class=\"token punctuation\">(</span>?, <span class=\"token number\">108</span>, <span class=\"token number\">377</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">102484</span>\n<span class=\"token number\">100</span>\nWrong<span class=\"token operator\">!</span></code></pre></div>\n<p>There are seven possible patterns for the questions it asks.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">// foo <span class=\"token keyword\">function</span>\nfoo<span class=\"token punctuation\">(</span>?, %u<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> %u\nfoo<span class=\"token punctuation\">(</span>%u, ?<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> %u\nfoo<span class=\"token punctuation\">(</span>%u, %u<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> ?\n\n// bar <span class=\"token keyword\">function</span>\nbar<span class=\"token punctuation\">(</span>?, %u, %u<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> %u\nbar<span class=\"token punctuation\">(</span>%u, ?, %u<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> %u\nbar<span class=\"token punctuation\">(</span>%u, %u, ?<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> %u\nbar<span class=\"token punctuation\">(</span>%u, %u, %u<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> ?</code></pre></div>\n<p>When you answer one of these correctly, the ROUND value is updated and the next question is displayed.</p>\n<h2 id=\"what-i-learned-this-time\" style=\"position:relative;\"><a href=\"#what-i-learned-this-time\" aria-label=\"what i learned this time permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>What I Learned This Time</h2>\n<ol>\n<li>How to automate the execution of an interactive program with Python</li>\n<li>How to read a little assembly</li>\n</ol>\n<h2 id=\"solution\" style=\"position:relative;\"><a href=\"#solution\" aria-label=\"solution permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solution</h2>\n<p>I’ll describe the overall solution first.\nI especially struggled with step 3, obtaining the FLAG.</p>\n<ol>\n<li>Statically analyze the provided executable to understand where the FLAG string is stored and how it is stored</li>\n<li>Use GDB to understand the details of the <code class=\"language-text\">foo</code> and <code class=\"language-text\">bar</code> functions</li>\n<li>Statically analyze the provided executable to understand how to obtain the FLAG</li>\n<li>Write a solver that automates answering the questions and retrieving the FLAG</li>\n</ol>\n<h2 id=\"1-understand-where-the-flag-string-is-stored-and-how-it-is-stored\" style=\"position:relative;\"><a href=\"#1-understand-where-the-flag-string-is-stored-and-how-it-is-stored\" aria-label=\"1 understand where the flag string is stored and how it is stored permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>1. Understand where the FLAG string is stored and how it is stored</h2>\n<p>First, if you try to run the provided executable locally, you get the following error.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$./infinity_gauntlet \nCouldn't <span class=\"token function\">find</span> a flag file.</code></pre></div>\n<p>If you decompile it in Ghidra, you can see that it reads <code class=\"language-text\">flag.txt</code> from the same directory at runtime.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">local_40 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n__stream <span class=\"token operator\">=</span> <span class=\"token function\">fopen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.txt\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token comment\">// If reading flag.txt fails</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>__stream <span class=\"token operator\">==</span> <span class=\"token punctuation\">(</span>FILE <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Couldn\\'t find a flag file.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar6 <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>When reading <code class=\"language-text\">flag.txt</code> succeeds, it seems to execute the following processing.\n<em>I renamed the variables arbitrarily.</em></p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">__s <span class=\"token operator\">=</span> FLAG<span class=\"token punctuation\">;</span>\n<span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>__s<span class=\"token punctuation\">,</span><span class=\"token number\">0x100</span><span class=\"token punctuation\">,</span>__stream<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">fclose</span><span class=\"token punctuation\">(</span>__stream<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nsVar4 <span class=\"token operator\">=</span> <span class=\"token function\">strcspn</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>__s<span class=\"token punctuation\">,</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\niVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>sVar4<span class=\"token punctuation\">;</span>\nFLAG<span class=\"token punctuation\">[</span>iVar1<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  bVar7 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token operator\">*</span>__s <span class=\"token operator\">=</span> <span class=\"token operator\">*</span>__s <span class=\"token operator\">^</span> bVar7<span class=\"token punctuation\">;</span>\n    bVar7 <span class=\"token operator\">=</span> bVar7 <span class=\"token operator\">+</span> <span class=\"token number\">0x11</span><span class=\"token punctuation\">;</span>\n    __s <span class=\"token operator\">=</span> __s <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>bVar7 <span class=\"token operator\">!=</span> <span class=\"token punctuation\">(</span>byte<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token punctuation\">)</span>sVar4 <span class=\"token operator\">*</span> <span class=\"token char\">'\\x11'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n  <span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>As you can tell from the decompiled code, it appears to do the following.</p>\n<ol>\n<li>Take the string obtained from <code class=\"language-text\">flag.txt</code> one character at a time</li>\n<li>Compute <code class=\"language-text\">flag character XOR (0x11 * zero-based character index)</code></li>\n<li>Store the result in the buffer where the encrypted flag is kept</li>\n</ol>\n<p>The address of this storage location will show up again later, so it’s worth remembering.\nI think it’s helpful to give it a label name in Ghidra.</p>\n<h2 id=\"2-understand-the-details-of-the-foo-and-bar-functions\" style=\"position:relative;\"><a href=\"#2-understand-the-details-of-the-foo-and-bar-functions\" aria-label=\"2 understand the details of the foo and bar functions permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>2. Understand the details of the <code class=\"language-text\">foo</code> and <code class=\"language-text\">bar</code> functions</h2>\n<p>Next, to solve the questions it asks, we need to understand their nature.\nI’m calling them functions for convenience, but the logic itself was written inside <code class=\"language-text\">main()</code>.</p>\n<p>Tracing both of them directly from the assembly source is a lot of work, so I analyzed them with GDB.</p>\n<p>From the disassembly results, I found that the following code handles receiving the input and determining whether the answer is correct.\nSo I set a breakpoint at this address and analyzed it in GDB.</p>\n<div class=\"gatsby-highlight\" data-language=\"assembly\"><pre class=\"language-assembly\"><code class=\"language-assembly\">0010125a e8 71 fe        CALL       __isoc99_scanf                                   undefined __isoc99_scanf()\n          ff ff\n0010125f 39 5c 24 0c     CMP        dword ptr [RSP + local_14c],EBX\n00101263 0f 85 c7        JNZ        LAB_00101430\n          01 00 00\n00101269 83 c5 01        ADD        ebp,0x1\n0010126c 48 8d 3d        LEA        RDI,[s_Correct!_Maybe_round_%d_will_get_001021   = &quot;Correct! Maybe round %d will \n          bd 0e 00 00\n00101273 31 c0           XOR        EAX,EAX\n00101275 89 ee           MOV        ESI,ebp\n00101277 e8 e4 fd        CALL       printf                                           int printf(char * __format, ...)</code></pre></div>\n<p>By running it several times while bypassing the correct/incorrect branch by rewriting the zero flag, I learned the following in combination with the assembly above.</p>\n<ol>\n<li>At <code class=\"language-text\">0x0010125f</code>, it compares the input value with the value in the <code class=\"language-text\">EBX</code> register to determine whether the answer is correct.</li>\n<li>If the answer is correct, <code class=\"language-text\">1</code> is added to the value in the <code class=\"language-text\">EBP</code> register.</li>\n</ol>\n<p>At this point, by reading the value of the <code class=\"language-text\">EBX</code> register in GDB when the program checks the answer, you can learn the correct answer and use that as a clue to discover the rules of each function.\n(Unfortunately, the process of reverse-engineering each formula would make this article too long, so I’ll omit it.)</p>\n<p>After some trial and error, I was able to figure out the logic <code class=\"language-text\">foo</code> and <code class=\"language-text\">bar</code> use to determine each value in the problem statement.</p>\n<div class=\"gatsby-highlight\" data-language=\"text\"><pre class=\"language-text\"><code class=\"language-text\">foo(A, B) = C\nC = A ^ (B + 1) ^ 0x539</code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"text\"><pre class=\"language-text\"><code class=\"language-text\">bar(A, B, C) = D\nD = B * (C + 1) + A</code></pre></div>\n<p>Every question the program gives is a fill-in-the-blank version of either the <code class=\"language-text\">foo</code> or <code class=\"language-text\">bar</code> formula, so using these formulas lets you answer all of them correctly.</p>\n<p>I created an automation script and tried solving the questions.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token operator\">==</span><span class=\"token operator\">=</span> ROUND <span class=\"token number\">44</span> <span class=\"token operator\">==</span><span class=\"token operator\">=</span>\nbar<span class=\"token punctuation\">(</span><span class=\"token number\">1160</span>, ?, <span class=\"token number\">58</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">124529</span>\n<span class=\"token number\">2091</span>\nCorrect<span class=\"token operator\">!</span> Maybe round <span class=\"token number\">45</span> will get you the flag <span class=\"token punctuation\">;</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token operator\">==</span><span class=\"token operator\">=</span> ROUND <span class=\"token number\">45</span> <span class=\"token operator\">==</span><span class=\"token operator\">=</span>\nfoo<span class=\"token punctuation\">(</span>?, <span class=\"token number\">355</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">38988</span>\n<span class=\"token number\">39953</span>\nCorrect<span class=\"token operator\">!</span> Maybe round <span class=\"token number\">46</span> will get you the flag <span class=\"token punctuation\">;</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token operator\">==</span><span class=\"token operator\">=</span> ROUND <span class=\"token number\">46</span> <span class=\"token operator\">==</span><span class=\"token operator\">=</span>\nfoo<span class=\"token punctuation\">(</span><span class=\"token number\">39</span>, ?<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token number\">41440</span>\n<span class=\"token number\">42237</span>\nCorrect<span class=\"token operator\">!</span> Maybe round <span class=\"token number\">47</span> will get you the flag <span class=\"token punctuation\">;</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>However, even after answering more than 10,000 questions correctly, I still couldn’t get the FLAG. So I had to continue analyzing the program to figure out how the FLAG can actually be obtained.</p>\n<h2 id=\"3-understand-how-to-obtain-the-flag\" style=\"position:relative;\"><a href=\"#3-understand-how-to-obtain-the-flag\" aria-label=\"3 understand how to obtain the flag permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>3. Understand how to obtain the FLAG</h2>\n<p>Now let’s think about how the FLAG can be obtained.</p>\n<p>Earlier, we confirmed that the <code class=\"language-text\">ebp</code> register is incremented when you answer correctly, so I guessed that this was related and traced the code with that assumption in mind.</p>\n<p>Then I found that it compares the value in <code class=\"language-text\">ebp</code> with <code class=\"language-text\">0x31</code>, and jumps to <code class=\"language-text\">0x1504</code> when it is greater.</p>\n<div class=\"gatsby-highlight\" data-language=\"assembly\"><pre class=\"language-assembly\"><code class=\"language-assembly\">0x00001291      83fd31         cmp ebp, 0x31\n0x00001294      0f8f6a020000   jg 0x1504</code></pre></div>\n<p>So I looked at what happens after <code class=\"language-text\">0x1504</code>.\nIt turns out that once you solve more than 50 questions, the answer to the challenge that would normally be generated randomly (the value in the <code class=\"language-text\">EBX</code> register) stops being random and is instead created by the following processing!</p>\n<div class=\"gatsby-highlight\" data-language=\"assembly\"><pre class=\"language-assembly\"><code class=\"language-assembly\">0x00001504      99             cdq\n0x00001505      41f7fe         idiv r14d\n0x00001508      8d1c2a         lea ebx, [rdx + rbp]\n0x0000150b      4863d2         movsxd rdx, edx\n0x0000150e      0fb6441410     movzx eax, byte [rsp + rdx + 0x10]\n0x00001513      0fb6db         movzx ebx, bl\n0x00001516      c1e308         shl ebx, 8\n0x00001519      09c3           or ebx, eax\n0x0000151b      e98bfdffff     jmp 0x12ab ;start of the next problem setup</code></pre></div>\n<p>This is hard to read as-is, so let’s look at Ghidra’s decompiled output.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">EBX <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>FlagLength <span class=\"token operator\">%</span> iVar1 <span class=\"token operator\">+</span> current_correct_count <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">8</span> <span class=\"token operator\">|</span> \\\n<span class=\"token punctuation\">(</span>uint<span class=\"token punctuation\">)</span>FLAGARR<span class=\"token punctuation\">[</span>FlagLength <span class=\"token operator\">%</span> iVar1<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>It seems that the program stores a value in <code class=\"language-text\">EBX</code> using the flag string it encrypted at the beginning.\nMore specifically, <code class=\"language-text\">EBX</code> stores the result of OR-ing:</p>\n<ul>\n<li>the low 8 bits of <code class=\"language-text\">current number of correct answers + flag character position</code>, shifted left by 8 bits</li>\n<li>the encrypted flag converted to an <code class=\"language-text\">int</code></li>\n</ul>\n<p>In other words, if <code class=\"language-text\">EBX</code> is <code class=\"language-text\">0x9c3f</code> and the current number of correct answers is 152, you can recover the flag character as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"text\"><pre class=\"language-text\"><code class=\"language-text\">EBX   0x9c3f\nCorrect answers 0x98(152)\n\n1. `0x9c - 0x98 = 4`, so the low byte corresponds to the 4th character\n2. The low byte is `0x3f`, so you know the encrypted 4th flag character is `0x3f`\n3. The encryption is `flag character XOR (0x11 * zero-based flag index)`, so for the 4th character it is\n   `0x3f XOR 0x33`\n4. Therefore, you can tell that the 4th character of the FLAG is `{`</code></pre></div>\n<p>Once you get this far, the rest is easy: write a script that automatically solves the questions while keeping track of the <code class=\"language-text\">current number of correct answers</code>, and once the count exceeds 50, just run the decode process above to recover the FLAG string.</p>\n<p>…that was a lie!!\nIf you stop there, the 16th character onward gets garbled.</p>\n<p>I got pretty stuck here at first because I had no idea why this was happening.</p>\n<p>After thinking about it for a while, I realized that in this part where the flag characters are XOR-encrypted by multiples of <code class=\"language-text\">0x11</code>, the register actually used for the encryption is the <code class=\"language-text\">cl</code> register.</p>\n<div class=\"gatsby-highlight\" data-language=\"assembly\"><pre class=\"language-assembly\"><code class=\"language-assembly\">0x00001190      300a           xor byte [rdx], cl\n0x00001192      83c111         add ecx, 0x11</code></pre></div>\n<p>The <code class=\"language-text\">cl</code> register is the lower 8 bits of the <code class=\"language-text\">ecx</code> register, which means the value used in the XOR operation here is also just 1 byte.</p>\n<p>When I calculated the multiples of <code class=\"language-text\">0x11</code>, I found that the 15th multiple is exactly <code class=\"language-text\">0xFF</code>, and from the 16th multiple onward the value no longer fits in 8 bits.\nBy the time I first ran the solver, I already knew the FLAG was 26 characters long, so I fixed the solver so that it would also XOR with <code class=\"language-text\">256</code>, preventing the 16th through 26th characters from becoming garbled, and that finally gave me the FLAG.</p>\n<h2 id=\"4-write-a-solver-to-automate-answering-the-questions-and-retrieving-the-flag\" style=\"position:relative;\"><a href=\"#4-write-a-solver-to-automate-answering-the-questions-and-retrieving-the-flag\" aria-label=\"4 write a solver to automate answering the questions and retrieving the flag permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>4. Write a solver to automate answering the questions and retrieving the FLAG</h2>\n<p>From here on, this is completely extra as a writeup, but since this was my first time automating the interactive execution of an ELF with a Python script, I wanted to add it.</p>\n<p>To run a program interactively from Python, use <a href=\"https://pexpect.readthedocs.io/en/stable/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">pexpect</a>.</p>\n<p>Usage is very simple: start a process by specifying the CLI command to run, and when a particular string appears in the output, you can provide any input you want at that timing.</p>\n<p>Below is a summary of the tips I used this time.</p>\n<h3 id=\"start-the-program\" style=\"position:relative;\"><a href=\"#start-the-program\" aria-label=\"start the program permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Start the program</h3>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">child <span class=\"token operator\">=</span> pexpect<span class=\"token punctuation\">.</span>spawn <span class=\"token punctuation\">(</span><span class=\"token string\">'command to run'</span><span class=\"token punctuation\">,</span> logfile<span class=\"token operator\">=</span>sys<span class=\"token punctuation\">.</span>stdout<span class=\"token punctuation\">.</span><span class=\"token builtin\">buffer</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span>\nchild<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>In the <code class=\"language-text\">command to run</code> field, enter <code class=\"language-text\">nc shell.actf.co 21700</code> or <code class=\"language-text\">./executable_name</code> to launch a process for automating interactive command handling.</p>\n<p>At this time, setting <code class=\"language-text\">logfile=sys.stdout.buffer</code> sends the output to standard output, so you can automate the processing while keeping a feel close to running the program directly from the console.</p>\n<h3 id=\"send-input-at-an-arbitrary-timing\" style=\"position:relative;\"><a href=\"#send-input-at-an-arbitrary-timing\" aria-label=\"send input at an arbitrary timing permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Send input at an arbitrary timing</h3>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">child<span class=\"token punctuation\">.</span>expect<span class=\"token punctuation\">(</span><span class=\"token string\">r'string to wait for (regular expression)'</span><span class=\"token punctuation\">)</span>\nchild<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token string\">'string to send'</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><code class=\"language-text\">expect()</code> waits until a string matching the regular expression you passed in appears.</p>\n<p><code class=\"language-text\">sendline</code> sends a string followed by a newline to the process.</p>\n<p>When <code class=\"language-text\">expect()</code> finds a match, it gives you the following.</p>\n<ol>\n<li><code class=\"language-text\">before</code>: the string that had been written to standard output before the part that matched the regular expression</li>\n<li><code class=\"language-text\">after</code>: the string that matched the regular expression</li>\n<li><code class=\"language-text\">buffer</code>: the string that had been written to standard output after the part that matched the regular expression at the moment of the match</li>\n</ol>\n<p>In the solver I wrote this time, I matched every line with <code class=\"language-text\">\\n</code>, then branched based on whether the immediately preceding output (the challenge prompt) contained <code class=\"language-text\">foo</code> or <code class=\"language-text\">bar</code>, and handled it accordingly.</p>\n<h2 id=\"the-solver-i-created\" style=\"position:relative;\"><a href=\"#the-solver-i-created\" aria-label=\"the solver i created permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>The Solver I Created</h2>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> io\n<span class=\"token keyword\">import</span> os\n<span class=\"token keyword\">import</span> sys\n<span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">import</span> re\n<span class=\"token keyword\">import</span> pexpect\n\narr <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"-1\"</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">50</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\nx11 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>i <span class=\"token operator\">*</span> <span class=\"token number\">17</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">50</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">revflag</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">,</span> rounds<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    pos <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>ans <span class=\"token operator\">>></span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> rounds\n    pos <span class=\"token operator\">=</span> pos\n    flag <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>ans <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x00ff</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> pos <span class=\"token operator\">></span> <span class=\"token number\">15</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>flag <span class=\"token operator\">^</span> x11<span class=\"token punctuation\">[</span>pos<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token number\">256</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>flag <span class=\"token operator\">^</span> x11<span class=\"token punctuation\">[</span>pos<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ans {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"pos {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>pos<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    arr<span class=\"token punctuation\">[</span>pos<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> flag\n    <span class=\"token keyword\">return</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">getfoo</span><span class=\"token punctuation\">(</span>S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># foo(?, 13) = 11231</span>\n    reA <span class=\"token operator\">=</span> <span class=\"token string\">r\"^foo\\(([0-9]{1,9}|\\?),\"</span>\n    reB <span class=\"token operator\">=</span> <span class=\"token string\">r\",\\s([0-9]{1,9}|\\?)\\)\"</span>\n    reC <span class=\"token operator\">=</span> <span class=\"token string\">r\"=\\s([0-9]{1,9}|\\?)\"</span>\n\n    A <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>reA<span class=\"token punctuation\">,</span> S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    B <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>reB<span class=\"token punctuation\">,</span> S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    C <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>reC<span class=\"token punctuation\">,</span> S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n\n    <span class=\"token keyword\">return</span> A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">getbar</span><span class=\"token punctuation\">(</span>S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># bar(?, 305, 449) = 138744</span>\n    reA <span class=\"token operator\">=</span> <span class=\"token string\">r\"^bar\\(([0-9]{1,9}|\\?),\"</span>\n    reB <span class=\"token operator\">=</span> <span class=\"token string\">r\",\\s([0-9]{1,9}|\\?),\"</span>\n    reC <span class=\"token operator\">=</span> <span class=\"token string\">r\",\\s([0-9]{1,9}|\\?)\\)\"</span>\n    reD <span class=\"token operator\">=</span> <span class=\"token string\">r\"=\\s([0-9]{1,9}|\\?)\"</span>\n\n    A <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>reA<span class=\"token punctuation\">,</span> S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    B <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>reB<span class=\"token punctuation\">,</span> S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    C <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>reC<span class=\"token punctuation\">,</span> S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n    D <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>reD<span class=\"token punctuation\">,</span> S<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n\n    <span class=\"token keyword\">return</span> A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">,</span> D\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">foo</span><span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    ans <span class=\"token operator\">=</span> <span class=\"token number\">0</span>    \n    <span class=\"token keyword\">if</span> A <span class=\"token operator\">==</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">:</span>\n        cd <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>C<span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> <span class=\"token number\">1337</span>\n        ans <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> cd\n         \n    <span class=\"token keyword\">if</span> B <span class=\"token operator\">==</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">:</span>\n        cd <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>C<span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> <span class=\"token number\">1337</span>\n        ans <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> cd<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span>\n\n    <span class=\"token keyword\">if</span> C <span class=\"token operator\">==</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">:</span>\n        ans <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> <span class=\"token number\">1337</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span>  \n\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">bar</span><span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">,</span> D<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    ans <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    <span class=\"token keyword\">if</span> A <span class=\"token operator\">==</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">:</span>\n        bd <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>C<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n        ans <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>D<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> bd\n         \n    <span class=\"token keyword\">if</span> B <span class=\"token operator\">==</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">:</span>\n        dd <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>D<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">)</span>\n        ans <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>dd <span class=\"token operator\">//</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>C<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n         \n    <span class=\"token keyword\">if</span> C <span class=\"token operator\">==</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">:</span>\n        dd <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>D<span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">)</span>\n        ans <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>dd <span class=\"token operator\">//</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>B<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span>\n         \n    <span class=\"token keyword\">if</span> D <span class=\"token operator\">==</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">:</span>\n        ans <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>C<span class=\"token punctuation\">)</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span>\n\n\nchild <span class=\"token operator\">=</span> pexpect<span class=\"token punctuation\">.</span>spawn <span class=\"token punctuation\">(</span><span class=\"token string\">'nc shell.actf.co 21700'</span><span class=\"token punctuation\">,</span> logfile<span class=\"token operator\">=</span>sys<span class=\"token punctuation\">.</span>stdout<span class=\"token punctuation\">.</span><span class=\"token builtin\">buffer</span><span class=\"token punctuation\">)</span>\n\ncounter <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n<span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        child<span class=\"token punctuation\">.</span>expect<span class=\"token punctuation\">(</span><span class=\"token string\">r'\\n'</span><span class=\"token punctuation\">)</span>\n        S <span class=\"token operator\">=</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>child<span class=\"token punctuation\">.</span>before<span class=\"token punctuation\">)</span>\n        <span class=\"token comment\"># print(S[2:-3])</span>\n\n        <span class=\"token keyword\">if</span> counter <span class=\"token operator\">&lt;</span> <span class=\"token number\">50</span><span class=\"token punctuation\">:</span>            \n            <span class=\"token keyword\">if</span> <span class=\"token string\">\"bar\"</span> <span class=\"token keyword\">in</span> S<span class=\"token punctuation\">:</span>\n                counter <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n                A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">,</span> D <span class=\"token operator\">=</span> getbar<span class=\"token punctuation\">(</span>S<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n                <span class=\"token comment\"># print(A, B, C, D)</span>\n\n                ans <span class=\"token operator\">=</span> bar<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">,</span> D<span class=\"token punctuation\">)</span>\n                child<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                \n            <span class=\"token keyword\">if</span> <span class=\"token string\">\"foo\"</span> <span class=\"token keyword\">in</span> S<span class=\"token punctuation\">:</span>\n                counter <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n                A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C <span class=\"token operator\">=</span> getfoo<span class=\"token punctuation\">(</span>S<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n                ans <span class=\"token operator\">=</span> foo<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">)</span>\n                child<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        \n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> <span class=\"token string\">\"bar\"</span> <span class=\"token keyword\">in</span> S<span class=\"token punctuation\">:</span>\n                A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">,</span> D <span class=\"token operator\">=</span> getbar<span class=\"token punctuation\">(</span>S<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n                <span class=\"token comment\"># print(A, B, C, D)</span>\n\n                ans <span class=\"token operator\">=</span> bar<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">,</span> D<span class=\"token punctuation\">)</span>\n                revflag<span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">,</span> counter<span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Count : {} Ans : {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>counter<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n                child<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                counter <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n                \n            <span class=\"token keyword\">if</span> <span class=\"token string\">\"foo\"</span> <span class=\"token keyword\">in</span> S<span class=\"token punctuation\">:</span>\n                A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C <span class=\"token operator\">=</span> getfoo<span class=\"token punctuation\">(</span>S<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n                ans <span class=\"token operator\">=</span> foo<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span> B<span class=\"token punctuation\">,</span> C<span class=\"token punctuation\">)</span>\n                revflag<span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">,</span> counter<span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Count : {} Ans : {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>counter<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n                child<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>ans<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                counter <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">if</span> counter <span class=\"token operator\">></span> <span class=\"token number\">254</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">break</span>\n\n    <span class=\"token keyword\">except</span> Exception <span class=\"token keyword\">as</span> e<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>e<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">break</span>\n\nchild<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>arr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>So, from the Reversing challenges in ångstromCTF 2021, I wrote up my attempt at <code class=\"language-text\">Infinity Gauntlet</code>.</p>\n<p>It took quite a while to solve completely (about 5 hours), but by taking the time to work through this problem carefully, I feel like I deepened my knowledge and understanding of assembly and registers quite a bit.</p>\n<p>I plan to keep challenging myself with various Reversing problems in the future.</p>\n<h3 id=\"references--books-i-used-while-solving-the-challenge\" style=\"position:relative;\"><a href=\"#references--books-i-used-while-solving-the-challenge\" aria-label=\"references  books i used while solving the challenge permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>References &#x26; Books I Used While Solving the Challenge</h3>\n<h3 id=\"books\" style=\"position:relative;\"><a href=\"#books\" aria-label=\"books permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Books</h3>\n<ul>\n<li>\n<p><a href=\"https://amzn.to/3mceJHH\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">大熱血！ アセンブラ入門</a></p>\n<ul>\n<li>When I’m reading assembly, this is the book I refer to as needed.</li>\n</ul>\n</li>\n<li>\n<p><a href=\"https://amzn.to/2PsWQbI\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">解析魔法少女 美咲ちゃん マジカル・オープン!</a></p>\n<ul>\n<li>It’s aimed at PE modules, but I always use it as a reference when tracing program flow.</li>\n<li>Since it’s a 2004 book, note that some of the content is a little outdated.</li>\n</ul>\n</li>\n<li>\n<p><a href=\"https://amzn.to/3t4Lolh\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">リバースエンジニアリングツールGhidra実践ガイド ~セキュリティコンテスト入門からマルウェア解析まで~</a></p>\n<ul>\n<li>This is almost the only book written in Japanese about Ghidra.</li>\n<li>It was written by members who are extremely strong at CTFs, and the content is also very easy to understand (not that I’m saying I fully understand it).</li>\n</ul>\n</li>\n</ul>\n<h3 id=\"web\" style=\"position:relative;\"><a href=\"#web\" aria-label=\"web permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Web</h3>\n<ul>\n<li><a href=\"https://takuzoo3868.hatenablog.com/entry/radare2_love\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">radare2 覚書 - /var/log/Sawada.log</a></li>\n<li><a href=\"https://pexpect.readthedocs.io/en/stable/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Pexpect version 4.8 — Pexpect 4.8 documentation</a></li>\n</ul>","fields":{"slug":"/ctf-angstromctf-2021-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/english/"]},"frontmatter":{"date":"2021-10-04","description":"This time, I'm writing a writeup for Infinity Gauntlet, the challenge I learned the most from among the problems I managed to solve.","tags":["CTF (en)","Reversing (en)","English"],"title":"[Reversing Writeup] Infinity Gauntlet (ångstromCTF 2021)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-angstromctf-2021-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}