{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-pico-2025-en","result":{"data":{"markdownRemark":{"id":"b9ba43ca-ff39-5556-b099-bb11a223774c","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-pico-2025\">original page</a>.</p>\n</blockquote>\n<p>For this year’s picoCTF, I only solved the Rev challenges for now.</p>\n<p>There were not many particularly interesting challenges this time, but I will leave a brief writeup anyway.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#flag-huntersrev\">Flag Hunters(Rev)</a></li>\n<li><a href=\"#tap-into-hashrev\">Tap into Hash(Rev)</a></li>\n<li><a href=\"#chronohackrev\">Chronohack(Rev)</a></li>\n<li><a href=\"#quantum-scramblerrev\">Quantum Scrambler(Rev)</a></li>\n<li><a href=\"#perplexedrev\">perplexed(Rev)</a></li>\n<li><a href=\"#binary-instrumentation-1rev\">Binary Instrumentation 1(Rev)</a></li>\n<li><a href=\"#binary-instrumentation-2rev\">Binary Instrumentation 2(Rev)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"flag-huntersrev\" style=\"position:relative;\"><a href=\"#flag-huntersrev\" aria-label=\"flag huntersrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" 
width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Flag Hunters(Rev)</h2>\n<blockquote>\n<p>Lyrics jump from verses to the refrain kind of like a subroutine call. There’s a hidden refrain this program doesn’t print by default. Can you get it to print it? There might be something in it for you.</p>\n</blockquote>\n<p>The following Python script was provided as the challenge file.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> re\n<span class=\"token keyword\">import</span> time\n\n\n<span class=\"token comment\"># Read in flag from file</span>\nflag <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">'flag.txt'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'r'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nsecret_intro <span class=\"token operator\">=</span> \\\n<span class=\"token triple-quoted-string string\">'''Pico warriors rising, puzzles laid bare,\nSolving each challenge with precision and flair.\nWith unity and skill, flags we deliver,\nThe ether’s ours to conquer, '''</span>\\\n<span class=\"token operator\">+</span> flag <span class=\"token operator\">+</span> <span class=\"token string\">'\\n'</span>\n\n\nsong_flag_hunters <span class=\"token operator\">=</span> secret_intro <span class=\"token operator\">+</span>\\\n<span 
class=\"token triple-quoted-string string\">'''\n\n[REFRAIN]\nWe’re flag hunters in the ether, lighting up the grid,\nNo puzzle too dark, no challenge too hid.\nWith every exploit we trigger, every byte we decrypt,\nWe’re chasing that victory, and we’ll never quit.\nCROWD (Singalong here!);\nRETURN\n\n[VERSE1]\nCommand line wizards, we’re starting it right,\nSpawning shells in the terminal, hacking all night.\nScripts and searches, grep through the void,\nEvery keystroke, we're a cypher's envoy.\nBrute force the lock or craft that regex,\nFlag on the horizon, what challenge is next?\n\nREFRAIN;\n\nEchoes in memory, packets in trace,\nDigging through the remnants to uncover with haste.\nHex and headers, carving out clues,\nResurrect the hidden, it's forensics we choose.\nDisk dumps and packet dumps, follow the trail,\nBuried deep in the noise, but we will prevail.\n\nREFRAIN;\n\nBinary sorcerers, let’s tear it apart,\nDisassemble the code to reveal the dark heart.\nFrom opcode to logic, tracing each line,\nEmulate and break it, this key will be mine.\nDebugging the maze, and I see through the deceit,\nPatch it up right, and watch the lock release.\n\nREFRAIN;\n\nCiphertext tumbling, breaking the spin,\nFeistel or AES, we’re destined to win.\nFrequency, padding, primes on the run,\nVigenère, RSA, cracking them for fun.\nShift the letters, matrices fall,\nDecrypt that flag and hear the ether call.\n\nREFRAIN;\n\nSQL injection, XSS flow,\nMap the backend out, let the database show.\nInspecting each cookie, fiddler in the fight,\nCapturing requests, push the payload just right.\nHTML's secrets, backdoors unlocked,\nIn the world wide labyrinth, we’re never lost.\n\nREFRAIN;\n\nStack's overflowing, breaking the chain,\nROP gadget wizardry, ride it to fame.\nHeap spray in silence, memory's plight,\nRace the condition, crash it just right.\nShellcode ready, smashing the frame,\nControl the instruction, flags call my name.\n\nREFRAIN;\n\nEND;\n'''</span>\n\nMAX_LINES <span 
class=\"token operator\">=</span> <span class=\"token number\">100</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">reader</span><span class=\"token punctuation\">(</span>song<span class=\"token punctuation\">,</span> startLabel<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n  lip <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n  start <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n  refrain <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n  refrain_return <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n  finished <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n\n  <span class=\"token comment\"># Get list of lyric lines</span>\n  song_lines <span class=\"token operator\">=</span> song<span class=\"token punctuation\">.</span>splitlines<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n  \n  <span class=\"token comment\"># Find startLabel, refrain and refrain return</span>\n  <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>song_lines<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> song_lines<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> startLabel<span class=\"token punctuation\">:</span>\n      start <span class=\"token operator\">=</span> i <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n    <span 
class=\"token keyword\">elif</span> song_lines<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'[REFRAIN]'</span><span class=\"token punctuation\">:</span>\n      refrain <span class=\"token operator\">=</span> i <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">elif</span> song_lines<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'RETURN'</span><span class=\"token punctuation\">:</span>\n      refrain_return <span class=\"token operator\">=</span> i\n\n  <span class=\"token comment\"># Print lyrics</span>\n  line_count <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n  lip <span class=\"token operator\">=</span> start\n  <span class=\"token keyword\">while</span> <span class=\"token keyword\">not</span> finished <span class=\"token keyword\">and</span> line_count <span class=\"token operator\">&lt;</span> MAX_LINES<span class=\"token punctuation\">:</span>\n    line_count <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">for</span> line <span class=\"token keyword\">in</span> song_lines<span class=\"token punctuation\">[</span>lip<span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">';'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n      <span class=\"token keyword\">if</span> line <span class=\"token operator\">==</span> <span class=\"token string\">''</span> <span class=\"token keyword\">and</span> song_lines<span class=\"token punctuation\">[</span>lip<span class=\"token punctuation\">]</span> <span class=\"token operator\">!=</span> <span 
class=\"token string\">''</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">continue</span>\n      <span class=\"token keyword\">if</span> line <span class=\"token operator\">==</span> <span class=\"token string\">'REFRAIN'</span><span class=\"token punctuation\">:</span>\n        song_lines<span class=\"token punctuation\">[</span>refrain_return<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">'RETURN '</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>lip <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n        lip <span class=\"token operator\">=</span> refrain\n      <span class=\"token keyword\">elif</span> re<span class=\"token punctuation\">.</span><span class=\"token keyword\">match</span><span class=\"token punctuation\">(</span><span class=\"token string\">r\"CROWD.*\"</span><span class=\"token punctuation\">,</span> line<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        crowd <span class=\"token operator\">=</span> <span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Crowd: '</span><span class=\"token punctuation\">)</span>\n        song_lines<span class=\"token punctuation\">[</span>lip<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">'Crowd: '</span> <span class=\"token operator\">+</span> crowd\n        lip <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n      <span class=\"token keyword\">elif</span> re<span class=\"token punctuation\">.</span><span class=\"token keyword\">match</span><span class=\"token punctuation\">(</span><span class=\"token string\">r\"RETURN [0-9]+\"</span><span class=\"token 
punctuation\">,</span> line<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        lip <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>line<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n      <span class=\"token keyword\">elif</span> line <span class=\"token operator\">==</span> <span class=\"token string\">'END'</span><span class=\"token punctuation\">:</span>\n        finished <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\n      <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>line<span class=\"token punctuation\">,</span> flush<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n        time<span class=\"token punctuation\">.</span>sleep<span class=\"token punctuation\">(</span><span class=\"token number\">0.5</span><span class=\"token punctuation\">)</span>\n        lip <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n\n\nreader<span class=\"token punctuation\">(</span>song_flag_hunters<span class=\"token punctuation\">,</span> <span class=\"token string\">'[VERSE1]'</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Accessing the remote server causes the text after <code class=\"language-text\">[VERSE1]</code> to be printed in order.</p>\n<p>Because the Flag is written on lines before <code class=\"language-text\">[VERSE1]</code>, we need to somehow make the introductory text print.</p>\n<p>When you connect to the remote 
server, it prompts for input when the refrain reaches the <code class=\"language-text\">CROWD</code> line, and <code class=\"language-text\">song_lines[lip] = 'Crowd: ' + crowd</code> writes whatever you type back into the song data itself, so your input becomes a line the interpreter will execute on the next pass through the refrain.</p>\n<p>Every line is split on <code class=\"language-text\">;</code> and each piece is dispatched on its own; a piece matching <code class=\"language-text\">RETURN [0-9]+</code> sets <code class=\"language-text\">lip</code> to that line number and printing continues from there, with no check that the target lies after <code class=\"language-text\">[VERSE1]</code>.</p>\n<p>Entering <code class=\"language-text\">;RETURN 0</code> therefore stores the line <code class=\"language-text\">Crowd: ;RETURN 0</code>, which splits into <code class=\"language-text\">Crowd: </code> and <code class=\"language-text\">RETURN 0</code>; the second piece jumps to line 0, the start of <code class=\"language-text\">secret_intro</code>, and the lines holding the Flag are printed as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 646px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0b49a173fd5a159384fc4db4140a59f3/27524/image-20250308164121021.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 94.16666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0b49a173fd5a159384fc4db4140a59f3/8ac56/image-20250308164121021.webp 240w,\n/static/0b49a173fd5a159384fc4db4140a59f3/d3be9/image-20250308164121021.webp 480w,\n/static/0b49a173fd5a159384fc4db4140a59f3/8c2f2/image-20250308164121021.webp 646w\"\n              sizes=\"(max-width: 646px) 100vw, 646px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0b49a173fd5a159384fc4db4140a59f3/8ff5a/image-20250308164121021.png 240w,\n/static/0b49a173fd5a159384fc4db4140a59f3/e85cb/image-20250308164121021.png 
480w,\n/static/0b49a173fd5a159384fc4db4140a59f3/27524/image-20250308164121021.png 646w\"\n            sizes=\"(max-width: 646px) 100vw, 646px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0b49a173fd5a159384fc4db4140a59f3/27524/image-20250308164121021.png\"\n            alt=\"image-20250308164121021\"\n            title=\"image-20250308164121021\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"tap-into-hashrev\" style=\"position:relative;\"><a href=\"#tap-into-hashrev\" aria-label=\"tap into hashrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Tap into Hash(Rev)</h2>\n<blockquote>\n<p>Can you make sense of this source code file and write a function that will decode the given encrypted file content?\nFind the encrypted file here. 
It might be good to analyze source file to get the flag.</p>\n</blockquote>\n<p>Looking at the Python script provided as the challenge file, you can see that it performs a simple encryption scheme.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">import</span> base64\n<span class=\"token keyword\">import</span> hashlib\n<span class=\"token keyword\">import</span> sys\n<span class=\"token keyword\">import</span> secrets\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">xor_bytes</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">,</span> b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">(</span>x <span class=\"token operator\">^</span> y <span class=\"token keyword\">for</span> x<span class=\"token punctuation\">,</span> y <span class=\"token keyword\">in</span> <span class=\"token builtin\">zip</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">,</span> b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nkey <span class=\"token operator\">=</span> <span class=\"token string\">b\"\\x1br\\t;\\x0f\\xb5\\x9f\\xaa\\xd1'\\xaf\\x86[\\xf0\\xe6\\xd9'D\\xf9\\x8d\\x17g\\xeb>_gG.\\xd4\\xc3\\xdc\\x83\"</span>\nenc <span class=\"token operator\">=</span> <span class=\"token string\">b'o\\x14>\\xda\\x16\\xc7\\xce\\xd784,.\\x8f2\\x80@cD?\\xd3L\\x90\\x9f\\x87l0yy\\xdam\\x85J1\\x139\\x88\\x10\\x95\\x9f\\x82ke*.\\xda>\\xd3\\x195O?\\xd3\\x10\\xc4\\x94\\x83kd| 
\\x882\\x86IzFk\\xd2@\\x95\\xcd\\x83:by{\\x8c3\\x81\\x1e6E8\\xdaC\\xc2\\xcf\\xd087||\\x8em\\xd0\\x1c3Cj\\xde\\x10\\xc0\\x99\\x89;4+{\\x8fn\\x84\\x1abN9\\xdc\\x16\\xc5\\xc8\\xd0mc}+\\x81o\\xd7J1[k\\xda\\x12\\x94\\xce\\x89m3}(\\xdbh\\x84KeDh\\x8fF\\x9e\\xc9\\x84i1.*\\x8f2\\x87\\x1d4\\x15+\\x83\\x17\\xc9\\xef\\xe5Iz*t\\xd7h\\xd9\\'d%\\t\\x82\"\\xcf\\xfe\\xd3[09{\\xe0T\\xea-=;k\\x98@\\x9f\\xcf\\xf9Pp\\x0bb\\xd5A\\xe8\\x02\\x15=\\x04\\x8eL\\x96\\x9f\\x86n0ze\\x89m\\x81A6Bi\\x88B\\x91\\xce\\x8279q~\\x8d:\\x84OfAn\\x8fA\\x95\\xc9\\xd76d|}\\x95;\\x82@oFb\\xddE\\x93\\x98\\xd2jdz/\\x88h\\xd7\\x1a6@o\\xdd\\x12\\x94\\x94\\xd2m`}y\\x8c>\\x82LaCm\\x8f\\x10\\x9f\\x9f\\xd3>0py\\xde2\\x87AoGh\\x88\\x11\\x91\\x9a\\x84=3z*\\xde&amp;\\x82Hb@n\\xddM\\xc3\\xce\\x89me.(\\x808\\xd0KaGo\\x8bG\\x91\\x9b\\x81?`.|\\xde=\\xd6@b\\x17m\\x8e\\x11\\x9f\\x95\\x80>d+.\\x88>\\x80\\x1d4\\x14m\\xdd\\x12\\x96\\xcf\\x85m1q-\\x8ao\\xb0z'</span>\n\ndecrypted_text <span class=\"token operator\">=</span> <span class=\"token string\">b\"\"</span>\nblock_size <span class=\"token operator\">=</span> <span class=\"token number\">16</span>\nkey_hash <span class=\"token operator\">=</span> hashlib<span class=\"token punctuation\">.</span>sha256<span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>digest<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>enc<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> block_size<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    block <span class=\"token operator\">=</span> 
enc<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">:</span>i <span class=\"token operator\">+</span> block_size<span class=\"token punctuation\">]</span>\n    decrypt_block <span class=\"token operator\">=</span> xor_bytes<span class=\"token punctuation\">(</span>block<span class=\"token punctuation\">,</span> key_hash<span class=\"token punctuation\">)</span>\n    decrypted_text <span class=\"token operator\">+=</span> decrypt_block\n\n<span class=\"token comment\"># the loop only accumulates the buffer; print it to see the Flag</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>decrypted_text<span class=\"token punctuation\">)</span></code></pre></div>\n<p>The script above is the solver rather than the challenge file: the challenge XORs each 16-byte block of the plaintext with the SHA-256 digest of <code class=\"language-text\">key</code> (<code class=\"language-text\">zip</code> stops at the shorter input, so only the first 16 bytes of the digest are ever used), and XOR is its own inverse, so running the same loop over the ciphertext recovers the plaintext containing the Flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ea8414be6e0094ee9cea237e8b0d33d8/e515d/image-20250308165823543.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 7.083333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAS0lEQVQI1xWKwQ2AIBDAHAEFfIkYNRgZhM/duf82FR5N06RTrS/lKVz3SWsNM0NVsM8QEdQU6T0YX9oT+cjdG3GNxBjwfiEEj5sdPx1KHvbeWG27AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ea8414be6e0094ee9cea237e8b0d33d8/8ac56/image-20250308165823543.webp 240w,\n/static/ea8414be6e0094ee9cea237e8b0d33d8/d3be9/image-20250308165823543.webp 480w,\n/static/ea8414be6e0094ee9cea237e8b0d33d8/e46b2/image-20250308165823543.webp 960w,\n/static/ea8414be6e0094ee9cea237e8b0d33d8/fa512/image-20250308165823543.webp 1430w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/ea8414be6e0094ee9cea237e8b0d33d8/8ff5a/image-20250308165823543.png 240w,\n/static/ea8414be6e0094ee9cea237e8b0d33d8/e85cb/image-20250308165823543.png 480w,\n/static/ea8414be6e0094ee9cea237e8b0d33d8/d9199/image-20250308165823543.png 960w,\n/static/ea8414be6e0094ee9cea237e8b0d33d8/e515d/image-20250308165823543.png 1430w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ea8414be6e0094ee9cea237e8b0d33d8/d9199/image-20250308165823543.png\"\n            alt=\"image-20250308165823543\"\n            title=\"image-20250308165823543\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"chronohackrev\" style=\"position:relative;\"><a href=\"#chronohackrev\" aria-label=\"chronohackrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Chronohack(Rev)</h2>\n<blockquote>\n<p>Can you guess the exact token and unlock the hidden flag?\nOur school relies on tokens to authenticate students. The access is granted through nc verbal-sleep.picoctf.net 61959. Unfortunately, someone leaked an important file for token generation. 
Guess the token to get the flag.</p>\n</blockquote>\n<p>The following script was provided as the challenge file.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> random\n<span class=\"token keyword\">import</span> time\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">get_random</span><span class=\"token punctuation\">(</span>length<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    alphabet <span class=\"token operator\">=</span> <span class=\"token string\">\"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\"</span>\n    random<span class=\"token punctuation\">.</span>seed<span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token number\">1000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>  <span class=\"token comment\"># seeding with current time </span>\n    s <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span>length<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        s <span class=\"token operator\">+=</span> random<span class=\"token punctuation\">.</span>choice<span class=\"token punctuation\">(</span>alphabet<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">return</span> s\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">flag</span><span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">'/flag.txt'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'r'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> picoCTF<span class=\"token punctuation\">:</span>\n        content <span class=\"token operator\">=</span> picoCTF<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>content<span class=\"token punctuation\">)</span>\n\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Welcome to the token generation challenge!\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Can you guess the token?\"</span><span class=\"token punctuation\">)</span>\n    token_length <span class=\"token operator\">=</span> <span class=\"token number\">20</span>  <span class=\"token comment\"># the token length</span>\n    token <span class=\"token operator\">=</span> get_random<span class=\"token punctuation\">(</span>token_length<span class=\"token punctuation\">)</span> \n\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        n<span class=\"token operator\">=</span><span class=\"token number\">0</span>\n        <span class=\"token 
keyword\">while</span> n <span class=\"token operator\">&lt;</span> <span class=\"token number\">50</span><span class=\"token punctuation\">:</span>\n            user_guess <span class=\"token operator\">=</span> <span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\nEnter your guess for the token (or exit):\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n            n<span class=\"token operator\">+=</span><span class=\"token number\">1</span>\n            <span class=\"token keyword\">if</span> user_guess <span class=\"token operator\">==</span> <span class=\"token string\">\"exit\"</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Exiting the program...\"</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">break</span>\n            \n            <span class=\"token keyword\">if</span> user_guess <span class=\"token operator\">==</span> token<span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Congratulations! You found the correct token.\"</span><span class=\"token punctuation\">)</span>\n                flag<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">break</span>\n            <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Sorry, your token does not match. 
Try again!\"</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> n <span class=\"token operator\">==</span> <span class=\"token number\">50</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\nYou exhausted your attempts, Bye!\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span> KeyboardInterrupt<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\\nKeyboard interrupt detected. Exiting the program...\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">\"__main__\"</span><span class=\"token punctuation\">:</span>\n    main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>The token is 20 characters drawn with <code class=\"language-text\">random.choice</code> from Python's <code class=\"language-text\">random</code> module (a Mersenne Twister, not a CSPRNG) after seeding it with <code class=\"language-text\">int(time.time() * 1000)</code>, the millisecond timestamp at the moment the token is generated. The seed is therefore predictable: anyone who knows roughly when the server generated the token only has to try the seeds in a window of a few hundred milliseconds around that instant, and each connection allows 50 guesses before it closes.</p>\n<p>I was able to get the Flag with the following simple script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> random\n<span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">get_random</span><span class=\"token punctuation\">(</span>T<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    alphabet <span class=\"token operator\">=</span> <span class=\"token 
string\">\"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\"</span>\n    random<span class=\"token punctuation\">.</span>seed<span class=\"token punctuation\">(</span>T<span class=\"token punctuation\">)</span>\n    s <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">20</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        s <span class=\"token operator\">+=</span> random<span class=\"token punctuation\">.</span>choice<span class=\"token punctuation\">(</span>alphabet<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">return</span> s<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">1000</span><span class=\"token punctuation\">,</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    s0 <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token number\">1000</span><span class=\"token punctuation\">)</span>\n    target <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token 
string\">\"verbal-sleep.picoctf.net\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">59978</span><span class=\"token punctuation\">,</span> ssl<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># s1 = int(time.time() * 1000)</span>\n    target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Welcome to the token generation challenge!\"</span><span class=\"token punctuation\">)</span>\n    s1 <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token number\">1000</span><span class=\"token punctuation\">)</span>\n    target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Enter your guess for the token (or exit):\"</span><span class=\"token punctuation\">)</span>\n    s3 <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token number\">1000</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s0<span class=\"token punctuation\">,</span>s1<span class=\"token punctuation\">,</span>s1<span class=\"token operator\">-</span>s0<span class=\"token punctuation\">,</span>s3<span class=\"token operator\">-</span>s1<span class=\"token punctuation\">)</span>\n\n    target<span class=\"token 
punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>get_random<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    r <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    j <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    <span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span>j <span class=\"token operator\">&lt;</span> <span class=\"token number\">47</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        tmp <span class=\"token operator\">=</span> j<span class=\"token operator\">+</span>i\n        target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Enter your guess for the token (or exit):\"</span><span class=\"token punctuation\">)</span>\n        tk <span class=\"token operator\">=</span> get_random<span class=\"token punctuation\">(</span>s0<span class=\"token operator\">+</span>tmp<span class=\"token punctuation\">)</span>\n        target<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>tk<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n            r <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s0<span class=\"token operator\">+</span>tmp<span class=\"token punctuation\">,</span> tk<span class=\"token punctuation\">,</span> r<span class=\"token 
punctuation\">)</span>\n            <span class=\"token keyword\">if</span> <span class=\"token string\">\"Congratulations\"</span> <span class=\"token keyword\">in</span> r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span>\n                r <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span>\n                exit<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s1<span class=\"token operator\">+</span>tmp<span class=\"token punctuation\">,</span>tmp<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span>\n            <span class=\"token comment\"># recv() must actually be called; printing the bare method shows nothing useful</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>target<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span>timeout<span class=\"token operator\">=</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n        j <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n    target<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><img src=\"/static/53d26d0c732f26e9f1fef6320662c4e9/69476/image-20250309073016466.png\" alt=\"image-20250309073016466\" title=\"image-20250309073016466\" /></p>\n<p>However, perhaps something was wrong with the challenge server: at first I could not get the correct Flag no matter what I tried, and I wasted a lot of time on it.</p>\n<p>The next morning the server had been updated, and when I used the same script as the day before, I was able to get the Flag right away.</p>\n<h2 id=\"quantum-scramblerrev\" style=\"position:relative;\"><a href=\"#quantum-scramblerrev\" aria-label=\"quantum scramblerrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Quantum Scrambler(Rev)</h2>\n<blockquote>\n<p>We invented a new cypher that uses “quantum entanglement” to encode the flag. Do you have what it takes to decode it?</p>\n</blockquote>\n<p>Checking the provided script showed that it shuffled the byte value of each character in the Flag using a custom algorithm.</p>\n<p>The processing was not very complex, so I simply wrote a solver that reversed the shuffling and obtained the Flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">scrambled_L <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>scrambled list from the challenge output<span class=\"token punctuation\">]</span>\n\ni <span class=\"token operator\">=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>scrambled_L<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span>i <span class=\"token operator\">></span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    i <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n    im2 <span class=\"token operator\">=</span> scrambled_L<span class=\"token punctuation\">[</span>i<span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    im1 <span class=\"token operator\">=</span> scrambled_L<span class=\"token punctuation\">[</span>i<span class=\"token operator\">-</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    scrambled_L<span class=\"token punctuation\">[</span>i<span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token 
punctuation\">.</span>append<span class=\"token punctuation\">(</span>im1<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>scrambled_L<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># [['0x70'], ['0x63', '0x69'], ['0x43', '0x6f'], ['0x46', '0x54'], ['0x70', '0x7b'], ['0x74', '0x79'], ['0x6f', '0x68'], ['0x5f', '0x6e'], ['0x73', '0x69'], ['0x77', '0x5f'], ['0x69', '0x65'], ['0x64', '0x72'], ['0x35', '0x62'], ['0x31', '0x37'], ['0x32', '0x34'], ['0x66', '0x66'], ['0x7d']]</span>\n\n<span class=\"token keyword\">for</span> l <span class=\"token keyword\">in</span> scrambled_L<span class=\"token punctuation\">:</span>\n   <span class=\"token keyword\">if</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>l<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n      <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>l<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    \n   <span class=\"token keyword\">if</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>l<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">2</span><span 
class=\"token punctuation\">:</span>\n      <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>l<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n      <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>l<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># picoCTF{python_is_weirdb57142ff}</span></code></pre></div>\n<h2 id=\"perplexedrev\" style=\"position:relative;\"><a href=\"#perplexedrev\" aria-label=\"perplexedrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>perplexed(Rev)</h2>\n<blockquote>\n<p>Download the binary here.</p>\n</blockquote>\n<p>Analyzing the challenge binary showed that it validates the input password with the following <code class=\"language-text\">check</code> function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token class-name\">int64_t</span> <span class=\"token function\">check</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span> input<span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>input<span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token number\">0x1b</span><span class=\"token punctuation\">)</span>\n      <span class=\"token keyword\">return</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token class-name\">int64_t</span> val<span class=\"token punctuation\">;</span>\n  <span class=\"token function\">__builtin_memcpy</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>val<span class=\"token punctuation\">,</span> <span class=\"token string\">\"\\xe1\\xa7\\x1e\\xf8\\x75\\x23\\x7b\\x61\\xb9\\x9d\\xfc\\x5a\\x5b\\xdf\\x69\\xd2\\xfe\\x1b\\xed\\xf4\\xed\\x67\\xf4\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x17</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">int32_t</span> n <span 
class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">int32_t</span> k <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">int32_t</span> var_2c_1 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x16</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span> j <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> j <span class=\"token operator\">&lt;=</span> <span class=\"token number\">7</span><span class=\"token punctuation\">;</span> j <span class=\"token operator\">+=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n      <span class=\"token punctuation\">{</span>\n          <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span>k<span class=\"token punctuation\">)</span>\n              k <span class=\"token operator\">+=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n\n          <span class=\"token class-name\">int32_t</span> rax_17<span class=\"token 
punctuation\">;</span>\n          rax_17 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span><span class=\"token punctuation\">)</span>input<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int64_t</span><span class=\"token punctuation\">)</span>n<span class=\"token punctuation\">]</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span><span class=\"token number\">7</span> <span class=\"token operator\">-</span> k<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n\n          <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rax_17 <span class=\"token operator\">!=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">int8_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>val <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">int64_t</span><span class=\"token punctuation\">)</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token 
number\">1</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span><span class=\"token number\">7</span> <span class=\"token operator\">-</span> j<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n              <span class=\"token keyword\">return</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n\n          k <span class=\"token operator\">+=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n\n          <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>k <span class=\"token operator\">==</span> <span class=\"token number\">8</span><span class=\"token punctuation\">)</span>\n          <span class=\"token punctuation\">{</span>\n              k <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n              n <span class=\"token operator\">+=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n          <span class=\"token punctuation\">}</span>\n\n          <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int64_t</span><span class=\"token punctuation\">)</span>n <span class=\"token operator\">==</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>input<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n              <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">}</span>\n\n  <span 
class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Since it was essentially simple byte manipulation, I could find the Flag easily by just throwing angr at it.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">\"perplexed\"</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\nobj <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>loader<span class=\"token punctuation\">.</span>main_object\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Entry\"</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>obj<span class=\"token punctuation\">.</span>entry<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nfind <span class=\"token operator\">=</span> <span class=\"token number\">0x40143e</span>\navoids <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x40143e</span><span class=\"token punctuation\">]</span>\n\ninit_state <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token 
punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simgr<span class=\"token punctuation\">(</span>init_state<span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>find<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>avoids<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Output: dump the stdin (fd 0) that reaches the find address, i.e. the solved input</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>posix<span class=\"token punctuation\">.</span>dumps<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>The execution result is below.</p>\n<p><img src=\"/static/967904979d25fbb2d484973c92c39261/75dcb/image-20250308194125700.png\" alt=\"image-20250308194125700\" title=\"image-20250308194125700\" /></p>\n<h2 id=\"binary-instrumentation-1rev\" style=\"position:relative;\"><a href=\"#binary-instrumentation-1rev\" aria-label=\"binary instrumentation 1rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Binary Instrumentation 1(Rev)</h2>\n<blockquote>\n<p>I have been learning to use the Windows API to do cool stuff! Can you wake up my program to get the flag?</p>\n</blockquote>\n<p>Running the challenge binary showed that it was implemented to sleep forever before printing the correct Flag.</p>\n<p><img src=\"/static/b66c6d123f9b5b989a10a22ec499c93f/5d030/image-20250308222217123.png\" alt=\"image-20250308222217123\" title=\"image-20250308222217123\" /></p>\n<p>When I analyzed the binary in the decompiler, I noticed that it had an unusual entry point and might be packed with some kind of packer.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token class-name\">int64_t</span> <span class=\"token function\">_start</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  TEB<span class=\"token operator\">*</span> gsbase<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">struct</span> <span class=\"token class-name\">_PEB</span><span class=\"token operator\">*</span> ProcessEnvironmentBlock <span class=\"token operator\">=</span> gsbase<span class=\"token operator\">-></span>ProcessEnvironmentBlock<span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">int64_t</span> lpMem <span class=\"token operator\">=</span> <span class=\"token function\">HeapAlloc</span><span class=\"token punctuation\">(</span><span class=\"token function\">GetProcessHeap</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> HEAP_ZERO_MEMORY<span class=\"token punctuation\">,</span> <span class=\"token number\">0x400</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">GetLastError</span><span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span> <span class=\"token operator\">!=</span> ERROR_IPSEC_IKE_SECLOADFAIL<span class=\"token punctuation\">)</span>\n      <span class=\"token function\">HeapFree</span><span class=\"token punctuation\">(</span><span class=\"token function\">GetProcessHeap</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> HEAP_NONE<span class=\"token punctuation\">,</span> lpMem<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">else</span>\n  <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">ReleaseSRWLockExclusive</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">ReleaseSRWLockShared</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">SetCriticalSectionSpinCount</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">TryAcquireSRWLockExclusive</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">WakeAllConditionVariable</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">SetUnhandledExceptionFilter</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token 
function\">UnhandledExceptionFilter</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">CheckMenuItem</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">GetMenu</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">GetSystemMenu</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">GetMenuItemID</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">EnableMenuItem</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> MF_BYCOMMAND<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">MessageBeep</span><span class=\"token punctuation\">(</span>MB_OK<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">GetLastError</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token 
function\">MessageBoxW</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> nullptr<span class=\"token punctuation\">,</span> nullptr<span class=\"token punctuation\">,</span> MB_OK<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">MessageBoxA</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">,</span> nullptr<span class=\"token punctuation\">,</span> nullptr<span class=\"token punctuation\">,</span> MB_OK<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">UpdateWindow</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">GetWindowContextHelpId</span><span class=\"token punctuation\">(</span>nullptr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>ProcessEnvironmentBlock <span class=\"token operator\">&amp;&amp;</span> ProcessEnvironmentBlock<span class=\"token operator\">-></span>OSMajorVersion <span class=\"token operator\">==</span> <span class=\"token number\">0xa</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n      <span class=\"token class-name\">int64_t</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n      arg_10 <span class=\"token operator\">=</span> nullptr<span class=\"token punctuation\">;</span>\n      arg_8 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n      <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> 
ImageBaseAddress <span class=\"token operator\">=</span> ProcessEnvironmentBlock<span class=\"token operator\">-></span>ImageBaseAddress<span class=\"token punctuation\">;</span>\n      <span class=\"token class-name\">int64_t</span> rsi_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">int64_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>ImageBaseAddress <span class=\"token operator\">+</span> <span class=\"token number\">0x3c</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> rbx_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>ImageBaseAddress <span class=\"token operator\">+</span> <span class=\"token number\">0x108</span> <span class=\"token operator\">+</span> rsi_1<span class=\"token punctuation\">;</span>\n\n      <span class=\"token keyword\">do</span>\n      <span class=\"token punctuation\">{</span>\n          <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">sub_14b0</span><span class=\"token punctuation\">(</span>rbx_1<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x9f520b2d</span><span class=\"token punctuation\">)</span>\n          <span class=\"token 
punctuation\">{</span>\n              <span class=\"token class-name\">uint64_t</span> rdi_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rbx_1 <span class=\"token operator\">+</span> <span class=\"token number\">0xc</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n              <span class=\"token class-name\">uint64_t</span> rbx_2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rbx_1 <span class=\"token operator\">+</span> <span class=\"token number\">0x10</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n              <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rdi_1 <span class=\"token operator\">!=</span> <span class=\"token operator\">-</span><span class=\"token punctuation\">(</span>ImageBaseAddress<span class=\"token punctuation\">)</span> <span class=\"token 
operator\">&amp;&amp;</span> rbx_2 <span class=\"token operator\">&amp;&amp;</span> <span class=\"token function\">sub_18b0</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span><span class=\"token function\">sub_1300</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> rdi_1 <span class=\"token operator\">+</span> ImageBaseAddress<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span>rbx_2<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>arg_10<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>arg_8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n              <span class=\"token punctuation\">{</span>\n                  <span class=\"token function\">loader</span><span class=\"token punctuation\">(</span>arg_10<span class=\"token punctuation\">,</span> arg_8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n              <span class=\"token punctuation\">}</span>\n\n              <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n          <span class=\"token punctuation\">}</span>\n\n          rbx_1 <span class=\"token operator\">+=</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">;</span>\n          i <span class=\"token operator\">+=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span> <span class=\"token 
keyword\">while</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">&lt;=</span> <span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint16_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>rsi_1 <span class=\"token operator\">+</span> ImageBaseAddress <span class=\"token operator\">+</span> <span class=\"token number\">6</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0xffffffff</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Looking at the PE sections confirmed that a section named ATOM had been created, which showed that the binary had been packed with a packer called AtomPePacker.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 182px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e417d16378bd5c2b35204ad75f53f0b0/a51ee/image-20250308222301491.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 113.73626373626374%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/e417d16378bd5c2b35204ad75f53f0b0/1bda0/image-20250308222301491.webp 182w\"\n              sizes=\"(max-width: 182px) 100vw, 182px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e417d16378bd5c2b35204ad75f53f0b0/a51ee/image-20250308222301491.png 182w\"\n            sizes=\"(max-width: 182px) 100vw, 182px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e417d16378bd5c2b35204ad75f53f0b0/a51ee/image-20250308222301491.png\"\n            alt=\"image-20250308222301491\"\n            title=\"image-20250308222301491\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://github.com/NUL0x4C/AtomPePacker?tab=readme-ov-file\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">NUL0x4C/AtomPePacker: A Highly capable Pe Packer</a></p>\n<p>Unfortunately, as far as I could tell after searching around, no unpacker for this Packer had been published, so I decided to extract the unpacked binary after it had been loaded into memory.</p>\n<p>Reading a bit further into the binary, I found that the following <code class=\"language-text\">loader</code> function validates the PE header, which strongly suggested that the unpacked PE file data had already been expanded in memory by this point.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e81101890d3ef46f654e4a46b6e96eb7/b0aa6/image-20250308222509137.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    
style=\"padding-bottom: 56.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e81101890d3ef46f654e4a46b6e96eb7/8ac56/image-20250308222509137.webp 240w,\n/static/e81101890d3ef46f654e4a46b6e96eb7/d3be9/image-20250308222509137.webp 480w,\n/static/e81101890d3ef46f654e4a46b6e96eb7/e46b2/image-20250308222509137.webp 960w,\n/static/e81101890d3ef46f654e4a46b6e96eb7/e96a9/image-20250308222509137.webp 1233w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e81101890d3ef46f654e4a46b6e96eb7/8ff5a/image-20250308222509137.png 240w,\n/static/e81101890d3ef46f654e4a46b6e96eb7/e85cb/image-20250308222509137.png 480w,\n/static/e81101890d3ef46f654e4a46b6e96eb7/d9199/image-20250308222509137.png 960w,\n/static/e81101890d3ef46f654e4a46b6e96eb7/b0aa6/image-20250308222509137.png 1233w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e81101890d3ef46f654e4a46b6e96eb7/d9199/image-20250308222509137.png\"\n            alt=\"image-20250308222509137\"\n            title=\"image-20250308222509137\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I set a breakpoint on this function in WinDbg and ran the program.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">bp PP64Stub+1dc0</code></pre></div>\n<p>Next, I dumped the unpacked PE that had been loaded in memory at that point with the <code 
class=\"language-text\">.writemem</code> command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">.writemem C:\\Users\\kash1064\\Downloads\\bininst1\\dump.exe @rcx L?0x6499</code></pre></div>\n<p>Analyzing the dumped program confirmed that it contained a Base64-encoded Flag string, as shown below.</p>\n<p>[image: image-20250308222156904]</p>\n<p>That gave me the correct Flag.</p>\n<p>[image: image-20250308222244757]</p>\n
<h2 id=\"binary-instrumentation-2rev\">Binary Instrumentation 2(Rev)</h2>\n<blockquote>\n<p>I’ve been learning more Windows API functions to do my bidding. Hmm… I swear this program was supposed to create a file and write the flag directly to the file. 
Can you try and intercept the file writing function to see what went wrong?</p>\n</blockquote>\n<p>Analyzing the challenge binary confirmed that it had been packed in the same way as the previous binary.</p>\n<p>So I used WinDbg and the same method as before to dump the unpacked PE data.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">bp PP64Stub+1dc3\ng\n\n.writemem C:\\Users\\kash1064\\Downloads\\dump.exe @rcx L?0x6499</code></pre></div>\n<p>Decompiling the dumped binary showed that it embedded a Base64-encoded Flag, as shown below, which gave me the correct Flag.</p>\n<p>[image: image-20250308232722925]</p>\n<p>[image: image-20250308232741279]</p>\n<p>Since this challenge could be solved with exactly the same approach as the previous one, with no twist at all, I was not quite sure what the intended idea was.</p>\n
<h2 id=\"summary\">Summary</h2>\n<p>It was a bit disappointing that the Rev challenges were not very interesting.</p>\n<p>I think I will try some other categories too.</p>","fields":{"slug":"/ctf-pico-2025-en","tagSlugs":["/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2025-03-20","description":"Pico CTF 2025 Writeup","tags":["Rev (en)","English"],"title":"Pico CTF 2025 Writeup","socialImage":{"publicURL":"/static/2f09ef5b8b7eee18c36587f726743bf7/ctf-pico-2025.png"}}}},"pageContext":{"slug":"/ctf-pico-2025-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}