{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-greycat-ctf-2023-en","result":{"data":{"markdownRemark":{"id":"ab7dc558-54a9-584e-9968-e92d28fbcb62","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-greycat-ctf-2023\">original page</a>.</p>\n</blockquote>\n<p>I took part in Greycat CTF, which started on 5/19.</p>\n<p>This time our team members’ schedules did not line up, so we participated casually and finished in 131st place.</p>\n<p>I’ll keep this write-up brief.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#web-assemblyrev\">Web-Assembly(Rev)</a></li>\n<li><a href=\"#reservicerev\">ReService(Rev)</a></li>\n</ul>\n<h2 id=\"web-assemblyrev\" style=\"position:relative;\"><a href=\"#web-assemblyrev\" aria-label=\"web assemblyrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 
6z\"></path></svg></a>Web-Assembly(Rev)</h2>\n<blockquote>\n<p>Handwriting assembly code is a bad idea…</p>\n</blockquote>\n<p>The challenge binary was accompanied by the following JavaScript code.</p>\n<p>The function <code class=\"language-text\">wasmModule.instance.exports.check()</code> that validates the flag appears to be implemented in WebAssembly.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">const</span> readline <span class=\"token operator\">=</span> <span class=\"token function\">require</span><span class=\"token punctuation\">(</span><span class=\"token string\">'readline'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">const</span> rl <span class=\"token operator\">=</span> readline<span class=\"token punctuation\">.</span><span class=\"token function\">createInterface</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span>\n  <span class=\"token literal-property property\">input</span><span class=\"token operator\">:</span> process<span class=\"token punctuation\">.</span>stdin<span class=\"token punctuation\">,</span>\n  <span class=\"token literal-property property\">output</span><span class=\"token operator\">:</span> process<span class=\"token punctuation\">.</span>stdout\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\nrl<span class=\"token punctuation\">.</span><span class=\"token function\">question</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Gimme something: '</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">flag</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token 
punctuation\">{</span>\n    <span class=\"token keyword\">const</span> wasmBinBuf <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">Uint8Array</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">97</span><span class=\"token punctuation\">,</span> <span class=\"token number\">115</span><span class=\"token punctuation\">,</span> <span class=\"token number\">109</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">96</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">127</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">106</span><span class=\"token punctuation\">,</span> <span class=\"token number\">115</span><span class=\"token punctuation\">,</span> <span 
class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">109</span><span class=\"token punctuation\">,</span> <span class=\"token number\">101</span><span class=\"token punctuation\">,</span> <span class=\"token number\">109</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">99</span><span class=\"token punctuation\">,</span> <span class=\"token number\">104</span><span class=\"token punctuation\">,</span> <span class=\"token number\">101</span><span class=\"token punctuation\">,</span> <span class=\"token number\">99</span><span class=\"token punctuation\">,</span> <span class=\"token number\">107</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">10</span><span class=\"token punctuation\">,</span> <span class=\"token number\">122</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">120</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">127</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">112</span><span class=\"token punctuation\">,</span> <span class=\"token number\">14</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">137</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">59</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> 
<span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">41</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">255</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">40</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">113</span><span class=\"token punctuation\">,</span> <span class=\"token number\">108</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">255</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">113</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">192</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">106</span><span class=\"token punctuation\">,</span> <span class=\"token number\">40</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">255</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">113</span><span class=\"token punctuation\">,</span> <span class=\"token number\">115</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">70</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">108</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">106</span><span class=\"token punctuation\">,</span> <span class=\"token number\">33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">46</span><span class=\"token punctuation\">,</span> <span class=\"token number\">72</span><span class=\"token punctuation\">,</span> <span class=\"token number\">13</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">const</span> wasmMem <span class=\"token operator\">=</span> <span class=\"token 
keyword\">new</span> <span class=\"token class-name\">WebAssembly<span class=\"token punctuation\">.</span>Memory</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token literal-property property\">initial</span><span class=\"token operator\">:</span> <span class=\"token number\">10</span><span class=\"token punctuation\">,</span> <span class=\"token literal-property property\">maximum</span><span class=\"token operator\">:</span> <span class=\"token number\">100</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">var</span> strBuf <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">TextEncoder</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">encode</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">.</span><span class=\"token function\">slice</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">64</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> memBuf <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">Uint8Array</span><span class=\"token punctuation\">(</span>wasmMem<span class=\"token punctuation\">.</span>buffer<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">let</span> i <span class=\"token operator\">=</span> <span class=\"token 
number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> strBuf<span class=\"token punctuation\">.</span>length<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        memBuf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> strBuf<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    data <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">121</span><span class=\"token punctuation\">,</span> <span class=\"token number\">66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">71</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">229</span><span class=\"token punctuation\">,</span> <span class=\"token number\">176</span><span class=\"token punctuation\">,</span> <span class=\"token number\">150</span><span class=\"token punctuation\">,</span> <span class=\"token number\">150</span><span class=\"token punctuation\">,</span> <span class=\"token number\">43</span><span class=\"token punctuation\">,</span> <span class=\"token number\">107</span><span class=\"token punctuation\">,</span> <span class=\"token number\">209</span><span class=\"token punctuation\">,</span> <span class=\"token number\">212</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">217</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">222</span><span class=\"token punctuation\">,</span> <span class=\"token number\">129</span><span class=\"token punctuation\">,</span> <span class=\"token number\">189</span><span class=\"token punctuation\">,</span> <span class=\"token number\">55</span><span class=\"token punctuation\">,</span> <span class=\"token number\">185</span><span class=\"token punctuation\">,</span> <span class=\"token number\">82</span><span class=\"token punctuation\">,</span> <span class=\"token number\">127</span><span class=\"token punctuation\">,</span> <span class=\"token number\">229</span><span class=\"token punctuation\">,</span> <span class=\"token number\">47</span><span class=\"token punctuation\">,</span> <span class=\"token number\">45</span><span class=\"token punctuation\">,</span> <span class=\"token number\">178</span><span class=\"token punctuation\">,</span> <span class=\"token number\">252</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">107</span><span class=\"token punctuation\">,</span> <span class=\"token number\">43</span><span class=\"token punctuation\">,</span> <span class=\"token number\">31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">114</span><span class=\"token punctuation\">,</span> <span class=\"token number\">20</span><span class=\"token punctuation\">,</span> <span class=\"token number\">97</span><span class=\"token punctuation\">,</span> <span class=\"token number\">229</span><span class=\"token punctuation\">,</span> <span class=\"token number\">185</span><span class=\"token punctuation\">,</span> <span class=\"token number\">237</span><span class=\"token punctuation\">,</span> <span class=\"token number\">55</span><span class=\"token punctuation\">,</span> <span class=\"token number\">252</span><span class=\"token punctuation\">,</span> <span class=\"token number\">87</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">168</span><span class=\"token punctuation\">,</span> <span class=\"token number\">75</span><span class=\"token punctuation\">,</span> <span class=\"token number\">222</span><span class=\"token punctuation\">,</span> <span class=\"token number\">121</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>\n\n    <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">let</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> data<span class=\"token punctuation\">.</span>length<span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        memBuf<span class=\"token punctuation\">[</span>i <span class=\"token operator\">+</span> <span class=\"token number\">64</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> data<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> \n    <span class=\"token punctuation\">}</span>\n\n    WebAssembly<span class=\"token punctuation\">.</span><span class=\"token function\">instantiate</span><span class=\"token punctuation\">(</span>wasmBinBuf<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span><span class=\"token literal-property property\">js</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">{</span><span class=\"token literal-property property\">mem</span><span class=\"token operator\">:</span> wasmMem<span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">wasmModule</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n        result <span class=\"token operator\">=</span> wasmModule<span class=\"token punctuation\">.</span>instance<span class=\"token punctuation\">.</span>exports<span class=\"token punctuation\">.</span><span class=\"token function\">check</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>result<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            console<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Correct flag!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n            console<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"?\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    rl<span class=\"token punctuation\">.</span><span class=\"token function\">close</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span></code></pre></div>\n<p>The WebAssembly code to be loaded was defined as the byte array in <code class=\"language-text\">wasmBinBuf</code>, so I decoded it with CyberChef and saved it as a <code class=\"language-text\">.wasm</code> file.</p>\n<p>Next, I decompiled the obtained wasm file with Ghidra and got the following function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> export<span class=\"token operator\">::</span><span class=\"token function\">check</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  uint <span class=\"token operator\">*</span>puVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> iVar2<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> iVar3<span class=\"token punctuation\">;</span>\n  uint uVar4<span class=\"token punctuation\">;</span>\n  \n  puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>uint <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">;</span>\n  iVar3 <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n    uVar4 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>uint<span class=\"token punctuation\">)</span>puVar1 <span class=\"token operator\">%</span> <span class=\"token number\">4</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>uVar4 <span class=\"token operator\">==</span> <span class=\"token 
number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      iVar2 <span class=\"token operator\">=</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>uVar4 <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      iVar2 <span class=\"token operator\">=</span> <span class=\"token number\">0x29</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>uVar4 <span class=\"token operator\">==</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      iVar2 <span class=\"token operator\">=</span> <span class=\"token number\">0x3b</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n      iVar2 <span class=\"token operator\">=</span> <span class=\"token number\">0x109</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    iVar3 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>uint<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>iVar2 <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>puVar1 <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token 
punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token punctuation\">(</span>puVar1<span class=\"token punctuation\">[</span><span class=\"token number\">0x10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> iVar3<span class=\"token punctuation\">;</span>\n    puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>uint <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>puVar1 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>puVar1 <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x2e</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> iVar3<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Since the byte array used for flag verification was defined as <code class=\"language-text\">data</code> in JavaScript, I wrote the following solver to recover the flag from it.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre 
class=\"language-python\"><code class=\"language-python\">base <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">121</span><span class=\"token punctuation\">,</span> <span class=\"token number\">66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">71</span><span class=\"token punctuation\">,</span> <span class=\"token number\">65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">229</span><span class=\"token punctuation\">,</span> <span class=\"token number\">176</span><span class=\"token punctuation\">,</span> <span class=\"token number\">150</span><span class=\"token punctuation\">,</span> <span class=\"token number\">150</span><span class=\"token punctuation\">,</span> <span class=\"token number\">43</span><span class=\"token punctuation\">,</span> <span class=\"token number\">107</span><span class=\"token punctuation\">,</span> <span class=\"token number\">209</span><span class=\"token punctuation\">,</span> <span class=\"token number\">212</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">217</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">,</span> <span class=\"token number\">222</span><span class=\"token punctuation\">,</span> <span class=\"token number\">129</span><span class=\"token punctuation\">,</span> <span class=\"token number\">189</span><span class=\"token punctuation\">,</span> <span class=\"token number\">55</span><span class=\"token punctuation\">,</span> <span class=\"token number\">185</span><span class=\"token punctuation\">,</span> <span class=\"token number\">82</span><span class=\"token punctuation\">,</span> <span class=\"token number\">127</span><span class=\"token punctuation\">,</span> <span class=\"token number\">229</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">47</span><span class=\"token punctuation\">,</span> <span class=\"token number\">45</span><span class=\"token punctuation\">,</span> <span class=\"token number\">178</span><span class=\"token punctuation\">,</span> <span class=\"token number\">252</span><span class=\"token punctuation\">,</span> <span class=\"token number\">11</span><span class=\"token punctuation\">,</span> <span class=\"token number\">107</span><span class=\"token punctuation\">,</span> <span class=\"token number\">43</span><span class=\"token punctuation\">,</span> <span class=\"token number\">31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">114</span><span class=\"token punctuation\">,</span> <span class=\"token number\">20</span><span class=\"token punctuation\">,</span> <span class=\"token number\">97</span><span class=\"token punctuation\">,</span> <span class=\"token number\">229</span><span class=\"token punctuation\">,</span> <span class=\"token number\">185</span><span class=\"token punctuation\">,</span> <span class=\"token number\">237</span><span class=\"token punctuation\">,</span> <span class=\"token number\">55</span><span class=\"token punctuation\">,</span> <span class=\"token number\">252</span><span class=\"token punctuation\">,</span> <span class=\"token number\">87</span><span class=\"token punctuation\">,</span> <span class=\"token number\">12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">168</span><span class=\"token punctuation\">,</span> <span class=\"token number\">75</span><span class=\"token punctuation\">,</span> <span class=\"token number\">222</span><span class=\"token punctuation\">,</span> <span class=\"token number\">121</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token punctuation\">]</span>\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n\n<span 
class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span>b <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>base<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> i <span class=\"token operator\">%</span> <span class=\"token number\">4</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        t <span class=\"token operator\">=</span> <span class=\"token number\">0x1f</span>\n    <span class=\"token keyword\">elif</span> i <span class=\"token operator\">%</span> <span class=\"token number\">4</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n        t <span class=\"token operator\">=</span> <span class=\"token number\">0x29</span>\n    <span class=\"token keyword\">elif</span> i <span class=\"token operator\">%</span> <span class=\"token number\">4</span> <span class=\"token operator\">==</span> <span class=\"token number\">2</span><span class=\"token punctuation\">:</span>\n        t <span class=\"token operator\">=</span> <span class=\"token number\">0x3b</span>\n    <span class=\"token keyword\">elif</span> i <span class=\"token operator\">%</span> <span class=\"token number\">4</span> <span class=\"token operator\">==</span> <span class=\"token number\">3</span><span class=\"token punctuation\">:</span>\n        t <span class=\"token operator\">=</span> <span class=\"token number\">0x109</span>\n    \n    <span class=\"token comment\"># (t * (x &amp; 0xff) &amp; 0xff) = (b &amp; 0xff)</span>\n    <span class=\"token keyword\">for</span> x <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x100</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>t <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span>x <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            result <span class=\"token operator\">=</span> x\n    \n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>result<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># grey{0bfusc4t10n_u51ng_w3b4s53mbly_1s_4_th1ng}</span></code></pre></div>\n<p>With this, I was able to obtain the flag.</p>\n<h2 id=\"reservicerev\" style=\"position:relative;\"><a href=\"#reservicerev\" aria-label=\"reservicerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 
6z\"></path></svg></a>ReService(Rev)</h2>\n<blockquote>\n<p>I found this file that was installed by the virus. Can you find out what it does?</p>\n<p>It seems to connect to a c2 server and makes use of the current time.</p>\n</blockquote>\n<p>By manually reconstructing the decompiled Go binary, I found that it appended an 8-character hex string generated by the following logic to the URL and issued a request with <code class=\"language-text\">http.Get()</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"go\"><pre class=\"language-go\"><code class=\"language-go\"><span class=\"token keyword\">package</span> main\n\n<span class=\"token keyword\">import</span> <span class=\"token punctuation\">(</span>\n\t<span class=\"token string\">\"fmt\"</span>\n\t<span class=\"token string\">\"hash/crc32\"</span>\n\t<span class=\"token string\">\"math/rand\"</span>\n\t<span class=\"token string\">\"time\"</span>\n<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">func</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n\tnow <span class=\"token operator\">:=</span> time<span class=\"token punctuation\">.</span><span class=\"token function\">Now</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">Unix</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\trand<span class=\"token punctuation\">.</span><span class=\"token function\">Seed</span><span class=\"token punctuation\">(</span>now<span class=\"token punctuation\">)</span>\n\thash <span class=\"token operator\">:=</span> crc32<span class=\"token punctuation\">.</span><span class=\"token function\">ChecksumIEEE</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token 
punctuation\">]</span><span class=\"token function\">byte</span><span class=\"token punctuation\">(</span>fmt<span class=\"token punctuation\">.</span><span class=\"token function\">Sprintf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%x\"</span><span class=\"token punctuation\">,</span> rand<span class=\"token punctuation\">.</span><span class=\"token function\">Int</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\tresult <span class=\"token operator\">:=</span> fmt<span class=\"token punctuation\">.</span><span class=\"token function\">Sprintf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%x\"</span><span class=\"token punctuation\">,</span> hash<span class=\"token punctuation\">)</span>\n\tfmt<span class=\"token punctuation\">.</span><span class=\"token function\">Println</span><span class=\"token punctuation\">(</span>result<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>I thought I would need to brute-force the time when this file was created, but that wasn’t the case at all; simply looking at the packet stream when the binary was executed revealed the flag immediately.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 604px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/20080f1ad5843a5c8b904fe6cfb4e5bd/87254/image.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 69.58333333333333%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/20080f1ad5843a5c8b904fe6cfb4e5bd/8ac56/image.webp 240w,\n/static/20080f1ad5843a5c8b904fe6cfb4e5bd/d3be9/image.webp 480w,\n/static/20080f1ad5843a5c8b904fe6cfb4e5bd/059a8/image.webp 604w\"\n              sizes=\"(max-width: 604px) 100vw, 604px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/20080f1ad5843a5c8b904fe6cfb4e5bd/8ff5a/image.png 240w,\n/static/20080f1ad5843a5c8b904fe6cfb4e5bd/e85cb/image.png 480w,\n/static/20080f1ad5843a5c8b904fe6cfb4e5bd/87254/image.png 604w\"\n            sizes=\"(max-width: 604px) 100vw, 604px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/20080f1ad5843a5c8b904fe6cfb4e5bd/87254/image.png\"\n            alt=\"img\"\n            title=\"img\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The binary analysis turned out to be completely unrelated, and I still was not really sure what the intended challenge was…</p>","fields":{"slug":"/ctf-greycat-ctf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-22","description":"This is the write-up for Greycat CTF 2023.","tags":["CTF (en)","Rev (en)","English"],"title":"Greycat CTF 2023 Write-up","socialImage":{"publicURL":"/static/b73ed478c6587fe55250a438bca7e3b8/ctf-greycat-ctf-2023.png"}}}},"pageContext":{"slug":"/ctf-greycat-ctf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}