{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-pwnme-2025-en","result":{"data":{"markdownRemark":{"id":"99d08688-e45b-5619-aadb-d770ddc05d05","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-pwnme-2025\">original page</a>.</p>\n</blockquote>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#back-to-the-pastrev\">Back to the past(Rev)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"back-to-the-pastrev\" style=\"position:relative;\"><a href=\"#back-to-the-pastrev\" aria-label=\"back to the pastrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Back to the past(Rev)</h2>\n<blockquote>\n<p>Using the provided binary and the encrypted file, find a way to retrieve the flag contained in “flag.enc”. 
Note that the binary would have been run in May 2024. Note: The flag is in the format PWNME{…}</p>\n</blockquote>\n<p>The challenge provides an ELF file with a file-encryption feature, along with an encrypted flag file.</p>\n<p>Analyzing this ELF shows that it seeds <code class=\"language-text\">srand</code> from the program’s execution time and then performs the encryption using random numbers generated by <code class=\"language-text\">rand</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 561px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/371a6d418db1ba93b98e4852b432e2aa/410f3/image-20250301220422147.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 92.08333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/371a6d418db1ba93b98e4852b432e2aa/8ac56/image-20250301220422147.webp 240w,\n/static/371a6d418db1ba93b98e4852b432e2aa/d3be9/image-20250301220422147.webp 480w,\n/static/371a6d418db1ba93b98e4852b432e2aa/6c067/image-20250301220422147.webp 561w\"\n              sizes=\"(max-width: 561px) 100vw, 561px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/371a6d418db1ba93b98e4852b432e2aa/8ff5a/image-20250301220422147.png 240w,\n/static/371a6d418db1ba93b98e4852b432e2aa/e85cb/image-20250301220422147.png 480w,\n/static/371a6d418db1ba93b98e4852b432e2aa/410f3/image-20250301220422147.png 561w\"\n            sizes=\"(max-width: 561px) 100vw, 561px\"\n            type=\"image/png\"\n          />\n          <img\n            
class=\"gatsby-resp-image-image\"\n            src=\"/static/371a6d418db1ba93b98e4852b432e2aa/410f3/image-20250301220422147.png\"\n            alt=\"image-20250301220422147\"\n            title=\"image-20250301220422147\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From the file timestamp, I knew the flag file had been encrypted in May 2024, so at first it seemed like I just needed to implement a solver that used <code class=\"language-text\">srand</code> and <code class=\"language-text\">rand</code> to decrypt the file… but I could not actually recover the flag.</p>\n<p>After taking a closer look with <code class=\"language-text\">gdb</code>, I found the reason: the random numbers produced from the same timestamp by the <code class=\"language-text\">srand</code>/<code class=\"language-text\">rand</code> functions in my local environment did not match the numbers generated by the statically linked <code class=\"language-text\">srand</code>/<code class=\"language-text\">rand</code> functions embedded in the challenge binary.</p>\n<p>So I started reversing the challenge binary’s <code class=\"language-text\">srand</code>/<code class=\"language-text\">rand</code> implementation.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 436px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/53a74d2db6e336915f99b81a3c525bce/8574c/image-20250301220439451.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 77.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); 
background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/53a74d2db6e336915f99b81a3c525bce/8ac56/image-20250301220439451.webp 240w,\n/static/53a74d2db6e336915f99b81a3c525bce/bfa8c/image-20250301220439451.webp 436w\"\n              sizes=\"(max-width: 436px) 100vw, 436px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/53a74d2db6e336915f99b81a3c525bce/8ff5a/image-20250301220439451.png 240w,\n/static/53a74d2db6e336915f99b81a3c525bce/8574c/image-20250301220439451.png 436w\"\n            sizes=\"(max-width: 436px) 100vw, 436px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/53a74d2db6e336915f99b81a3c525bce/8574c/image-20250301220439451.png\"\n            alt=\"image-20250301220439451\"\n            title=\"image-20250301220439451\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Below is the solver I wrote by reproducing the above code as custom functions.</p>\n<p>In the end, using the random numbers generated from the timestamp <code class=\"language-text\">Thu May 09 2024 05:01:17 GMT+0900</code> let me obtain the key that decrypts the correct flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdint.h></span></span>\n<span class=\"token macro property\"><span class=\"token 
directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;time.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n\n<span class=\"token class-name\">uint64_t</span> seed<span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">uint64_t</span> result<span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">int32_t</span> r<span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">int32_t</span> key<span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">int32_t</span> tmp<span class=\"token punctuation\">;</span>\n\n<span class=\"token class-name\">uint64_t</span> <span class=\"token function\">custom_srand</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span> s<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    seed <span class=\"token operator\">=</span> s <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token class-name\">uint64_t</span> <span class=\"token function\">custom_rand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    result <span class=\"token operator\">=</span> <span class=\"token number\">0x5851f42d4c957f2d</span> <span class=\"token operator\">*</span> seed <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    seed <span class=\"token operator\">=</span> result<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> result <span class=\"token operator\">>></span> <span class=\"token number\">0x21</span><span class=\"token punctuation\">;</span>\n<span class=\"token 
punctuation\">}</span>\n\n<span class=\"token class-name\">int32_t</span> <span class=\"token function\">gen_key</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    r <span class=\"token operator\">=</span> <span class=\"token function\">custom_rand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    tmp <span class=\"token operator\">=</span> r <span class=\"token operator\">/</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">;</span>\n    key <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>r <span class=\"token operator\">-</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int8_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>tmp <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">7</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> tmp<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> key<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">struct</span> <span class=\"token class-name\">tm</span> time_info <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">0</span><span 
class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// Initialize the time structure to zero</span>\n    time_info<span class=\"token punctuation\">.</span>tm_year <span class=\"token operator\">=</span> <span class=\"token number\">2024</span> <span class=\"token operator\">-</span> <span class=\"token number\">1900</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// Year (years since 1900)</span>\n    time_info<span class=\"token punctuation\">.</span>tm_mon  <span class=\"token operator\">=</span> <span class=\"token number\">5</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>        <span class=\"token comment\">// Month (0 = January, 1 = February, ..., 4 = May)</span>\n    time_info<span class=\"token punctuation\">.</span>tm_mday <span class=\"token operator\">=</span> <span class=\"token number\">9</span><span class=\"token punctuation\">;</span>            <span class=\"token comment\">// Day</span>\n    time_info<span class=\"token punctuation\">.</span>tm_hour <span class=\"token operator\">=</span> <span class=\"token number\">22</span><span class=\"token punctuation\">;</span>           <span class=\"token comment\">// Hour (24-hour clock)</span>\n    time_info<span class=\"token punctuation\">.</span>tm_min  <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>            <span class=\"token comment\">// Minute</span>\n    time_info<span class=\"token punctuation\">.</span>tm_sec  <span class=\"token operator\">=</span> <span class=\"token number\">16</span><span class=\"token punctuation\">;</span>           <span class=\"token comment\">// Second</span>\n    <span class=\"token function\">setenv</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"TZ\"</span><span class=\"token 
punctuation\">,</span> <span class=\"token string\">\"Asia/Tokyo\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">tzset</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">time_t</span> epoch_time <span class=\"token operator\">=</span> <span class=\"token function\">mktime</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>time_info<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// target = 0x70 0x63 0x42 0x50 0x6a</span>\n    <span class=\"token comment\">// for (int i = 0 ; i &lt; 60*60*24; i++) {</span>\n    <span class=\"token comment\">//     custom_srand(epoch_time-i);</span>\n    <span class=\"token comment\">//     if (gen_key() == 0x70) {</span>\n    <span class=\"token comment\">//         if (gen_key() == 0x63) {</span>\n    <span class=\"token comment\">//             if (gen_key() == 0x42) {</span>\n    <span class=\"token comment\">//                 printf(\"%d\\n\", epoch_time-i);</span>\n    <span class=\"token comment\">//                 break;</span>\n    <span class=\"token comment\">//             }</span>\n    <span class=\"token comment\">//         }</span>\n    <span class=\"token comment\">//     }</span>\n    <span class=\"token comment\">// }</span>\n\n    epoch_time <span class=\"token operator\">=</span> <span class=\"token number\">1715198477</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"keys = [\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token 
keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> i <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> i <span class=\"token operator\">&lt;</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span> i<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">custom_srand</span><span class=\"token punctuation\">(</span>epoch_time<span class=\"token operator\">-</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"[\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> j <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> j <span class=\"token operator\">&lt;</span> <span class=\"token number\">40</span><span class=\"token punctuation\">;</span> j<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token class-name\">int32_t</span> r <span class=\"token operator\">=</span> <span class=\"token function\">custom_rand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token class-name\">int32_t</span> tmp <span class=\"token operator\">=</span> r <span class=\"token operator\">/</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">;</span>\n            <span class=\"token 
class-name\">int32_t</span> key <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>r <span class=\"token operator\">-</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int8_t</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>tmp <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">7</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> tmp<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xFF</span><span class=\"token punctuation\">;</span>\n            \n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>j <span class=\"token operator\">!=</span> <span class=\"token number\">39</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d,\"</span><span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n            <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d\"</span><span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>i <span class=\"token operator\">!=</span> <span class=\"token number\">1</span><span class=\"token 
punctuation\">)</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"],\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"]\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"]\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    \n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The solver below uses the random numbers generated by the code above as the key.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">keys <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">[</span><span class=\"token number\">112</span><span class=\"token punctuation\">,</span><span class=\"token number\">99</span><span class=\"token punctuation\">,</span><span class=\"token number\">66</span><span class=\"token punctuation\">,</span><span class=\"token number\">80</span><span class=\"token punctuation\">,</span><span class=\"token number\">106</span><span class=\"token punctuation\">,</span><span class=\"token number\">86</span><span class=\"token punctuation\">,</span><span class=\"token number\">57</span><span class=\"token 
punctuation\">,</span><span class=\"token number\">41</span><span class=\"token punctuation\">,</span><span class=\"token number\">90</span><span class=\"token punctuation\">,</span><span class=\"token number\">9</span><span class=\"token punctuation\">,</span><span class=\"token number\">43</span><span class=\"token punctuation\">,</span><span class=\"token number\">34</span><span class=\"token punctuation\">,</span><span class=\"token number\">111</span><span class=\"token punctuation\">,</span><span class=\"token number\">95</span><span class=\"token punctuation\">,</span><span class=\"token number\">73</span><span class=\"token punctuation\">,</span><span class=\"token number\">32</span><span class=\"token punctuation\">,</span><span class=\"token number\">112</span><span class=\"token punctuation\">,</span><span class=\"token number\">54</span><span class=\"token punctuation\">,</span><span class=\"token number\">87</span><span class=\"token punctuation\">,</span><span class=\"token number\">46</span><span class=\"token punctuation\">,</span><span class=\"token number\">112</span><span class=\"token punctuation\">,</span><span class=\"token number\">74</span><span class=\"token punctuation\">,</span><span class=\"token number\">53</span><span class=\"token punctuation\">,</span><span class=\"token number\">81</span><span class=\"token punctuation\">,</span><span class=\"token number\">36</span><span class=\"token punctuation\">,</span><span class=\"token number\">29</span><span class=\"token punctuation\">,</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span><span class=\"token number\">83</span><span class=\"token punctuation\">,</span><span class=\"token number\">76</span><span class=\"token punctuation\">,</span><span class=\"token number\">20</span><span class=\"token punctuation\">,</span><span class=\"token number\">114</span><span class=\"token punctuation\">,</span><span class=\"token number\">97</span><span 
class=\"token punctuation\">,</span><span class=\"token number\">55</span><span class=\"token punctuation\">,</span><span class=\"token number\">89</span><span class=\"token punctuation\">,</span><span class=\"token number\">121</span><span class=\"token punctuation\">,</span><span class=\"token number\">109</span><span class=\"token punctuation\">,</span><span class=\"token number\">60</span><span class=\"token punctuation\">,</span><span class=\"token number\">22</span><span class=\"token punctuation\">,</span><span class=\"token number\">22</span><span class=\"token punctuation\">,</span><span class=\"token number\">56</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">[</span><span class=\"token number\">101</span><span class=\"token punctuation\">,</span><span class=\"token number\">30</span><span class=\"token punctuation\">,</span><span class=\"token number\">103</span><span class=\"token punctuation\">,</span><span class=\"token number\">28</span><span class=\"token punctuation\">,</span><span class=\"token number\">88</span><span class=\"token punctuation\">,</span><span class=\"token number\">32</span><span class=\"token punctuation\">,</span><span class=\"token number\">47</span><span class=\"token punctuation\">,</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span><span class=\"token number\">114</span><span class=\"token punctuation\">,</span><span class=\"token number\">95</span><span class=\"token punctuation\">,</span><span class=\"token number\">21</span><span class=\"token punctuation\">,</span><span class=\"token number\">97</span><span class=\"token punctuation\">,</span><span class=\"token number\">98</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span><span class=\"token number\">42</span><span class=\"token punctuation\">,</span><span class=\"token 
number\">21</span><span class=\"token punctuation\">,</span><span class=\"token number\">36</span><span class=\"token punctuation\">,</span><span class=\"token number\">12</span><span class=\"token punctuation\">,</span><span class=\"token number\">88</span><span class=\"token punctuation\">,</span><span class=\"token number\">119</span><span class=\"token punctuation\">,</span><span class=\"token number\">99</span><span class=\"token punctuation\">,</span><span class=\"token number\">108</span><span class=\"token punctuation\">,</span><span class=\"token number\">97</span><span class=\"token punctuation\">,</span><span class=\"token number\">45</span><span class=\"token punctuation\">,</span><span class=\"token number\">5</span><span class=\"token punctuation\">,</span><span class=\"token number\">41</span><span class=\"token punctuation\">,</span><span class=\"token number\">65</span><span class=\"token punctuation\">,</span><span class=\"token number\">101</span><span class=\"token punctuation\">,</span><span class=\"token number\">15</span><span class=\"token punctuation\">,</span><span class=\"token number\">61</span><span class=\"token punctuation\">,</span><span class=\"token number\">86</span><span class=\"token punctuation\">,</span><span class=\"token number\">32</span><span class=\"token punctuation\">,</span><span class=\"token number\">70</span><span class=\"token punctuation\">,</span><span class=\"token number\">7</span><span class=\"token punctuation\">,</span><span class=\"token number\">106</span><span class=\"token punctuation\">,</span><span class=\"token number\">64</span><span class=\"token punctuation\">,</span><span class=\"token number\">78</span><span class=\"token punctuation\">,</span><span class=\"token number\">45</span><span class=\"token punctuation\">,</span><span class=\"token number\">43</span><span class=\"token punctuation\">,</span><span class=\"token number\">86</span><span class=\"token punctuation\">]</span><span 
class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"flag.enc\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    data <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> key <span class=\"token keyword\">in</span> keys<span class=\"token punctuation\">:</span>\n    tmp <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n    <span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span>d <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        tmp <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>d<span class=\"token operator\">^</span>key<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token string\">\"PWNME\"</span> <span class=\"token keyword\">in</span> tmp<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>tmp<span class=\"token punctuation\">)</span></code></pre></div>\n<p>With this, I was able to recover the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 
926px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/bf36c20865d0f28b8fa4db688fec8ae9/69476/image-20250301220404196.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 5.416666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAT0lEQVQI1w3FSwqAIABAwZZ98VMKCaFhWVZuu//NXs1mqr0s3G8glpmQHD4exPNhyw9ruoi5YJynGTS9sv+KuhO0YkLqEWsNUkmEFGit+AA1yBoS+FY8yQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/bf36c20865d0f28b8fa4db688fec8ae9/8ac56/image-20250301220404196.webp 240w,\n/static/bf36c20865d0f28b8fa4db688fec8ae9/d3be9/image-20250301220404196.webp 480w,\n/static/bf36c20865d0f28b8fa4db688fec8ae9/dafe9/image-20250301220404196.webp 926w\"\n              sizes=\"(max-width: 926px) 100vw, 926px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/bf36c20865d0f28b8fa4db688fec8ae9/8ff5a/image-20250301220404196.png 240w,\n/static/bf36c20865d0f28b8fa4db688fec8ae9/e85cb/image-20250301220404196.png 480w,\n/static/bf36c20865d0f28b8fa4db688fec8ae9/69476/image-20250301220404196.png 926w\"\n            sizes=\"(max-width: 926px) 100vw, 926px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/bf36c20865d0f28b8fa4db688fec8ae9/69476/image-20250301220404196.png\"\n            alt=\"image-20250301220404196\"\n            title=\"image-20250301220404196\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" 
style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I actually wanted to do something smarter, like reusing the original binary’s code via something like <code class=\"language-text\">dlopen</code>, but that did not work because the target was not a library file and the functions I wanted were not exported.</p>\n<p>Still looking for a better method…</p>","fields":{"slug":"/ctf-pwnme-2025-en","tagSlugs":["/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2025-03-07","description":"Pwnme CTF 2025 Writeup","tags":["Rev (en)","English"],"title":"Pwnme CTF 2025 Writeup","socialImage":{"publicURL":"/static/d0dd803f9c7dc5e6d5b04c8ae0dabb6c/ctf-pwnme-2025.png"}}}},"pageContext":{"slug":"/ctf-pwnme-2025-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}