{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-gracier-2023-en","result":{"data":{"markdownRemark":{"id":"1b2682a4-b479-5908-a156-3736c53c9f9b","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-gracier-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in Gracier CTF 2023, which began on November 25, 2023, as part of 0nePadding and placed 150th.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 460px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0b021564356e006a3fdf611f84ae0f79/08a84/image-20231128192724713.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 54.58333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABOElEQVQoz5WS63KCUAyEef9X6rSjVauCXEQPclMr2nYqXusgUK3bJL7A8cc3gTCzZJM1Ju8XqGmJYFZhlBQI6FmlZ4wJfn8UI/0ABqMt2vYn4iXw5OzRDQq4SY1kBelx1cWIstt9GoKn9ZIS41mNYP6LOLsiWlwRUl8XYzK/oGWu0Ogt4ARHtNwN2kTTzoWOt5W+LgZPZfkbmMMcXnhCb7RHn+Da9XdSh9TXxWDffnQi9QPYvpdUtL8KTkzWafqUvkfZH9m/aSGC7uSIgdqJoB2VGBBmeCbxWgR1xUSQd8hXZtiyTXu48yPVHB+kz3Y8Hcu8Qz7Kaz+DrY54tr6FppOjYa/xYq2pf4CrexS2yaFW00rOHlBkFEUmWlwQU2TiR2PDweYrd5wvCTGH+k0VCOlHyfIe7Ef4B/zEIPK/qaEcAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0b021564356e006a3fdf611f84ae0f79/8ac56/image-20231128192724713.webp 240w,\n/static/0b021564356e006a3fdf611f84ae0f79/bc10c/image-20231128192724713.webp 460w\"\n              sizes=\"(max-width: 460px) 100vw, 460px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0b021564356e006a3fdf611f84ae0f79/8ff5a/image-20231128192724713.png 240w,\n/static/0b021564356e006a3fdf611f84ae0f79/08a84/image-20231128192724713.png 460w\"\n            sizes=\"(max-width: 460px) 100vw, 460px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0b021564356e006a3fdf611f84ae0f79/08a84/image-20231128192724713.png\"\n            alt=\"image-20231128192724713\"\n            title=\"image-20231128192724713\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I did not have much time during the competition this time, but I will briefly write up the challenges.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#arisaicrypto\">ARISAI(Crypto)</a></li>\n<li><a href=\"#soprev\">SOP(Rev)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"arisaicrypto\" style=\"position:relative;\"><a href=\"#arisaicrypto\" aria-label=\"arisaicrypto permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>ARISAI(Crypto)</h2>\n<blockquote>\n<p>I heard that RSA with multiple primes is more secure. My N is very large, so there should not be a problem.</p>\n</blockquote>\n<p>The challenge provided the following code and <code class=\"language-text\">output.txt</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>number <span class=\"token keyword\">import</span> bytes_to_long\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>number <span class=\"token keyword\">import</span> getPrime\n\nPRIME_LENGTH <span class=\"token operator\">=</span> <span class=\"token number\">24</span>\nNUM_PRIMES <span class=\"token operator\">=</span> <span class=\"token number\">256</span>\n\nFLAG <span class=\"token operator\">=</span> <span class=\"token string\">b\"gctf{redacted}\"</span>\n\nN <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\ne <span class=\"token operator\">=</span> <span class=\"token number\">65537</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>NUM_PRIMES<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    prime <span class=\"token operator\">=</span> getPrime<span class=\"token punctuation\">(</span>PRIME_LENGTH<span class=\"token punctuation\">)</span>\n    N <span class=\"token operator\">*=</span> prime\n\nct <span class=\"token operator\">=</span> <span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>bytes_to_long<span class=\"token punctuation\">(</span>FLAG<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> e<span class=\"token punctuation\">,</span> N<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>N<span class=\"token operator\">=</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>e<span class=\"token operator\">=</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>ct<span class=\"token operator\">=</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token assign-left variable\">N</span><span class=\"token operator\">=</span><span class=\"token number\">1184908748889071774788034737775985521200704101703442353533571651469039119038363889871690290631780514392998940707556520304994251661487952739548636064794593979743960985105714178256254882281217858250862223543439960706396290227277478129176832127123978750828494876903409727762030036738239667368905104438928911566884429794089785359693581516505306703816625771477479791983463382338322851370493663626725244651132237909443116453288042969721313548822734328099261670264015661317332067465328436010383015204012585652642998962413149192518150858822735406696105372552184840669950255731733251466001814530877075818908809387881715924209232067963931299295012877100632316050826276879774867425832387424978221636157426227764972761357957047150626791204295493153062565652892972581618176577163744310556692610510074992218502075083140232623713873241177386817247671528165164472947992350655138814891455499972562301161585763970067635688236798480514440398603568227283629452476242623289661524243073929894099518473939222881149459574426407208658860251686137960952889074096311126991477096465624470265619377139983649503903820480974951491378311837933293607705488991162022547957926530402988912221198282579794590930661493745233069145707902854299501706154802038942258911515981663207152069613126155243024789689987554767962281273345273757236723762684230158310314189489269922058062081424352003908442430243686562569467793068370441732743572240164014190275463904986105758545036928880621165599686076511511089276388190078187849622221351011692443859919384379432387437072419707649486293684966456033518855679391672980173280496419686363359529398834403906418139786395934302273747490127295066208248715874656180233559644161531014137838623558729789331274400542717269108353265885948166102045041669627782992845494987948783304254174326130201166965174477449798721151991240203641</span>\n<span class=\"token assign-left variable\">e</span><span class=\"token operator\">=</span><span class=\"token number\">65537</span>\n<span class=\"token assign-left variable\">ct</span><span class=\"token operator\">=</span><span class=\"token number\">268829805459609475588440899873097740407996768854076329496002425282199615879909227647380967635165606878898541606457683227761652305836586321855100255485305118037701500609605019785162541750877335573032359895573772603246111506991979320486028250721513277767642375361127152574528694298160906073442383962020636918610527024050576972769852306021296823499884948279413653216802756618690182635446020844210831886652986287932378470425746444631963933610367607515800649608436183004088441881238148504635598468243968695248287570279766119573944421327504565309861792437849662128566261080923059583840204287527201636471106753069738472306223410300379312983945939043519755909420737707495224846116170095923898104488099329762265149868062693687303917610957104520999978944379566136253252697346935036425206126213766976582551430726756840294537354912787885103742021813054656962241068550049435394355553796824094853195888610994254949530524531633088750916669188277025883371307926545593346345011181011886157628805587723572874545440223921942144548540109099572715194182349314576321627183804149379561322969725485272107142991680959335537127382716195040449341448266408777436145121388591741613272241408064729715121476227737259932422493622000014673154665474739974557976672498027364986075870354093242809763072555932073688776712239151696700128393589329790478951588551070833013708885416360627613835550721939073618725634813608997025047929327270234611128029339388251117036658410438813874667672407000490721438737857471847655487642835059784967516451098631494261100960513521722400650533821661854325599281416744189966724295645707952292786069145361070873245192529272080607536319284389065418040578100669665069777133031446812281199863684982910055858515634879595144557407925298026899908970790756383369461817536923660051327566555421265363733995050644914554395836353253513</span></code></pre></div>\n<p>Reading the provided Python script, we can see that <code class=\"language-text\">ct</code> in <code class=\"language-text\">output.txt</code> is the RSA encryption of the flag, where <code class=\"language-text\">N</code> is the product of 256 24-bit primes.</p>\n<p>Although <code class=\"language-text\">N</code>, the product of 256 primes, is very large, the primes used are only 24 bits, so factoring it is easy.</p>\n<p>This time, I simply used a table of primes I found online and took <code class=\"language-text\">N mod p</code> from the beginning to identify all of the constituent primes.</p>\n<p>After successfully factoring it, I struggled a bit with constructing <code class=\"language-text\">phi</code>.</p>\n<p>For multi-prime RSA like this challenge, the Euler totient seems to be defined as follows.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6a18ef3c55de7320cbe4b9f934cb45c8/d43b4/image.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAxUlEQVQoz42QXRKDIAyEOQii/AdnfPUO3v9AaZYWB7Cd6cNKjMv6Jeo8T76ui+22sdaal2UZpKd3yBhzn7OU956P42BnLa/r+pCzjjf5WVN/+VuoQjNIKIJzzpxS4hgj+xC4lFKFXjtxCZP8ClV4EBGThFmhbCSgm89WwzeTtWBlxLTvew3tCYMQZqmp0N2DUCfx1f12O2+hlbCOJKHOuQfZrJ6yTTQSmjch6EbCOOwOwvdK/vHlTNWL0C7Q3Pj/6Ju3H/kF25/dLDNMNzsAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6a18ef3c55de7320cbe4b9f934cb45c8/8ac56/image.webp 240w,\n/static/6a18ef3c55de7320cbe4b9f934cb45c8/d3be9/image.webp 480w,\n/static/6a18ef3c55de7320cbe4b9f934cb45c8/e46b2/image.webp 960w,\n/static/6a18ef3c55de7320cbe4b9f934cb45c8/ccc09/image.webp 1202w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6a18ef3c55de7320cbe4b9f934cb45c8/8ff5a/image.png 240w,\n/static/6a18ef3c55de7320cbe4b9f934cb45c8/e85cb/image.png 480w,\n/static/6a18ef3c55de7320cbe4b9f934cb45c8/d9199/image.png 960w,\n/static/6a18ef3c55de7320cbe4b9f934cb45c8/d43b4/image.png 1202w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6a18ef3c55de7320cbe4b9f934cb45c8/d9199/image.png\"\n            alt=\"img\"\n            title=\"img\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I looked at the frequency of the recovered primes, I found that the three primes <code class=\"language-text\">(8725153,11369903,16177433)</code> were each used twice.</p>\n<p>So, by handling only the duplicated primes with a term like <code class=\"language-text\">p * (p-1)</code>, I was able to compute <code class=\"language-text\">phi</code> and successfully decrypt the ciphertext.</p>\n<p>I was able to recover the flag with the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>number <span class=\"token keyword\">import</span> long_to_bytes<span class=\"token punctuation\">,</span> bytes_to_long\n\nn<span class=\"token operator\">=</span><span class=\"token number\">1184908748889071774788034737775985521200704101703442353533571651469039119038363889871690290631780514392998940707556520304994251661487952739548636064794593979743960985105714178256254882281217858250862223543439960706396290227277478129176832127123978750828494876903409727762030036738239667368905104438928911566884429794089785359693581516505306703816625771477479791983463382338322851370493663626725244651132237909443116453288042969721313548822734328099261670264015661317332067465328436010383015204012585652642998962413149192518150858822735406696105372552184840669950255731733251466001814530877075818908809387881715924209232067963931299295012877100632316050826276879774867425832387424978221636157426227764972761357957047150626791204295493153062565652892972581618176577163744310556692610510074992218502075083140232623713873241177386817247671528165164472947992350655138814891455499972562301161585763970067635688236798480514440398603568227283629452476242623289661524243073929894099518473939222881149459574426407208658860251686137960952889074096311126991477096465624470265619377139983649503903820480974951491378311837933293607705488991162022547957926530402988912221198282579794590930661493745233069145707902854299501706154802038942258911515981663207152069613126155243024789689987554767962281273345273757236723762684230158310314189489269922058062081424352003908442430243686562569467793068370441732743572240164014190275463904986105758545036928880621165599686076511511089276388190078187849622221351011692443859919384379432387437072419707649486293684966456033518855679391672980173280496419686363359529398834403906418139786395934302273747490127295066208248715874656180233559644161531014137838623558729789331274400542717269108353265885948166102045041669627782992845494987948783304254174326130201166965174477449798721151991240203641</span>\ne<span class=\"token operator\">=</span><span class=\"token number\">65537</span>\nc<span class=\"token operator\">=</span><span class=\"token number\">268829805459609475588440899873097740407996768854076329496002425282199615879909227647380967635165606878898541606457683227761652305836586321855100255485305118037701500609605019785162541750877335573032359895573772603246111506991979320486028250721513277767642375361127152574528694298160906073442383962020636918610527024050576972769852306021296823499884948279413653216802756618690182635446020844210831886652986287932378470425746444631963933610367607515800649608436183004088441881238148504635598468243968695248287570279766119573944421327504565309861792437849662128566261080923059583840204287527201636471106753069738472306223410300379312983945939043519755909420737707495224846116170095923898104488099329762265149868062693687303917610957104520999978944379566136253252697346935036425206126213766976582551430726756840294537354912787885103742021813054656962241068550049435394355553796824094853195888610994254949530524531633088750916669188277025883371307926545593346345011181011886157628805587723572874545440223921942144548540109099572715194182349314576321627183804149379561322969725485272107142991680959335537127382716195040449341448266408777436145121388591741613272241408064729715121476227737259932422493622000014673154665474739974557976672498027364986075870354093242809763072555932073688776712239151696700128393589329790478951588551070833013708885416360627613835550721939073618725634813608997025047929327270234611128029339388251117036658410438813874667672407000490721438737857471847655487642835059784967516451098631494261100960513521722400650533821661854325599281416744189966724295645707952292786069145361070873245192529272080607536319284389065418040578100669665069777133031446812281199863684982910055858515634879595144557407925298026899908970790756383369461817536923660051327566555421265363733995050644914554395836353253513</span>\nprimes <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">8441831</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8450987</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8452019</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8473027</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8476817</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8523661</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8525711</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8608673</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8633423</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8641453</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8725153</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8725153</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8786017</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8796721</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8824679</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8850601</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8913481</span><span class=\"token punctuation\">,</span> <span class=\"token number\">8933437</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9016037</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9041551</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9075889</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9095939</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9126197</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9142547</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9163981</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9172531</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9196001</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9223867</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9253319</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9265309</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9277921</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9298747</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9300803</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9357883</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9368759</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9405353</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9444839</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9552029</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9569057</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9584371</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9663629</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9696719</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9720223</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9748049</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9770723</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9801269</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9828727</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9836483</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9838117</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9853043</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9873373</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9883469</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9884603</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9905167</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9989579</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10000759</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10064897</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10114409</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10122389</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10213001</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10214591</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10228861</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10235447</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10344643</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10428001</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10433911</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10438013</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10441523</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10476001</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10514083</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10523977</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10605817</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10650929</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10667479</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10699517</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10731407</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10732091</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10754837</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10773781</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10849837</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10861127</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10893173</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10918459</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10943417</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10944433</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11028001</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11049739</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11057621</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11073793</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11084419</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11113789</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11152859</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11156681</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11230451</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11239903</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11369903</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11369903</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11462177</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11470343</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11504419</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11519971</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11543971</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11559637</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11625619</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11633267</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11661121</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11768401</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11847721</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11909747</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11915809</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11925691</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11928173</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11945093</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11990089</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12010259</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12089663</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12109277</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12231853</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12240667</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12274813</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12319117</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12339689</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12350357</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12358079</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12387329</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12407609</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12407959</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12515033</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12550357</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12599803</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12621067</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12652597</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12705883</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12804707</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12808151</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12824027</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12932669</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12967831</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13046717</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13059269</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13076249</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13128433</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13170671</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13202297</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13227367</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13328803</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13366687</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13371181</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13415921</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13417357</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13424921</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13430423</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13534007</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13561657</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13566431</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13568981</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13587683</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13625263</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13653811</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13655797</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13669967</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13673927</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13755149</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13799299</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13823059</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13865617</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13870601</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13997617</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14013617</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14044937</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14046449</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14086979</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14103413</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14162843</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14217041</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14311291</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14339863</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14340289</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14377679</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14407667</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14423561</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14435203</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14465153</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14466281</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14475521</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14482381</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14535811</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14548939</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14549063</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14588369</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14624459</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14633851</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14650763</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14693927</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14713939</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14738869</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14797501</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14880347</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14910199</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14922409</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14982181</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15005579</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15020413</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15031937</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15103373</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15181499</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15185399</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15209617</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15232961</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15299831</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15365261</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15441739</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15459343</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15470893</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15475193</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15489707</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15501071</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15682181</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15689647</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15689981</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15707093</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15707143</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15748631</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15792169</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15793247</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15798877</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15922301</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15947639</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16032721</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16045049</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16071229</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16080319</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16175597</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16177433</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16177433</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16198717</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16199101</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16212913</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16225283</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16254883</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16312763</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16336267</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16359283</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16405027</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16432721</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16497373</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16593167</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16594681</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16629163</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16632713</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16643707</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16657153</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16679137</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16701907</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16738913</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16755269</span><span class=\"token punctuation\">]</span>\n\nphi <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\nt <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n<span class=\"token comment\"># https://crypto.stackexchange.com/questions/74891/decrypting-multi-prime-rsa-with-e-n-and-factors-of-n-given</span>\n<span class=\"token builtin\">set</span><span class=\"token punctuation\">(</span>primes<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">for</span> p <span class=\"token keyword\">in</span> primes<span class=\"token punctuation\">:</span>\n    t <span class=\"token operator\">*=</span> p\n    <span class=\"token keyword\">if</span> p <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token number\">8725153</span><span class=\"token punctuation\">,</span><span class=\"token number\">11369903</span><span class=\"token punctuation\">,</span><span class=\"token number\">16177433</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        phi <span class=\"token operator\">=</span> phi <span class=\"token operator\">*</span> p <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span>p<span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        phi <span class=\"token operator\">*=</span> <span class=\"token punctuation\">(</span>p<span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">assert</span><span class=\"token punctuation\">(</span>t <span class=\"token operator\">==</span> n<span class=\"token punctuation\">)</span>\nd <span class=\"token operator\">=</span> <span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>e<span class=\"token punctuation\">,</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span>phi<span class=\"token punctuation\">)</span>\n\nlong_to_bytes<span class=\"token punctuation\">(</span><span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">,</span>d<span class=\"token punctuation\">,</span>n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># gctf{maybe_I_should_have_used_bigger_primes}</span></code></pre></div>\n<h2 id=\"soprev\" style=\"position:relative;\"><a href=\"#soprev\" aria-label=\"soprev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SOP(Rev)</h2>\n<blockquote>\n<p>I am sure you know OOP, but do you also know SOP?</p>\n</blockquote>\n<p>When I decompiled the provided ELF file in Ghidra, I found the following <code class=\"language-text\">main</code> function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">bool <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token class-name\">size_t</span> sVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">ssize_t</span> sVar2<span class=\"token punctuation\">;</span>\n  \n  sVar1 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>DAT_000060f0<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  DAT_000061c8 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>sVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>DAT_000061c8 <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    sVar2 <span class=\"token operator\">=</span> <span class=\"token function\">read</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>DAT_000060f0<span class=\"token punctuation\">,</span><span class=\"token number\">0x44</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    DAT_000061c8 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>sVar2<span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> DAT_000061c8 <span class=\"token operator\">!=</span> <span class=\"token number\">0x44</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>However, this function just stores standard input into <code class=\"language-text\">DAT_000060f0</code> and returns whether its length matched <code class=\"language-text\">0x44</code>, so honestly it is hard to tell what it is doing.</p>\n<p>As a first test, I ran the program with 0x44 bytes of input, and it printed the string <code class=\"language-text\">FAIL</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 735px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2350da698f2ef4c56fa11a7c04606b4b/7608e/image-20231128205302329.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 12.916666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAmklEQVQI11XMPQ+CMBgEYDaMCMXFRAWMRqql7dsyIME4qAPO/v8fc9aKX8OT3N1wgS4UqNCwcwliClVqIVPjWK+a1r4rRr4rRzCDNutwLQ64lSec8waXVYve5UAv3dFCws4EKJHD2fNAe7/5TcQKx7zDve6hwzUo3IBGL4FhHCbhsJMSJuKgaOeZqBzwz/7NHHW8R5MK2PH2zwPGU1Vk9KQctwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2350da698f2ef4c56fa11a7c04606b4b/8ac56/image-20231128205302329.webp 240w,\n/static/2350da698f2ef4c56fa11a7c04606b4b/d3be9/image-20231128205302329.webp 480w,\n/static/2350da698f2ef4c56fa11a7c04606b4b/ed0c4/image-20231128205302329.webp 735w\"\n              sizes=\"(max-width: 735px) 100vw, 735px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2350da698f2ef4c56fa11a7c04606b4b/8ff5a/image-20231128205302329.png 240w,\n/static/2350da698f2ef4c56fa11a7c04606b4b/e85cb/image-20231128205302329.png 480w,\n/static/2350da698f2ef4c56fa11a7c04606b4b/7608e/image-20231128205302329.png 735w\"\n            sizes=\"(max-width: 735px) 100vw, 735px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2350da698f2ef4c56fa11a7c04606b4b/7608e/image-20231128205302329.png\"\n            alt=\"image-20231128205302329\"\n            title=\"image-20231128205302329\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I backtracked from the string <code class=\"language-text\">FAIL</code> in Ghidra and found a function that performs the following processing.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 767px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cded223ab99cf3f8a969fe3842fea70a/6c2f2/image-20231128205413351.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 89.58333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAACEklEQVQ4y41Ui5aqMAz0//9SbUFRoO+W0jJ3wN3V3dW79pw5SQsdkkzCTjYtGu8hjIfUHQbToznRby0OI2EtOmOg3Ig8z1jXsix4tXZStuisR2s1oXhZ4zoGGDtBhQSVJriJSJaE+W/CEyMcU4RwBmcSS0YknSeRx+D7XxdWsuXTPuDz2a5tGyhfsb8Y6OjgcoaeMqNKsMn9uviT7PFDW4RN08Doil4l5Dqj1rLh7fUzQikkfCgQg4VQAWejmDrrGCMjT7i6gEuIGAMtxet53vuAjvue54mZ1FrvhMfjcTsIsfBhRaKScS7IhcgVPnFPf+LZ9ox+3N6Zt30p5V7blVAwwpOLOK1f9w4tBVmR8sR61TezvtdyJ6TEURRc+wusO0GqKzpnYVIgacKqwi9hXij8EWEDx3bJ2aM8EeP2Ir7woQNetSIbW4J9C+cSa2i3BnbZoS5russPvCa6pyzE5mhVOV6Wozdi4OhNdiGA7BZkv2y2pDciXAnXtEKYMFGILZByA9sStVCa1SeW+hahZP0KLpyUftDsyQtbRcNG81Hw7/gSAc8Z2YcCE2d56AdY08EZAU1rvEZM6Wkk//057PcHKOXRXVqc9QlXe4UO66/KMfKEuYTNnwvrmuO3NnlKeDgIjMOC0TqYySFFTk3PiTGcBMUJsWXzVztxRP8m3B8pyHzvweUmxlIeUO/2i+xF1v8AASOCOiwCyH8AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cded223ab99cf3f8a969fe3842fea70a/8ac56/image-20231128205413351.webp 240w,\n/static/cded223ab99cf3f8a969fe3842fea70a/d3be9/image-20231128205413351.webp 480w,\n/static/cded223ab99cf3f8a969fe3842fea70a/e0ad8/image-20231128205413351.webp 767w\"\n              sizes=\"(max-width: 767px) 100vw, 767px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cded223ab99cf3f8a969fe3842fea70a/8ff5a/image-20231128205413351.png 240w,\n/static/cded223ab99cf3f8a969fe3842fea70a/e85cb/image-20231128205413351.png 480w,\n/static/cded223ab99cf3f8a969fe3842fea70a/6c2f2/image-20231128205413351.png 767w\"\n            sizes=\"(max-width: 767px) 100vw, 767px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cded223ab99cf3f8a969fe3842fea70a/6c2f2/image-20231128205413351.png\"\n            alt=\"image-20231128205413351\"\n            title=\"image-20231128205413351\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I also found that this function itself is registered at the following location as the callback for the undefined signal <code class=\"language-text\">0x16</code> via <code class=\"language-text\">signal(0x16,Check);</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 384px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/413f17d1e5ac0a04a78772fd12367f54/804b2/image-20231128211201286.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 128.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAaCAYAAAC3g3x9AAAACXBIWXMAAAsTAAALEwEAmpwYAAACrklEQVRIx42ViZaiMBBF+f8/ma+ZHm1E2w0koCjIvojAmxdQm3ZpyTk5CWCur5ZUKXNNg+P8wd5VITbAYV/DFg0sS+5PEKJAlp0hR9M0eDeUr9kMeT5HeT7yILhvcDo1KApwrfhcoarqG/DZ7P+ZomkzHrzy3yt4NvrKlfnXHH6WwogiHNIcZhTDTlKEfHc8plgYOSznBMPiPASw0gT7LIeIE5hhhOJU/lS4mC8Q5DmWQYAtQRsCLQlMEmz4TkQpbM6VH8Pht4Prwjm4OFd0RV2jvjd5vVq3wFUYYpdmLVAQFqYpPC/BVM9gUqHO4Kz3PvTAh0VlUuGGZ4ryTuFycVHYA14V6lI1wVL5mi5x4hi+d4TreT+C0XSbbx8GDO/qDuhfFJhcpU/XVLUltDqXqGnqLcoX2DUsynQyhccDLTDpgHZ68SHfSfO3F6BNIGkPKfTDZAk8pulNoUGgQ8UBQcYdUCpsesBnya5o6gQufbPij68KJTjsAaXJetj58B74cFOmE43A5BsYdnkY9Ey2+b1VzrWpq9+Bk1ahBPZ8+ABMW+BuiMLJpwpPAntBsV4o3A9RONNklN8Abz5MhvnwV2B8iXLAtAmHmEwfdiZ3QTG4Wny+pc0FqLd5OACojlW4UmEcMP/kQd5lBiGWhULeFH4TUYKFH1JhNADIoMRJiaVeQdic/hbbeE9VCc0MeAXjtqKUBMkK8yqhb8DxeIQoKrGaA5YJmJ4JM9i1PttRpZA3hPCYs3/lXraAz88xwvCE5QIQZgPhCUJs1r+AxTZpi4P0n3C9tii8g1JhB1wvgY2ZwQ0O7UFp5rlXVa4V5l2zUkajfx1wBRgmk/fo/Npa3nU+ZTwaIYwKWILtk32jKM6DO9xT4MffD6SsLv2uN6T/vgSqqso2Wj44+100X43/bQbczJdO40YAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/413f17d1e5ac0a04a78772fd12367f54/8ac56/image-20231128211201286.webp 240w,\n/static/413f17d1e5ac0a04a78772fd12367f54/e6f2f/image-20231128211201286.webp 384w\"\n              sizes=\"(max-width: 384px) 100vw, 384px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/413f17d1e5ac0a04a78772fd12367f54/8ff5a/image-20231128211201286.png 240w,\n/static/413f17d1e5ac0a04a78772fd12367f54/804b2/image-20231128211201286.png 384w\"\n            sizes=\"(max-width: 384px) 100vw, 384px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/413f17d1e5ac0a04a78772fd12367f54/804b2/image-20231128211201286.png\"\n            alt=\"image-20231128211201286\"\n            title=\"image-20231128211201286\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 268px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f59f73cc8813c89e92423fd9747ea2d9/484ae/image-20231128221736996.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1klEQVQ4y52T63LaMBBGef8n6Uzfov8JhpKGXLjZxjgYrJttbC46XdMkE0KYNt2ZHcka6fhb7afOz35AtNgwT2rSbMf4AR4fPOuVJw5hNvXMJ5CmFVFUMxnXKFXRhveej9EJgh5Z7nClp6wObLeQ5x5jPFUJ1sq6jHW9x7mDrB9oZH4VOBgMyeMnmdYvS/5KnkcLewW+B3f6vV8kP76x28UvS0e+Eh+hnW73BpUlFFJOOINwDstkx0JHJDYi1Jax1qhtTexKlpKZ3EuiDaVznygM+mhrcQamYy+JXH5zAkaSqdWMNjmRLUiKioVrx4Inpdko1dLOFfZuemijcFaAEy9dhViASx3L4SUrq3jMFaF1AipPwFVVMZcxzdYcj4dz4HA4xIq8VuHsDLhgWTyTOS1qlCh0J4WJgJ7LiomxrNYb/PF4DgyCQErWb8CpeG4R74hVyNyEUvqKOyl5JoBIYLGA2x+Mck26yi4Vtj40sqmQkifjA3Mx8my2xVQK01hsVWDqmlwaYZodtmlO37puKMSgF10OggFZNsXoQppx5Dk9SMnbt1K+Yp0/xu7fM7r7jlb3Fz58Ne/f8rzLXXnL8lL2++3JAdc2/mt0boe3rDf6vw5/Fr8BLZA5ZDiuGowAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f59f73cc8813c89e92423fd9747ea2d9/8ac56/image-20231128221736996.webp 240w,\n/static/f59f73cc8813c89e92423fd9747ea2d9/eb8f9/image-20231128221736996.webp 268w\"\n              sizes=\"(max-width: 268px) 100vw, 268px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f59f73cc8813c89e92423fd9747ea2d9/8ff5a/image-20231128221736996.png 240w,\n/static/f59f73cc8813c89e92423fd9747ea2d9/484ae/image-20231128221736996.png 268w\"\n            sizes=\"(max-width: 268px) 100vw, 268px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f59f73cc8813c89e92423fd9747ea2d9/484ae/image-20231128221736996.png\"\n            alt=\"image-20231128221736996\"\n            title=\"image-20231128221736996\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://sites.uclouvain.be/SystInfo/usr/include/asm-generic/signal.h.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">signal.h</a></p>\n<p>At the same point, signals <code class=\"language-text\">0xe</code> and <code class=\"language-text\">0x15</code> are also registered.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 649px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/13856ac929658953f06c8d4dd035a876/7762d/image-20231128213034604.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 38.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABTklEQVQoz52RUXMbIQyE/f9/Yl8ybeI68dQYhBASnG+zXD1N+1pmNMztwe4ndNLW8KaKlyx4V0PJZ1S54FYTrrUgdUeMwJgD3gv3DomBEoHKWv+qV+w7uHaczDo+eOnSDNknmt7Qe8bVAj8ZcKnKSxPbY0O4YtvGYVipKfcVpNGehsBJSZeVRJKQSSZyhZTvqE0gThp3uDfMGQy6I0IPLVPzOakP2Ohfho2Gvb1C5Re0vsFaouErRvhx0MNIJhhDqSm/G/rSGPDv2mnKlnsnRRfcm6L2erS7SLoJmhdsw0lhrE5DBtBoBR0W+/5XPQnrGogovqWMc21Iie3KGeeS8XK/4YdUGFtcb2WWSGocVOBGkMzqDLlb/jI04wGKVw4ne3AoiYSJFwIf1N51tRmY2yR1puHvc6uE5Xyawif5Y1gKW5YHR0/x8cD/rv3p+Ak29W5hsiTCFgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/13856ac929658953f06c8d4dd035a876/8ac56/image-20231128213034604.webp 240w,\n/static/13856ac929658953f06c8d4dd035a876/d3be9/image-20231128213034604.webp 480w,\n/static/13856ac929658953f06c8d4dd035a876/df8c5/image-20231128213034604.webp 649w\"\n              sizes=\"(max-width: 649px) 100vw, 649px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/13856ac929658953f06c8d4dd035a876/8ff5a/image-20231128213034604.png 240w,\n/static/13856ac929658953f06c8d4dd035a876/e85cb/image-20231128213034604.png 480w,\n/static/13856ac929658953f06c8d4dd035a876/7762d/image-20231128213034604.png 649w\"\n            sizes=\"(max-width: 649px) 100vw, 649px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/13856ac929658953f06c8d4dd035a876/7762d/image-20231128213034604.png\"\n            alt=\"image-20231128213034604\"\n            title=\"image-20231128213034604\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In the callback for signal <code class=\"language-text\">0xe</code>, <code class=\"language-text\">0x15</code> is raised, and in the callback for signal <code class=\"language-text\">0x15</code>, <code class=\"language-text\">0x16</code> is raised.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 489px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e9425c0f7b41ab2b438cb288813cef0d/03e1f/image-20231128213053921.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 92.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAACb0lEQVQ4y61USXLjMAzU/98zf5hPTMnaLFk7F1GbbXUalOXYOSQ5DKtYYJFAs9EAGSTpXyj7B/l5Q10BVUVbX2lXjNMVMrZt+9WUEeR5gf81BDQoCNgvC9S8oJ0mqGmGpe3mGT3XYh3PmnGEpl89ThhoHfcbrnuedfSb1z2boLyUSIcBqbGItEHBdc0Zci17Caci2L++x3lwCJVBR6DKOZzExzKW9tI2uN9vCKqqwoUBOZ3l8MLZDtavc+v8vnIjEgmijXlBzwyEcSY+PJeYsq1xuxGwLEvkvO0sNwkg2TWcEih7EqTJKNIaBf1kXxjWXAt7YZ3T5k25A2ZphowAEhxpi4K2ttYHSsop1z2ZhUpRjveUE+/DS43B+QBMkwznF4Y1g18ZSkqGACe1MxQQzYIcDOU856WXpjoA06eGkl5N2w57qgIoIPpFQ18kr6F7algQsGRRPGAcJ77KciisLo8qR0wj86yt1/BIWSorRam8nrvP+VXDhIA7wx1UKta8VXlgld0bw88q20eVKVlXwJH1U0MJFOeSDo3j2n6pMjUUQOnVo8rpw0cYxm2CVve7htI2EiiAO8P3tlEeSPuUY/2lbURnie0y9EbtKRfjzvCzsXftcg9IDd30BDyxbSTdA9AXhq0THQwFMHPDk6HvQ2p4FMW3CQFKa2DXlW93xsh3OzzWhu/a8D2rUWGcJwTRKeL3dUfY9gw2XnwBLfh2G6NhGbBcr/6d/mZ4hrftjnYeeeNKu2BgFVuykl9Efhf5iRzPr7crth/+xyAMQzBDGH1jw3Zw0/jjn/ctwziO+EMDYbhQfIuVLITGd7/yd6Afl5qzhdyUo3YAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e9425c0f7b41ab2b438cb288813cef0d/8ac56/image-20231128213053921.webp 240w,\n/static/e9425c0f7b41ab2b438cb288813cef0d/d3be9/image-20231128213053921.webp 480w,\n/static/e9425c0f7b41ab2b438cb288813cef0d/6a0ac/image-20231128213053921.webp 489w\"\n              sizes=\"(max-width: 489px) 100vw, 489px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e9425c0f7b41ab2b438cb288813cef0d/8ff5a/image-20231128213053921.png 240w,\n/static/e9425c0f7b41ab2b438cb288813cef0d/e85cb/image-20231128213053921.png 480w,\n/static/e9425c0f7b41ab2b438cb288813cef0d/03e1f/image-20231128213053921.png 489w\"\n            sizes=\"(max-width: 489px) 100vw, 489px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e9425c0f7b41ab2b438cb288813cef0d/03e1f/image-20231128213053921.png\"\n            alt=\"image-20231128213053921\"\n            title=\"image-20231128213053921\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In other words, it seemed likely that once <code class=\"language-text\">SIGTERM</code> is triggered somewhere, a chain of processing begins and the flag is checked at the end.</p>\n<p>I could not follow this chain properly while attaching <code class=\"language-text\">gdb</code>, so I used <code class=\"language-text\">ltrace</code> instead.</p>\n<p>That let me observe the behavior: it starts from <code class=\"language-text\">SIGSEGV</code>, passes through several signals, and finally prints <code class=\"language-text\">FAIL</code>, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/acb316193562f2bc2ac92d923f7fc03f/c23ad/image-20231128215420348.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 84.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACg0lEQVQ4y3VUaVvaYBDMN7V4Vu1l64HITcKVAIncInIUOTwrtv//V0x3lqOUBz7s8yZPspOZ2dkYXbuJYamHtlVHL9PFyB2geO4huhlE3BdGYjsC5zCO3McYsrthFI4TSH4IwNq61HO5jHFxiPH1AJ1wGYPULZ5zXVS+Z6U5hNxBFM5+BPZeBFkpgtbOc2vBFPDeauBP7Qnj8gi/q494Kw7w67qPTqyKZrCI+nketbMcqqcObgOeMDRhbf4DXAY3uvEaHp0uXgo9jEtD8AOdaBWNSw/VM0dOF8WvaZS+ZbQhsXEBk7Xpn4MtghqDdFNYDfFgt/FeeRDZTdQvCiiLbLLhmT+KI7MTQnIrgAx9PErAOYitZkhpBHtx7zHKtlQai17Rs0UWLD67/pKSj6wejkFZlPsuHnYFnC/nZKqLHs2K995nayJ7neRnASNgz7zBq9dX2ZVTW5sWvzxr4gc5FK1VgE8Sk1GmhbtQSadYOpmYP2OwXK74Sivs/ehqyX3J3pvkkOwYG/p5J3EhcF6kp3xX82Jzdi8sU0/BFekrASl1mLlT2cwgB8Opk3H9Io+G39VBpDllaeC0zQ3/eg/58qPdkQyOVDIbHNkQez+ibBgRXs/CXPlhK9ukb82m/EzU8SqRYWzIkGzZRJ8IPgnyhA1ZuZ/MeXSWU8BSyQ/CkKBcP0pmuMmWWUtvB7VSWlf/Nau329Oa+mwMZcKv3gSMO0ywdqSiQ+GW6Nrx+iSr542/oM9b8jPhPVeyLCcZswwC9GV/+2ZDp0tJ+cOY7qslEs1ZHsUzXmtkxGP+fWY2LJZxE3BRD3m4jZaRP7Zg7YT1P2j5gjClkrtR3d/U1PTF5lVD+Qvq9gMocOBecQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/acb316193562f2bc2ac92d923f7fc03f/8ac56/image-20231128215420348.webp 240w,\n/static/acb316193562f2bc2ac92d923f7fc03f/d3be9/image-20231128215420348.webp 480w,\n/static/acb316193562f2bc2ac92d923f7fc03f/e46b2/image-20231128215420348.webp 960w,\n/static/acb316193562f2bc2ac92d923f7fc03f/1d5af/image-20231128215420348.webp 1193w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/acb316193562f2bc2ac92d923f7fc03f/8ff5a/image-20231128215420348.png 240w,\n/static/acb316193562f2bc2ac92d923f7fc03f/e85cb/image-20231128215420348.png 480w,\n/static/acb316193562f2bc2ac92d923f7fc03f/d9199/image-20231128215420348.png 960w,\n/static/acb316193562f2bc2ac92d923f7fc03f/c23ad/image-20231128215420348.png 1193w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/acb316193562f2bc2ac92d923f7fc03f/d9199/image-20231128215420348.png\"\n            alt=\"image-20231128215420348\"\n            title=\"image-20231128215420348\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Now, even though I still did not understand the fine details of the implementation, I could see that the last line compares whether <code class=\"language-text\">(&amp;DAT_00406220)[local_170] == local_58[local_170]</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 449px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/56318ccbea0ad5303529a3b3802b7229/053a9/image-20231128222613963.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 85.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACz0lEQVQ4y41TWW/TQBj0v+cB/kCrVm1zOb69PhIKSEAPkBAPtIUeqC8IeoW0jmM7juMkw9huSlVVFH2azMbenf2OsbSdKvg8eka8wKf4Od7GNrxkF378Hl68hU70DlvTbXzEB+wyduY7+FdIjaGO1Z6M+qCOjcEammETq4GG5YGJ1dDE8o2OdqpDnSgwchOCYc/tCo+E1O6/xtLxDlpXAk5ShxM1oNy0sBbqqA01NIYW1NRGK27BHFnwGd7cq/BISEZko3lmQg9kWFENRtyGyAwYmQZtrMKZ2OhQpFv+enDnbnV0wQ8F9ciFmajcYMCZuhCzYqPP41UUGRUiC3i3oo/LUdCZ+pD7XVhjwaMsaU6eOhATAStnV4hKzHsSRRskLnnYQ6tH4UsDWtCAHK6hHjawHq+hzRZU+TyNIqSiFyyKDe9ACV5BTwWnKkMeaFB+8PnPLpxhF6K/CXH9Ek7I/wF5QE465VoQ7rgallSmSkE92oR840BPtHIAnWkXXsSNcRduyisjckwBXuwUTDE38yvRYp3flUy5qQ0xNskW3JkFwR4uyvTLERW7nP8ruShXZC7kC4M9tCH/NqGGdT7TeasFY2zAyux70/6foVCw3TOg9G20+xb92IKgJ0XchDLgV8RBaalW+RC39lmY+wHYQ4dmprnPbRiRCjGqw05asIY1mENmyrU6bKBF42uJDpGLv158iMKHxZRFKdAmmqWQG2+w8XzGC4oh+fNigix55pal+6Xh78O/Y8mdMcNQhRkqhAyF2aosuT6ooTmgJ5mdPuZnmWtQRypL596sXUJPC+a5icp3CiwOVFJCB8unb7B+4WClv4KloM7SfexPTrE3PsJxto+TyRd8zw9wmB3iOP9W/j/J9nCU7pdcvPuaHOBkdgLpanKN8yTAZdbDeX6GCyLIb4AUyH4B4zNgHgJ5D5j2gVlAvibISG7XBDJiDvwBEXSAyfHn20AAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/56318ccbea0ad5303529a3b3802b7229/8ac56/image-20231128222613963.webp 240w,\n/static/56318ccbea0ad5303529a3b3802b7229/57bab/image-20231128222613963.webp 449w\"\n              sizes=\"(max-width: 449px) 100vw, 449px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/56318ccbea0ad5303529a3b3802b7229/8ff5a/image-20231128222613963.png 240w,\n/static/56318ccbea0ad5303529a3b3802b7229/053a9/image-20231128222613963.png 449w\"\n            sizes=\"(max-width: 449px) 100vw, 449px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/56318ccbea0ad5303529a3b3802b7229/053a9/image-20231128222613963.png\"\n            alt=\"image-20231128222613963\"\n            title=\"image-20231128222613963\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><code class=\"language-text\">local_58</code> stores the 0x44-byte sequence defined at <code class=\"language-text\">DAT_00404050</code>.</p>\n<p>In other words, it appears that the flag is an input whose transformed result in <code class=\"language-text\">DAT_00406220</code> matches the byte sequence in <code class=\"language-text\">DAT_00404050</code>.</p>\n<p>Tracing the code back a little, we can see that the values written into the region containing <code class=\"language-text\">DAT_00406220</code> are taken from the region starting at <code class=\"language-text\">DAT_00406140</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 444px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/68cff086de3b6587b14dc12825beb6f0/9b7bd/image-20231129004742143.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 102.50000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAAsTAAALEwEAmpwYAAADWklEQVQ4y21VWXLrOBDz/S8w3zOHmUu8vFgLtYukuGi3ggEp2Z5KnqsYle02CKDRnZvIC7hpQmYtOj6F8+jGEdM0omoeEP0Hqulv1PIfFOVfrPkXxwE8+Of4+sLXdcIrPG8iE5AESAhYECzlqfUA4wZ0Pd+XE5qugCgHpF3NiyVKN/LpoMcZbrQYeI5wC1+3PM0iYMqCkmA5i2utoa2GlA55taLvNESxE5DvnYsqPgaDnrXG8yKdwZBQBMySFL33+DQ2AibWo1QKg9NQKjBckPZkpclqsKwzJDBh3Hes+wP7Y4dfPdZtfQIGhj4WPhm+AcfIsOoV8pY+K0slFq0f6SXlLivmZca8rm8Ps2+Ss+ihjoBSngz7TiIXK9LW8EL7ktzyGbzOBzaWKiPDIhc/AJurKf3lYRkkd/ObISX388VwnZmKDp6pOCWnp4f3y8PQ5SDZ+DfDPEhWE5mcgIqAbtuwbDu2faOPZ4cZoLMpgeHvy8PAsKJkaSSsnQg4o201qpoMm9CUIUoOTazpt/OO0jtm2Z8e5mnOG/8fG0q2/JESmPi5qMmscqjpn6gm3GlHQUWhtgrdZhZb37C+xE7Gt/Se/GyK0ZSYw7sAFFjyc7KuyTgjs4KyPTu7Msz74xFlP47HyTD5vKMn4N1eHjKHFQFTmUaGZRMY8pKW3axm/FYaJWMjSECQqWN8esOmzGPIzRvw6eF3wIoMi9qjbSiVfn5IFW0Jo5fwWEpuXMP6DOuynZLVNcuv0TMhWwKWmet62lFQdhg/TkvOupxAiotkiXJ3zNuMcZ1wsNuvLn/3sLQVBgIr5ehhmBaJSi5IpImgIYsNQT2zGDbTvCxnDtMkeW2bp+TI0OQY2G0Z53lF10oITstno18L4henRfoJ2ikkKoMnzh88dKgGzUVwAmrKDIAijF83RYaJNZyOc1pG+jZTbus7jPPEHGb5Dw+byFBEwLAgkmKBYDNqM8eNE6ZFT+fGWXg2bprjmpY/evgEVEZBybfkolhxb0OwHZfxiF8Mec8IBcnlUGNhNm/J/cqhuTZ2iA0li4thWLIJgeq2R1Et+OyGyDBubXo5MDZ2smcqmMu4sQP9OHL0peCNLT2qXMUCC2P4Xb0iJ5vwfQAq+cPx6urz/8rxdcTnf+CkOuwbfjuiAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/68cff086de3b6587b14dc12825beb6f0/8ac56/image-20231129004742143.webp 240w,\n/static/68cff086de3b6587b14dc12825beb6f0/ced2a/image-20231129004742143.webp 444w\"\n              sizes=\"(max-width: 444px) 100vw, 444px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/68cff086de3b6587b14dc12825beb6f0/8ff5a/image-20231129004742143.png 240w,\n/static/68cff086de3b6587b14dc12825beb6f0/9b7bd/image-20231129004742143.png 444w\"\n            sizes=\"(max-width: 444px) 100vw, 444px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/68cff086de3b6587b14dc12825beb6f0/9b7bd/image-20231129004742143.png\"\n            alt=\"image-20231129004742143\"\n            title=\"image-20231129004742143\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Tracing accesses to that region back further, we can see that each byte is repeatedly XORed at the following location.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 542px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6238b42b83b98556b8c42a7615397154/c0388/image-20231129005325287.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 90.41666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAACLklEQVQ4y41Ui5KjMAzr/3/kXQslvCGE8CygldPQ0uvu9jLjCQ6xLFuGU5o3MAaoq43GvV6h6xnzvMKtbcOPi+82/37fT1VVHw78S9wv7rZuP/gP3GfSU1ZrRF2Ha2uRdD1y0g3b1vmZ+NwjaxGYFuUwoHJ3W97h/cZgmudXhjkBQwZcjUVsO2QElGAXwOCMu4A7wH5gEusTdoiqEm1vXwGFYeADhElKwIuz1iVIGRzQzmST9z1Sz/ZCAkGRo7HmFTAtK8S8qKRE7qUlMJ8VwQoyKslSnuWsHkYU9CVxzHbEVPGNYZTmCHjhQgZSYto0js25aZHSTzzbvzyr2MOECeWuMAyLAqZrH4BiJ5XliMgs8gwL27oeiZ87nyLYex8rMsy9gBHPFXtojwwFMEozKAaGvme7yiEZJCKSV1xYSgsyDy6iiSjGHhmy5CsBA9/oXWUpWfxdZQE7e0AR5eImgYC6gqoVlmV9gJ7ivHiZQ1eyOczhgZH0UMbGlcyxUQ0FrWMst+UJKAyvBLw0974lWh/GRsaodc9/dOMSCMNdtLAuEJQhbvMBUGVk2HdubFLH0D6aLn5l72KI2WmGmSbvT9CM053GeixZxQWUHjgW2mUOaYrzlXB89DhhJMC6rvi0HnNYFiWG5YZ6HGkTen6bzTjQJgc40J/m6WXWvrOnKHEOioWKfTODwbZub7+o41h8BlQZ+ElCNyN/S8vHgO23/6OUXLBkT+WtH/8C/s/6Avf2cVaZARWPAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6238b42b83b98556b8c42a7615397154/8ac56/image-20231129005325287.webp 240w,\n/static/6238b42b83b98556b8c42a7615397154/d3be9/image-20231129005325287.webp 480w,\n/static/6238b42b83b98556b8c42a7615397154/3f954/image-20231129005325287.webp 542w\"\n              sizes=\"(max-width: 542px) 100vw, 542px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6238b42b83b98556b8c42a7615397154/8ff5a/image-20231129005325287.png 240w,\n/static/6238b42b83b98556b8c42a7615397154/e85cb/image-20231129005325287.png 480w,\n/static/6238b42b83b98556b8c42a7615397154/c0388/image-20231129005325287.png 542w\"\n            sizes=\"(max-width: 542px) 100vw, 542px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6238b42b83b98556b8c42a7615397154/c0388/image-20231129005325287.png\"\n            alt=\"image-20231129005325287\"\n            title=\"image-20231129005325287\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The initial contents of the region from <code class=\"language-text\">DAT_00406140</code> onward appear to be empty.</p>\n<p>So, although the details were still unclear at this point, I guessed that XORing the flag with some key would produce the byte sequence at <code class=\"language-text\">DAT_00404050</code>.</p>\n<p>To confirm this, I decided to inspect the data that ends up stored in <code class=\"language-text\">DAT_00406220</code> after the input is transformed.</p>\n<p>Since <code class=\"language-text\">gdb</code> was not working well, I inspected the contents of <code class=\"language-text\">DAT_00406220</code> by rewriting the arguments to the <code class=\"language-text\">printf</code> function that prints <code class=\"language-text\">FAIL</code>. (Using Frida might be easier.)</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/d6b80/image-20231129005730854.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA7klEQVQY002Q644CIQyF5/2fcXf/qaDOqAiU+2chMdmS0hJOT9uz/fxduN4HD1c4Xp6z9bjQyG2QKkjpSG4rauB8MRz7G0mRkANjDKYNxrq3x+HwflCkEkLlOJQsdXrvCzxjrY3W2io0xiheiCkTfaYJtDRoWSm7EtZStWDgXCJJoeh7dqqtIjURi1B75WvWWsV6gpKm5Egl8982a3btiHohxsTzlRHpa4V5Jtmc7ruaMZb77aby/OL8nZSF3iamLsx2u+5KopO8I89HwJrAW3MRIeesU+tfjCufBafTiX13queLHDsltiXX9K4rfwAMyIVfT3Y1aQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/8ac56/image-20231129005730854.webp 240w,\n/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/d3be9/image-20231129005730854.webp 480w,\n/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/e46b2/image-20231129005730854.webp 960w,\n/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/b9f23/image-20231129005730854.webp 1393w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/8ff5a/image-20231129005730854.png 240w,\n/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/e85cb/image-20231129005730854.png 480w,\n/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/d9199/image-20231129005730854.png 960w,\n/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/d6b80/image-20231129005730854.png 1393w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3ac2c86007d9e758e9c6e2cc5d0fe3d8/d9199/image-20231129005730854.png\"\n            alt=\"image-20231129005730854\"\n            title=\"image-20231129005730854\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I made the actual patch as follows.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 432px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/94052226d0cf96d821808a854f2ced97/0e0c3/image-20231129010005244.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 29.166666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABD0lEQVQY043OzUoCYRTG8bmqoEW1DJI2rbuQ1kItiqJFV9A11ELFIgtSGcZFVOh8hZMfo6ONMuo748z8exsI2igd+J3D4cDDUYximeD1BUyDyXONZqFMX067fI9ZumPSaIBlkBqt9Syd+P0N5ehaY/dU5eBSI3ehsX+ukjursyftHNfYzFfZOqmvtS1t5OscXqkoFbPHje5SsoYUpYLpZYrWmFt9xENb8OREPDrhWhVnSbUdoPjTPoulRyBcgnDAPBqxiDxENM5AzL8rCVE6gy7u1KPnuwyzOcCdDBnNvvBmPl7gE8YxSSqjZVslkXnzhUD5sG1sy6bb6fDZdmg19WxPfhL+VJqmKx/7vQkh+AZ40ayegefqcwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/94052226d0cf96d821808a854f2ced97/8ac56/image-20231129010005244.webp 240w,\n/static/94052226d0cf96d821808a854f2ced97/0bafe/image-20231129010005244.webp 432w\"\n              sizes=\"(max-width: 432px) 100vw, 432px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/94052226d0cf96d821808a854f2ced97/8ff5a/image-20231129010005244.png 240w,\n/static/94052226d0cf96d821808a854f2ced97/0e0c3/image-20231129010005244.png 432w\"\n            sizes=\"(max-width: 432px) 100vw, 432px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/94052226d0cf96d821808a854f2ced97/0e0c3/image-20231129010005244.png\"\n            alt=\"image-20231129010005244\"\n            title=\"image-20231129010005244\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I fed the patched program <code class=\"language-text\">0x44</code> bytes of <code class=\"language-text\">A</code> as input, it printed the byte sequence stored in <code class=\"language-text\">DAT_00406220</code> as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 690px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e37fd1f28a004304f5a7ae7e59e928ff/1e043/image-20231129010158612.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLklEQVQY0z2OS0/CQBSFu1UXuhASCZGAPCu0tKVQS6FTHpZOC5EIlRRpaiCi7Pj/i+N0jC6+fPdkZs4dQc430S7KUKsq1LIC9U5i6BgUupiJQ/jSCLTlwCkZGJdNGDkZ0nUFWvaRo942oGVE7hRhT99x3p6wm4RIphskE8Y0wgfz0Y/xSXc4uFscaYz9c8T5nid47XhYKi7ejAXCXoCYrDAq9CAc3Ajn8AtBc8QPVjpll+Z8DpnX3eA/r7s+NuYCkfUCcq/DzncwLhoY5FToNw20L8sQ4uErTkGCoGZj2ZoiZI9W2gxebQi3OgBt2PBFh8++SFgm8Oo2L3ErFv+VmZXxlJFYqQhhrDnwCEVfsdCX+iB1C2aJoJeR2cYHyBe/pNv/rFxVOGlJmjksp/4B4xCoGM/XT74AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e37fd1f28a004304f5a7ae7e59e928ff/8ac56/image-20231129010158612.webp 240w,\n/static/e37fd1f28a004304f5a7ae7e59e928ff/d3be9/image-20231129010158612.webp 480w,\n/static/e37fd1f28a004304f5a7ae7e59e928ff/8efd0/image-20231129010158612.webp 690w\"\n              sizes=\"(max-width: 690px) 100vw, 690px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e37fd1f28a004304f5a7ae7e59e928ff/8ff5a/image-20231129010158612.png 240w,\n/static/e37fd1f28a004304f5a7ae7e59e928ff/e85cb/image-20231129010158612.png 480w,\n/static/e37fd1f28a004304f5a7ae7e59e928ff/1e043/image-20231129010158612.png 690w\"\n            sizes=\"(max-width: 690px) 100vw, 690px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e37fd1f28a004304f5a7ae7e59e928ff/1e043/image-20231129010158612.png\"\n            alt=\"image-20231129010158612\"\n            title=\"image-20231129010158612\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I then XORed the recovered byte sequence with <code class=\"language-text\">A</code> to restore the key, and XORed that with the byte sequence hardcoded at <code class=\"language-text\">DAT_00404050</code>, which yielded the correct flag as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/155b1f23529d2a1699f1d58679040f03/0c3d0/image-20231129004635690.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/ElEQVQoz42Pi07DMAxF+/8fhxBCUFTK1rK+kqxdl0cfaXJxA600iQksHdmy7Ovr6KNIwK4VzppBqCbkANWt5kjyGFmZoe06KC2J6w2aemZQGCYTiI48hTA12oGBqxpFf0QjC3BdImZPeGEPdKiGtw7OzrDWYpkt7ArVjvDOYYsoZTFKmaFSOfGJ/PKO0+VAvSMS8YyYP5LjJgx7/B1R1Z7A+xqib9APHbgkt1qgH1sczm9I21d0RpALEvT+Vxw53IjGcaTL1KQNH/A/+bteQ0oJIQSMMVBKhay13vOqMU1TIAje+2cTXJaFhud9aZ7nG1Znm9td8N47G/+NL9oXH4LJlBljAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/155b1f23529d2a1699f1d58679040f03/8ac56/image-20231129004635690.webp 240w,\n/static/155b1f23529d2a1699f1d58679040f03/d3be9/image-20231129004635690.webp 480w,\n/static/155b1f23529d2a1699f1d58679040f03/e46b2/image-20231129004635690.webp 960w,\n/static/155b1f23529d2a1699f1d58679040f03/1a117/image-20231129004635690.webp 1414w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/155b1f23529d2a1699f1d58679040f03/8ff5a/image-20231129004635690.png 240w,\n/static/155b1f23529d2a1699f1d58679040f03/e85cb/image-20231129004635690.png 480w,\n/static/155b1f23529d2a1699f1d58679040f03/d9199/image-20231129004635690.png 960w,\n/static/155b1f23529d2a1699f1d58679040f03/0c3d0/image-20231129004635690.png 1414w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/155b1f23529d2a1699f1d58679040f03/d9199/image-20231129004635690.png\"\n            alt=\"image-20231129004635690\"\n            title=\"image-20231129004635690\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p><code class=\"language-text\">SOP</code> was a very interesting challenge.</p>\n<p>It is an easy challenge if you can analyze the binary dynamically, but perhaps because each step is invoked via signals, I could not analyze it well with debuggers such as <code class=\"language-text\">gdb</code>.</p>\n<p>I suspect the intended solution was to continue the dynamic analysis while hooking the signals with something like Frida, so I would like to try that alternative approach as well.</p>","fields":{"slug":"/ctf-gracier-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/crypto-en/","/tag/english/"]},"frontmatter":{"date":"2023-11-29","description":"This is a writeup for Gracier CTF 2023.","tags":["CTF (en)","Rev (en)","Crypto (en)","English"],"title":"Gracier CTF 2023 Writeup","socialImage":{"publicURL":"/static/3bdb187066373d1ef52b880c8264d733/ctf-gracier-2023.png"}}}},"pageContext":{"slug":"/ctf-gracier-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}