{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-angstromctf-2023-en","result":{"data":{"markdownRemark":{"id":"2884244a-195d-5aaa-8c62-32fd5d83b06e","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-angstromctf-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in ångstrom CTF 2023 in April with team 0nePadding.</p>\n<p>We scored 920 points and finished in 151st place out of 1429 teams.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 863px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/bd39d9b5770714eaa6151c583c7d45ba/ee455/image-20230429174138393.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.083333333333332%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/bd39d9b5770714eaa6151c583c7d45ba/8ac56/image-20230429174138393.webp 240w,\n/static/bd39d9b5770714eaa6151c583c7d45ba/d3be9/image-20230429174138393.webp 480w,\n/static/bd39d9b5770714eaa6151c583c7d45ba/8e594/image-20230429174138393.webp 863w\"\n              sizes=\"(max-width: 863px) 100vw, 863px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/bd39d9b5770714eaa6151c583c7d45ba/8ff5a/image-20230429174138393.png 240w,\n/static/bd39d9b5770714eaa6151c583c7d45ba/e85cb/image-20230429174138393.png 480w,\n/static/bd39d9b5770714eaa6151c583c7d45ba/ee455/image-20230429174138393.png 863w\"\n            sizes=\"(max-width: 863px) 100vw, 863px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/bd39d9b5770714eaa6151c583c7d45ba/ee455/image-20230429174138393.png\"\n            alt=\"image-20230429174138393\"\n            title=\"image-20230429174138393\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I solved several Rev challenges this time, so I’ll write a brief writeup for each.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#zazarev\">zaza (Rev)</a></li>\n<li><a href=\"#bananasrev\">Bananas (Rev)</a></li>\n<li><a href=\"#moonrev\">moon (Rev)</a></li>\n<li><a href=\"#physics-hwmisc\">Physics HW (Misc)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"zaza-rev\" style=\"position:relative;\"><a href=\"#zaza-rev\" aria-label=\"zaza rev permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>zaza (Rev)</h2>\n<p>Decompiling with Ghidra produced the following simple code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> iVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">size_t</span> sVar2<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> in_FS_OFFSET<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> local_60<span class=\"token punctuation\">;</span>\n  uint local_5c<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> local_58 <span class=\"token punctuation\">[</span><span class=\"token number\">72</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> local_10<span class=\"token punctuation\">;</span>\n  \n  local_10 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_60 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  local_5c <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"I\\'m going to sleep. 
Count me some sheep: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">__isoc99_scanf</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>DAT_00102092<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_60<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_60 <span class=\"token operator\">!=</span> <span class=\"token number\">0x1337</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"That\\'s not enough sheep!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Nice, now reset it. 
Bet you can\\'t: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">__isoc99_scanf</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>DAT_00102092<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_5c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_5c <span class=\"token operator\">*</span> local_60 <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d %d\"</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span>local_5c<span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>local_60 <span class=\"token operator\">+</span> local_5c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Not good enough for me.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token 
function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Okay, what\\'s the magic word?\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">getchar</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">,</span><span class=\"token number\">0x40</span><span class=\"token punctuation\">,</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  sVar2 <span class=\"token operator\">=</span> <span class=\"token function\">strcspn</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">,</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_58<span class=\"token punctuation\">[</span>sVar2<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token char\">'\\0'</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">xor_</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">strncmp</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">,</span><span class=\"token string\">\"2&amp; =$!-( &lt;*+*( ?!&amp;$$6,. 
)\\' $19 , #9=!1 &lt;*=6 &lt;6;66#\"</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x32</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Nope\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_10 <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">__stack_chk_fail</span><span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The key section is this:</p>\n<p>It reads up to 0x40 bytes of user input, passes it to the <code class=\"language-text\">xor_</code> function, and if the result matches <code class=\"language-text\">2&amp; =$!-( &lt;*+*( ?!&amp;$$6,. )\\' $19 , #9=!1 &lt;*=6 &lt;6;66#</code>, the flag is displayed.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Okay, what\\'s the magic word?\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">getchar</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">,</span><span class=\"token number\">0x40</span><span class=\"token punctuation\">,</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nsVar2 <span class=\"token operator\">=</span> <span class=\"token function\">strcspn</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">,</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nlocal_58<span class=\"token punctuation\">[</span>sVar2<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token char\">'\\0'</span><span class=\"token 
punctuation\">;</span>\n<span class=\"token function\">xor_</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\niVar1 <span class=\"token operator\">=</span> <span class=\"token function\">strncmp</span><span class=\"token punctuation\">(</span>local_58<span class=\"token punctuation\">,</span><span class=\"token string\">\"2&amp; =$!-( &lt;*+*( ?!&amp;$$6,. )\\' $19 , #9=!1 &lt;*=6 &lt;6;66#\"</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x32</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n<span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Nope\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n<span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>The <code class=\"language-text\">xor_</code> function is implemented as follows.</p>\n<p>It checks that the input string length matches that of <code class=\"language-text\">anextremelycomplicatedkeythatisdefinitelyuselessss</code>, then XORs each input character with the corresponding key character.</p>\n<div 
class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">xor_</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> param_1<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token class-name\">size_t</span> sVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> local_24<span class=\"token punctuation\">;</span>\n  \n  local_24 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    sVar1 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"anextremelycomplicatedkeythatisdefinitelyuselessss\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>sVar1 <span class=\"token operator\">&lt;=</span> <span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">+</span> local_24<span class=\"token punctuation\">)</span> <span 
class=\"token operator\">=</span>\n         <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">+</span> local_24<span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span>\n         <span class=\"token string\">\"anextremelycomplicatedkeythatisdefinitelyuselessss\"</span><span class=\"token punctuation\">[</span>local_24<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    local_24 <span class=\"token operator\">=</span> local_24 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>So XOR-ing <code class=\"language-text\">anextremelycomplicatedkeythatisdefinitelyuselessss</code> with <code class=\"language-text\">2&amp; =$!-( &lt;*+*( ?!&amp;$$6,. 
)\\' $19 , #9=!1 &lt;*=6 &lt;6;66#</code> reveals that the magic word needed is <code class=\"language-text\">SHEEPSHEEPSHEEPSHEEPSHEEP(OAPXJDIFJWTUTLE_NSLYEHEEB</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 813px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/fa70c83954163a18f6488d3bb8368a2d/baaa6/image-20230429175845337.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 29.583333333333332%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/fa70c83954163a18f6488d3bb8368a2d/8ac56/image-20230429175845337.webp 240w,\n/static/fa70c83954163a18f6488d3bb8368a2d/d3be9/image-20230429175845337.webp 480w,\n/static/fa70c83954163a18f6488d3bb8368a2d/90602/image-20230429175845337.webp 813w\"\n              sizes=\"(max-width: 813px) 100vw, 813px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/fa70c83954163a18f6488d3bb8368a2d/8ff5a/image-20230429175845337.png 240w,\n/static/fa70c83954163a18f6488d3bb8368a2d/e85cb/image-20230429175845337.png 480w,\n/static/fa70c83954163a18f6488d3bb8368a2d/baaa6/image-20230429175845337.png 813w\"\n            sizes=\"(max-width: 813px) 100vw, 813px\"\n        
    type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/fa70c83954163a18f6488d3bb8368a2d/baaa6/image-20230429175845337.png\"\n            alt=\"image-20230429175845337\"\n            title=\"image-20230429175845337\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Sending this to the challenge server returned the flag.</p>\n<h2 id=\"bananas-rev\" style=\"position:relative;\"><a href=\"#bananas-rev\" aria-label=\"bananas rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bananas (Rev)</h2>\n<p>The challenge binary <code class=\"language-text\">Elixir.Bananas.beam</code> is clearly compiled from Elixir.</p>\n<p>I used the following tool to decompile it.</p>\n<p>Reference: <a href=\"https://github.com/michalmuskala/decompile\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GitHub - michalmuskala/decompile</a></p>\n<p>To use the tool you need Elixir installed and the <code class=\"language-text\">mix</code> command available.</p>\n<p>Multiple output formats are available:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">mix decompile ElixirModule --to expanded\nmix decompile ElixirModule --to erlang\nmix decompile ElixirModule --to asm\nmix decompile ElixirModule --to 
core</code></pre></div>\n<p><code class=\"language-text\">expanded</code> was the most readable, so I used that. The output is:</p>\n<div class=\"gatsby-highlight\" data-language=\"elixir\"><pre class=\"language-elixir\"><code class=\"language-elixir\"><span class=\"token keyword\">defmodule</span> <span class=\"token module class-name\">Bananas</span> <span class=\"token keyword\">do</span>\n  <span class=\"token keyword\">defp</span> <span class=\"token function\">to_integer</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>num<span class=\"token punctuation\">,</span> string<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span class=\"token punctuation\">[</span><span class=\"token atom symbol\">:erlang</span><span class=\"token punctuation\">.</span><span class=\"token function\">binary_to_integer</span><span class=\"token punctuation\">(</span>num<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> string<span class=\"token punctuation\">]</span>\n  <span class=\"token keyword\">end</span>\n\n  <span class=\"token keyword\">defp</span> <span class=\"token function\">to_integer</span><span class=\"token punctuation\">(</span>list<span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    list\n  <span class=\"token keyword\">end</span>\n\n  <span class=\"token keyword\">defp</span> <span class=\"token function\">print_flag</span><span class=\"token punctuation\">(</span><span class=\"token boolean\">false</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span class=\"token module class-name\">IO</span><span class=\"token punctuation\">.</span><span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Nope\"</span><span class=\"token punctuation\">)</span>\n  <span class=\"token 
keyword\">end</span>\n\n  <span class=\"token keyword\">defp</span> <span class=\"token function\">print_flag</span><span class=\"token punctuation\">(</span><span class=\"token boolean\">true</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span class=\"token module class-name\">IO</span><span class=\"token punctuation\">.</span><span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token module class-name\">File</span><span class=\"token punctuation\">.</span><span class=\"token function\">read!</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.txt\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">end</span>\n\n  <span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span>args<span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span class=\"token function\">print_flag</span><span class=\"token punctuation\">(</span><span class=\"token function\">check</span><span class=\"token punctuation\">(</span><span class=\"token function\">convert_input</span><span class=\"token punctuation\">(</span><span class=\"token module class-name\">IO</span><span class=\"token punctuation\">.</span><span class=\"token function\">gets</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"How many bananas do I have?\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">end</span>\n\n  <span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span 
class=\"token function\">super</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">end</span>\n\n  <span class=\"token keyword\">defp</span> <span class=\"token function\">convert_input</span><span class=\"token punctuation\">(</span>string<span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span class=\"token function\">to_integer</span><span class=\"token punctuation\">(</span><span class=\"token module class-name\">String</span><span class=\"token punctuation\">.</span><span class=\"token function\">split</span><span class=\"token punctuation\">(</span><span class=\"token module class-name\">String</span><span class=\"token punctuation\">.</span><span class=\"token function\">trim</span><span class=\"token punctuation\">(</span>string<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">end</span>\n\n  <span class=\"token keyword\">defp</span> <span class=\"token function\">check</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>num<span class=\"token punctuation\">,</span> <span class=\"token string\">\"bananas\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span class=\"token atom symbol\">:erlang</span><span class=\"token punctuation\">.</span><span class=\"token operator\">==</span><span class=\"token punctuation\">(</span><span class=\"token atom symbol\">:erlang</span><span class=\"token punctuation\">.</span><span class=\"token operator\">-</span><span class=\"token punctuation\">(</span><span class=\"token atom symbol\">:erlang</span><span class=\"token punctuation\">.</span><span class=\"token operator\">*</span><span class=\"token 
punctuation\">(</span><span class=\"token atom symbol\">:erlang</span><span class=\"token punctuation\">.</span><span class=\"token operator\">+</span><span class=\"token punctuation\">(</span>num<span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">971</span><span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">end</span>\n\n  <span class=\"token keyword\">defp</span> <span class=\"token function\">check</span><span class=\"token punctuation\">(</span>_asdf<span class=\"token punctuation\">)</span> <span class=\"token keyword\">do</span>\n    <span class=\"token boolean\">false</span>\n  <span class=\"token keyword\">end</span>\n<span class=\"token keyword\">end</span></code></pre></div>\n<p>This code can be run directly (with minor modifications) on an online service such as AtCoder, which made testing very easy.</p>\n<p>As you can see, only input in the format <code class=\"language-text\">&lt;number&gt; bananas</code> proceeds to validation by the <code class=\"language-text\">check</code> function.</p>\n<p>Solving <code class=\"language-text\">(number + 5) * 9 - 1 = 971</code> gives 103 as the correct answer.</p>\n<p>Sending <code class=\"language-text\">103 bananas</code> to the challenge server returned the flag.</p>\n<h2 id=\"moon-rev\" style=\"position:relative;\"><a href=\"#moon-rev\" aria-label=\"moon rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 
2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>moon (Rev)</h2>\n<p>According to the problem statement, the correct sequence of inputs to the binary is the flag in ASCII.</p>\n<blockquote>\n<p>To the moon! The correct sequence of inputs is the flag in ASCII.</p>\n</blockquote>\n<p>Analysis of the binary shows 1293 functions defined, <code class=\"language-text\">func0</code> through <code class=\"language-text\">func1292</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 184px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/66616a3dbdc09da9d8188f795a776682/5a64f/image-20230429182044810.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 236.9565217391304%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          
<source\n              srcset=\"/static/66616a3dbdc09da9d8188f795a776682/e26c4/image-20230429182044810.webp 184w\"\n              sizes=\"(max-width: 184px) 100vw, 184px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/66616a3dbdc09da9d8188f795a776682/5a64f/image-20230429182044810.png 184w\"\n            sizes=\"(max-width: 184px) 100vw, 184px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/66616a3dbdc09da9d8188f795a776682/5a64f/image-20230429182044810.png\"\n            alt=\"image-20230429182044810\"\n            title=\"image-20230429182044810\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Each function has the same structure: it adds a value to 8-byte slots in a data region called <code class=\"language-text\">check</code>, which has 1293 slots of 8 bytes each.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 272px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3680dbbc3c3a70401b1fe822e90156f3/2aae8/image-20230429182346601.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 106.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3680dbbc3c3a70401b1fe822e90156f3/8ac56/image-20230429182346601.webp 240w,\n/static/3680dbbc3c3a70401b1fe822e90156f3/542bb/image-20230429182346601.webp 272w\"\n              
sizes=\"(max-width: 272px) 100vw, 272px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3680dbbc3c3a70401b1fe822e90156f3/8ff5a/image-20230429182346601.png 240w,\n/static/3680dbbc3c3a70401b1fe822e90156f3/2aae8/image-20230429182346601.png 272w\"\n            sizes=\"(max-width: 272px) 100vw, 272px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3680dbbc3c3a70401b1fe822e90156f3/2aae8/image-20230429182346601.png\"\n            alt=\"image-20230429182346601\"\n            title=\"image-20230429182346601\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The validation logic compares <code class=\"language-text\">needed</code> against <code class=\"language-text\">check</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 650px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4a15ee11a63eec32e6029f7ff358ffae/a6d36/image-20230429183003795.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4a15ee11a63eec32e6029f7ff358ffae/8ac56/image-20230429183003795.webp 240w,\n/static/4a15ee11a63eec32e6029f7ff358ffae/d3be9/image-20230429183003795.webp 480w,\n/static/4a15ee11a63eec32e6029f7ff358ffae/c1dc5/image-20230429183003795.webp 650w\"\n              
sizes=\"(max-width: 650px) 100vw, 650px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4a15ee11a63eec32e6029f7ff358ffae/8ff5a/image-20230429183003795.png 240w,\n/static/4a15ee11a63eec32e6029f7ff358ffae/e85cb/image-20230429183003795.png 480w,\n/static/4a15ee11a63eec32e6029f7ff358ffae/a6d36/image-20230429183003795.png 650w\"\n            sizes=\"(max-width: 650px) 100vw, 650px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4a15ee11a63eec32e6029f7ff358ffae/a6d36/image-20230429183003795.png\"\n            alt=\"image-20230429183003795\"\n            title=\"image-20230429183003795\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><code class=\"language-text\">needed</code> is also <code class=\"language-text\">8 bytes × 1293</code> entries and has values hardcoded into it.</p>\n<p>Input is accepted as up to 1293 digits; each digit’s value determines how many times the corresponding function is called.</p>\n<p>(If the input is <code class=\"language-text\">123…</code>, <code class=\"language-text\">func0</code> is called once, <code class=\"language-text\">func1</code> twice, <code class=\"language-text\">func2</code> three times, and so on.)</p>\n<p>The task is to find an input that makes <code class=\"language-text\">check</code> exactly equal to <code class=\"language-text\">needed</code> after calling all functions the right number of times.</p>\n<p>I identified all of this but couldn’t come up with a solver algorithm — thinking too rigidly.</p>\n<p>In hindsight, if you let x, y, z, … denote the number of times each function runs, you get a system of 1293 equations in 1293 unknowns — solvable by simultaneous equations.</p>\n<p>It’s easy to get stuck in rigid thinking, so 
I need to be more flexible.</p>\n<p>I used the following reference for the final solver.</p>\n<p>Reference: <a href=\"https://fazect.github.io/angstrom2023-rev/#moon\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ångstromCTF 2023 - Reverse Engineering Writeups - FazeCT Blogs</a></p>\n<p>First, use pwntools to extract the 1293 hardcoded <code class=\"language-text\">needed</code> values.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\ne <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span><span class=\"token string\">'./moon'</span><span class=\"token punctuation\">,</span>checksec<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n\nneeded <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">1293</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    data <span class=\"token operator\">=</span> e<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span>e<span class=\"token punctuation\">.</span>sym<span class=\"token punctuation\">[</span><span class=\"token string\">'needed'</span><span class=\"token punctuation\">]</span><span class=\"token operator\">+</span>i<span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\n    data <span class=\"token operator\">=</span> <span 
class=\"token builtin\">int</span><span class=\"token punctuation\">.</span>from_bytes<span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">,</span><span class=\"token string\">'little'</span><span class=\"token punctuation\">)</span>\n    needed<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>needed<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Then extract the addend from each <code class=\"language-text\">func</code> function to build the system of equations.</p>\n<p>This step uses pwntools’ ELF module and takes a fair amount of time.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> sage<span class=\"token punctuation\">.</span><span class=\"token builtin\">all</span> <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Assumed inputs: check is a list of 1293 rows, one per func, where row i holds</span>\n<span class=\"token comment\"># the value func i adds to each slot; needed is the list from the previous script.</span>\nmat <span class=\"token operator\">=</span> Matrix<span class=\"token punctuation\">(</span>check<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># Transpose so columns are functions and rows are slots: mat * calls = needed.</span>\nmat <span class=\"token operator\">=</span> mat<span class=\"token punctuation\">.</span>T\nneeded <span class=\"token operator\">=</span> vector<span class=\"token punctuation\">(</span>needed<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># The solution vector is the number of calls for each function.</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>mat<span class=\"token punctuation\">.</span>solve_right<span class=\"token punctuation\">(</span>needed<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Solving the system with the extracted values yields the flag.</p>\n<h2 id=\"physics-hw-misc\" style=\"position:relative;\"><a href=\"#physics-hw-misc\" aria-label=\"physics hw misc permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Physics HW (Misc)</h2>\n<p>Analyzing the provided pcap file, I found data that appeared to be a corrupted ZIP file being transmitted.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/595e5c66d4300872172e16d1ff8c9e30/d004c/image-20230422205325945.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/595e5c66d4300872172e16d1ff8c9e30/8ac56/image-20230422205325945.webp 240w,\n/static/595e5c66d4300872172e16d1ff8c9e30/d3be9/image-20230422205325945.webp 480w,\n/static/595e5c66d4300872172e16d1ff8c9e30/e46b2/image-20230422205325945.webp 960w,\n/static/595e5c66d4300872172e16d1ff8c9e30/f992d/image-20230422205325945.webp 1440w,\n/static/595e5c66d4300872172e16d1ff8c9e30/6eb7d/image-20230422205325945.webp 1611w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/595e5c66d4300872172e16d1ff8c9e30/8ff5a/image-20230422205325945.png 240w,\n/static/595e5c66d4300872172e16d1ff8c9e30/e85cb/image-20230422205325945.png 480w,\n/static/595e5c66d4300872172e16d1ff8c9e30/d9199/image-20230422205325945.png 960w,\n/static/595e5c66d4300872172e16d1ff8c9e30/07a9c/image-20230422205325945.png 1440w,\n/static/595e5c66d4300872172e16d1ff8c9e30/d004c/image-20230422205325945.png 1611w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/595e5c66d4300872172e16d1ff8c9e30/d9199/image-20230422205325945.png\"\n            alt=\"image-20230422205325945\"\n            title=\"image-20230422205325945\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Exporting the file from Wireshark and extracting it with 7-Zip let me examine the contents.</p>\n<p>The flag was recovered from the extracted file.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I was close to solving moon but couldn’t come up with the solver because I was thinking too rigidly.</p>\n<p>I’ve been saying this for about 3 years now — I really need to keep 
practicing.</p>","fields":{"slug":"/ctf-angstromctf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2023-04-29","description":"ångstrom CTF 2023 Writeup","tags":["CTF (en)","Rev (en)","English"],"title":"ångstrom CTF 2023 Writeup","socialImage":{"publicURL":"/static/aa817d213fbbbbe145c5236516851875/ctf-angstromctf-2023.png"}}}},"pageContext":{"slug":"/ctf-angstromctf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}