{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-sec4b-2022-en","result":{"data":{"markdownRemark":{"id":"e40347fd-8195-5062-bbd0-240a7d5d2156","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-sec4b-2022\">original page</a>.</p>\n</blockquote>\n<p>I participated in <a href=\"https://score.beginners.azure.noc.seccon.jp/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SECCON Beginners CTF 2022</a>, which was held from 2022/06/04.</p>\n<p>This year again I only took on the Rev challenges, but I managed to solve them all.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a1044a24b9b45571a05de0d8fa2adf27/bb5d0/image-20220605125809068.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA4UlEQVQY02WQXXKDMAyEuf/h2nRaAhj8b9nGhKQ32ErO8NSHHSN965XwMM4a90VjswHL5mBDhosF2iZYn+FThdIe82rhuS98YyYeFzMmxXdN6LWwobYT7fFCqieMj9ivOjfkemA/Xj3UR+p98QsTnzDLd6jsOM5f5k8MxiUYR1BuRyBWKqzK4YTOvGzcEIlDmYlWE6E2j0VT5+LV7BUNVI4+VaaMk+pbSS2huT5AtfHv8rPMa+8Jm5TFx/eC24/CJ59vvb8HMQUq2Aoh5goZIKHXNlnE211PIJqU62Ff4/pPfx0ZbHQf576DAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a1044a24b9b45571a05de0d8fa2adf27/8ac56/image-20220605125809068.webp 240w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/d3be9/image-20220605125809068.webp 480w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/e46b2/image-20220605125809068.webp 
960w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/f992d/image-20220605125809068.webp 1440w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/05fe0/image-20220605125809068.webp 1453w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a1044a24b9b45571a05de0d8fa2adf27/8ff5a/image-20220605125809068.png 240w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/e85cb/image-20220605125809068.png 480w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/d9199/image-20220605125809068.png 960w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/07a9c/image-20220605125809068.png 1440w,\n/static/a1044a24b9b45571a05de0d8fa2adf27/bb5d0/image-20220605125809068.png 1453w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a1044a24b9b45571a05de0d8fa2adf27/d9199/image-20220605125809068.png\"\n            alt=\"image-20220605125809068\"\n            title=\"image-20220605125809068\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Overall, the problems felt like proper reverse-engineering challenges, and they were very fun to solve.</p>\n<p>This time as well, I’ll write up the problems I found particularly interesting.</p>\n<!-- omit in toc -->\n<h2 id=\"contents\" style=\"position:relative;\"><a href=\"#contents\" aria-label=\"contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Contents</h2>\n<ul>\n<li><a href=\"#wintlsrev\">WinTLS(Rev)</a></li>\n<li><a href=\"#recursiverev\">Recursive(Rev)</a></li>\n<li><a href=\"#ransomrev\">Ransom(Rev)</a></li>\n<li><a href=\"#please_not_debug_merev\">please_not_debug_me(Rev)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"wintlsrev\" style=\"position:relative;\"><a href=\"#wintlsrev\" aria-label=\"wintlsrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>WinTLS(Rev)</h2>\n<p>You are given a simple PE binary that checks whether the flag string entered through the GUI is correct.</p>\n<p>Decompiling the part that validates the input yields the following function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">bool <span class=\"token function\">check</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> iVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>_Str1<span class=\"token punctuation\">;</span>\n  \n  _Str1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token 
keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token function\">TlsGetValue</span><span class=\"token punctuation\">(</span>TLS<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">strncmp</span><span class=\"token punctuation\">(</span>_Str1<span class=\"token punctuation\">,</span>param_1<span class=\"token punctuation\">,</span><span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> iVar1 <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Here, it seems the program determines whether the flag is correct by comparing the input with the string in the TLS area obtained by the <code class=\"language-text\">TlsGetValue</code> function.</p>\n<p>TLS refers to Thread Local Storage, a per-thread private area.</p>\n<p>Reference: <a href=\"https://www.keicode.com/windows/win19.php\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Understanding Thread Local Storage (TLS) - Thorough Explanation of Windows - Thorough Explanation of Web/DB Programming</a></p>\n<p>Reference: <a href=\"https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-tlsgetvalue\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">TlsGetValue function (processthreadsapi.h) - Win32 apps | Microsoft Docs</a></p>\n<p>Since <code class=\"language-text\">TlsSetValue</code> is used to store a value in TLS, I checked where this function is called.</p>\n<p>It turned out that <code class=\"language-text\">TlsSetValue</code> is called at the following two locations.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      
style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f1acbb581382a6e1df201f17510b54fa/2130b/image-20220604201228653.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 41.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABZElEQVQoz3WR2W7bMBBF9f//ZTkFksjaN/s51upooUzKUU+HQlskRSPgYqgHHtwzdN6uHVW9MqmNcTb0TUf3VjN0I821xT26xNETcRJyPp8py3Kf38VRs2JZNhb1YBo1+n7HaA38ZJ5nXPdAFB6/AP/k338bp7o21NUqlzeGYZHUvL/36IdmGKcdGMdPJGnE5XzZIZffbf7X1mlFsRFlJcrLYujanrqpUUYxThboEvjPhHFMVuZkRUoq+bZhXbVUtuEkOxzvko7bNLCJ8jiOHA5H/FOE5//Ai54JYp9TGJCEMUmSkucJhSTLM4qiwGlqeYRuRetNtDVq6fn4eGC/u+zz9dUjTQO8kyd5kXMkgExA8Q7YW35Wtg1vt4dAEG0jaf8CjTF43gk/SAmjRLRto0igOWkmzYpcNC3oy6PUojwyTYq+H1Bzx7oagW6sRpPEiUAzsszCCrmUyyzJpZ1t+HmXdv4CpClIVzzSIEAAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f1acbb581382a6e1df201f17510b54fa/8ac56/image-20220604201228653.webp 240w,\n/static/f1acbb581382a6e1df201f17510b54fa/d3be9/image-20220604201228653.webp 480w,\n/static/f1acbb581382a6e1df201f17510b54fa/e46b2/image-20220604201228653.webp 960w,\n/static/f1acbb581382a6e1df201f17510b54fa/7bb49/image-20220604201228653.webp 1271w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f1acbb581382a6e1df201f17510b54fa/8ff5a/image-20220604201228653.png 240w,\n/static/f1acbb581382a6e1df201f17510b54fa/e85cb/image-20220604201228653.png 480w,\n/static/f1acbb581382a6e1df201f17510b54fa/d9199/image-20220604201228653.png 
960w,\n/static/f1acbb581382a6e1df201f17510b54fa/2130b/image-20220604201228653.png 1271w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f1acbb581382a6e1df201f17510b54fa/d9199/image-20220604201228653.png\"\n            alt=\"image-20220604201228653\"\n            title=\"image-20220604201228653\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7591bceb13e2208f2c09a192f92f8307/89048/image-20220604201206096.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 44.99999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7591bceb13e2208f2c09a192f92f8307/8ac56/image-20220604201206096.webp 240w,\n/static/7591bceb13e2208f2c09a192f92f8307/d3be9/image-20220604201206096.webp 480w,\n/static/7591bceb13e2208f2c09a192f92f8307/e46b2/image-20220604201206096.webp 960w,\n/static/7591bceb13e2208f2c09a192f92f8307/a3537/image-20220604201206096.webp 1242w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7591bceb13e2208f2c09a192f92f8307/8ff5a/image-20220604201206096.png 
240w,\n/static/7591bceb13e2208f2c09a192f92f8307/e85cb/image-20220604201206096.png 480w,\n/static/7591bceb13e2208f2c09a192f92f8307/d9199/image-20220604201206096.png 960w,\n/static/7591bceb13e2208f2c09a192f92f8307/89048/image-20220604201206096.png 1242w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7591bceb13e2208f2c09a192f92f8307/d9199/image-20220604201206096.png\"\n            alt=\"image-20220604201206096\"\n            title=\"image-20220604201206096\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Tracing back the callers of these two functions, I confirmed that the program creates two threads at the following point after startup.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">CreateThread</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>LPSECURITY_ATTRIBUTES<span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span>LPTHREAD_START_ROUTINE<span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>t1<span class=\"token punctuation\">,</span>atStack312<span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>DStack36<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">CreateThread</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>LPSECURITY_ATTRIBUTES<span 
class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span>LPTHREAD_START_ROUTINE<span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>t2<span class=\"token punctuation\">,</span>atStack312<span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>DStack36<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>It seems each thread stores a different value in its own TLS within the corresponding <code class=\"language-text\">LPTHREAD_START_ROUTINE</code>.</p>\n<p>Each thread performs a different operation on the input, and the input that satisfies both becomes the flag.</p>\n<p>More concretely, the input is checked from the beginning, and the difference is whether characters satisfying <code class=\"language-text\">i % 3 == 0 or i % 5 == 0</code> are removed or extracted.</p>\n<p>So I rewrote that logic in Python and then created the following solver to invert it, which successfully recovered the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token triple-quoted-string string\">\"\"\"\nflag = \"\"\nk = 0\nfor (i = 0; (i &lt; 0x100 &amp;&amp; (word = flag[i]), word != '\\0')); i = i + 1) {\n    if (((int)i % 3 == 0) || ((int)i % 5 == 0)) {\n        j = k;\n        k = k + 1;\n        result[j] = word;\n    }\n}\nresult[k] = 0;\n\"\"\"</span>\n<span class=\"token comment\"># TlsSetValue(TLS,\"c4{fAPu8#FHh2+0cyo8$SWJH3a8X\");</span>\n<span class=\"token comment\"># TlsSetValue(TLS,\"tfb%s$T9NvFyroLh@89a9yoC3rPy&amp;3b}\");</span>\n\n<span class=\"token comment\"># ===========================================</span>\n\na <span class=\"token 
operator\">=</span> <span class=\"token builtin\">list</span><span class=\"token punctuation\">(</span><span class=\"token string\">r\"c4{fAPu8#FHh2+0cyo8$SWJH3a8X\"</span><span class=\"token punctuation\">)</span>\nb <span class=\"token operator\">=</span> <span class=\"token builtin\">list</span><span class=\"token punctuation\">(</span><span class=\"token string\">r\"tfb%s$T9NvFyroLh@89a9yoC3rPy&amp;3b}\"</span><span class=\"token punctuation\">)</span>\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> i <span class=\"token operator\">%</span> <span class=\"token number\">3</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span> <span class=\"token keyword\">or</span> i <span class=\"token operator\">%</span> <span class=\"token number\">5</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">+=</span> a<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">+=</span> b<span class=\"token punctuation\">.</span>pop<span class=\"token punctuation\">(</span><span 
class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># ctf4b{f%sAP$uT98Nv#FFHyrh2o+Lh0@8c9yoa98$ySoCW3rJPH3y&amp;a83Xb}</span></code></pre></div>\n<h2 id=\"recursiverev\" style=\"position:relative;\"><a href=\"#recursiverev\" aria-label=\"recursiverev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Recursive(Rev)</h2>\n<p>You are given an ELF binary that checks whether the input matches the flag.</p>\n<p>When I decompiled it with Ghidra, as the challenge name suggests, it seemed to call the <code class=\"language-text\">check</code> function recursively over and over.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2ede31c97638e0664ecceb314290db13/96220/image-20220605002037042.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 61.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/2ede31c97638e0664ecceb314290db13/8ac56/image-20220605002037042.webp 240w,\n/static/2ede31c97638e0664ecceb314290db13/d3be9/image-20220605002037042.webp 480w,\n/static/2ede31c97638e0664ecceb314290db13/e46b2/image-20220605002037042.webp 960w,\n/static/2ede31c97638e0664ecceb314290db13/c0c42/image-20220605002037042.webp 1165w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2ede31c97638e0664ecceb314290db13/8ff5a/image-20220605002037042.png 240w,\n/static/2ede31c97638e0664ecceb314290db13/e85cb/image-20220605002037042.png 480w,\n/static/2ede31c97638e0664ecceb314290db13/d9199/image-20220605002037042.png 960w,\n/static/2ede31c97638e0664ecceb314290db13/96220/image-20220605002037042.png 1165w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2ede31c97638e0664ecceb314290db13/d9199/image-20220605002037042.png\"\n            alt=\"image-20220605002037042\"\n            title=\"image-20220605002037042\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It took me a little time to reverse the function, but after rewriting it in Python it looked roughly like this.</p>\n<p>The string given as input is recursively split in half and checked, and when the length of the string passed as an argument finally becomes 1, the program seems to validate the input by checking whether that character matches the character at a specific position in a table in the data section.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">table <span class=\"token operator\">=</span> <span class=\"token 
punctuation\">[</span><span class=\"token string\">\"DATA\"</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">check</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">,</span> i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    l <span class=\"token operator\">=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> l <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>table<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"flag character\"</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>table<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        k <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>l <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span>\n        nd 
<span class=\"token operator\">=</span> data<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">:</span>k<span class=\"token punctuation\">]</span>\n        <span class=\"token keyword\">if</span> check<span class=\"token punctuation\">(</span>nd<span class=\"token punctuation\">,</span> i<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">1</span>\n        nd <span class=\"token operator\">=</span> data<span class=\"token punctuation\">[</span>k<span class=\"token punctuation\">:</span>l<span class=\"token punctuation\">]</span>\n        <span class=\"token keyword\">if</span> check<span class=\"token punctuation\">(</span>nd<span class=\"token punctuation\">,</span> k<span class=\"token operator\">*</span>k<span class=\"token operator\">+</span>i<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">return</span> <span class=\"token number\">1</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span>\n\ncheck<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>At first I thought a brute-force approach, determining the characters one by one from the beginning, would be simplest, but automating the exhaustive checks was annoying, so I used a script like the following to identify the flag manually one character at a time.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span 
class=\"token comment\"># gdb -x run.py</span>\n<span class=\"token keyword\">import</span> gdb\n\nBINDIR <span class=\"token operator\">=</span> <span class=\"token string\">\"/home/ubuntu/Downloads\"</span>\nBIN <span class=\"token operator\">=</span> <span class=\"token string\">\"recursive\"</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'file {}/{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>BINDIR<span class=\"token punctuation\">,</span> BIN<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'b *{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0x5555555552bf\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"input.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span><span class=\"token string\">\"ctf4b{r3curs1v3_c4l1_1s_4_v3ry_u53fu1\"</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"A\"</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token number\">38</span><span class=\"token operator\">-</span><span class=\"token number\">37</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'run &lt; {}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"input.txt\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x26</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        gdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'continue'</span><span class=\"token punctuation\">)</span>\n        gdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'xinfo register edx'</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n        gdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'quit'</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>If you edit this script and run it 38 times, you can recover the flag.</p>\n<h2 id=\"ransomrev\" style=\"position:relative;\"><a href=\"#ransomrev\" aria-label=\"ransomrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Ransom(Rev)</h2>\n<p>This challenge was about manually recovering a file encrypted by ransomware.</p>\n<p>It felt a lot like playing with real malware, and it was a lot of fun.</p>\n<p>Decompiling the challenge binary yielded code like the following.</p>\n<p>At a high level, it seems to encrypt a secret file using an encryption key generated from a random seed, and then send the seed to an external destination at the end.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>__stream <span class=\"token operator\">==</span> <span class=\"token punctuation\">(</span>FILE <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Can\\'t open file.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar2 <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n  pcVar3 <span class=\"token operator\">=</span> <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>text<span class=\"token punctuation\">,</span><span class=\"token number\">0x100</span><span class=\"token punctuation\">,</span>__stream<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>pcVar3 <span class=\"token operator\">!=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    sVar4 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>text<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    enced <span class=\"token operator\">=</span> <span class=\"token function\">malloc</span><span class=\"token punctuation\">(</span>sVar4 <span class=\"token operator\">&lt;&lt;</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">FUN_55555555557f</span><span class=\"token punctuation\">(</span>__buf<span class=\"token punctuation\">,</span>text<span class=\"token punctuation\">,</span>enced<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    __stream_00 <span class=\"token operator\">=</span> <span class=\"token function\">fopen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ctf4b_super_secret.txt.lock\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>__stream_00 <span class=\"token operator\">==</span> <span class=\"token punctuation\">(</span>FILE <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span 
class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Can\\'t write file.\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    uVar2 <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">goto</span> LAB_55555555591f<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    k <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    sVar4 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>text<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>k <span class=\"token operator\">==</span> sVar4<span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">fprintf</span><span class=\"token punctuation\">(</span>__stream_00<span class=\"token punctuation\">,</span><span class=\"token string\">\"\\\\x%02x\"</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>k <span class=\"token operator\">+</span> <span class=\"token 
punctuation\">(</span><span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span>enced<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    k <span class=\"token operator\">=</span> k <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token function\">fclose</span><span class=\"token punctuation\">(</span>__stream_00<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">fclose</span><span class=\"token punctuation\">(</span>__stream<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n__fd <span class=\"token operator\">=</span> <span class=\"token function\">socket</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>__fd <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed to create socket\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    uVar2 <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">else</span> <span 
class=\"token punctuation\">{</span>\n    local_128<span class=\"token punctuation\">.</span>_0_2_ <span class=\"token operator\">=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n    local_124 <span class=\"token operator\">=</span> <span class=\"token function\">inet_addr</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"192.168.0.225\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    local_128<span class=\"token punctuation\">.</span>_2_2_ <span class=\"token operator\">=</span> <span class=\"token function\">htons</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x1f90</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">connect</span><span class=\"token punctuation\">(</span>__fd<span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>sockaddr <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_128<span class=\"token punctuation\">,</span><span class=\"token number\">0x10</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">write</span><span class=\"token punctuation\">(</span>__fd<span class=\"token punctuation\">,</span>__buf<span class=\"token punctuation\">,</span><span class=\"token number\">0x11</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    uVar2 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token 
punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Failed to connect\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    uVar2 <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Since the seed used to encrypt the flag could be obtained from the provided pcap file, I next set out to identify the encryption logic.</p>\n<p>Looking at the part that performs encryption based on the seed, I found that the function at <code class=\"language-text\">0x555555555381</code> generates an encryption key from the seed and uses that key to encrypt the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 557px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/642b1906d1057fe8408fa5d9d1fb5aa7/30d00/image-20220605012625271.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 53.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/642b1906d1057fe8408fa5d9d1fb5aa7/8ac56/image-20220605012625271.webp 240w,\n/static/642b1906d1057fe8408fa5d9d1fb5aa7/d3be9/image-20220605012625271.webp 480w,\n/static/642b1906d1057fe8408fa5d9d1fb5aa7/9b7c7/image-20220605012625271.webp 
557w\"\n              sizes=\"(max-width: 557px) 100vw, 557px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/642b1906d1057fe8408fa5d9d1fb5aa7/8ff5a/image-20220605012625271.png 240w,\n/static/642b1906d1057fe8408fa5d9d1fb5aa7/e85cb/image-20220605012625271.png 480w,\n/static/642b1906d1057fe8408fa5d9d1fb5aa7/30d00/image-20220605012625271.png 557w\"\n            sizes=\"(max-width: 557px) 100vw, 557px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/642b1906d1057fe8408fa5d9d1fb5aa7/30d00/image-20220605012625271.png\"\n            alt=\"image-20220605012625271\"\n            title=\"image-20220605012625271\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The encryption key generated by <code class=\"language-text\">0x555555555381</code> is uniquely determined by the seed value, so I was able to obtain it easily by using gdb to tamper with the seed value passed to that function and capturing its output from memory.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># gdb -x run.py</span>\n<span class=\"token keyword\">import</span> gdb\n\nBINDIR <span class=\"token operator\">=</span> <span class=\"token string\">\"/home/ubuntu/Downloads\"</span>\nBIN <span class=\"token operator\">=</span> <span class=\"token string\">\"ransom\"</span>\n\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'file {}/{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>BINDIR<span class=\"token punctuation\">,</span> BIN<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'b *{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0x5555555555b9\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'b *{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0x5555555555e6\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'run'</span><span class=\"token punctuation\">)</span>\n\nseed <span class=\"token operator\">=</span> <span class=\"token string\">\"rgUAvvyfyApNPEYg\"</span>\n<span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span> c <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>seed<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x5555555592a0</span> <span class=\"token operator\">+</span> i<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">'set {}{} = {}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token 
punctuation\">(</span><span class=\"token string\">\"{char}\"</span><span class=\"token punctuation\">,</span> target<span class=\"token punctuation\">,</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    gdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'set {}{} = {}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"{char}\"</span><span class=\"token punctuation\">,</span> target<span class=\"token punctuation\">,</span> <span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'x/s 0x5555555592a0'</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'continue'</span><span class=\"token punctuation\">)</span>\n\ni <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>inferiors<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\nmem <span class=\"token operator\">=</span> i<span class=\"token 
punctuation\">.</span>read_memory<span class=\"token punctuation\">(</span><span class=\"token number\">0x7fffffffdaa0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">264</span><span class=\"token punctuation\">)</span>\nkey <span class=\"token operator\">=</span> mem<span class=\"token punctuation\">.</span>tobytes<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Having identified the encryption key, I next reversed the encryption process implemented by <code class=\"language-text\">FUN_55555555545e</code>.</p>\n<p>The decompiled result looked like this.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">undefined8 <span class=\"token function\">FUN_55555555545e</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> param_1<span class=\"token punctuation\">,</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>param_2<span class=\"token punctuation\">,</span><span class=\"token keyword\">long</span> param_3<span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n  <span class=\"token class-name\">size_t</span> sVar1<span class=\"token punctuation\">;</span>\n  uint local_24<span class=\"token punctuation\">;</span>\n  uint local_20<span class=\"token punctuation\">;</span>\n  ulong local_18<span class=\"token punctuation\">;</span>\n  \n  local_24 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  local_20 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  local_18 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span 
class=\"token punctuation\">;</span>\n  sVar1 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>param_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">;</span> local_18 <span class=\"token operator\">&lt;</span> sVar1<span class=\"token punctuation\">;</span> local_18 <span class=\"token operator\">=</span> local_18 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    local_24 <span class=\"token operator\">=</span> local_24 <span class=\"token operator\">+</span> <span class=\"token number\">1</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">;</span>\n    local_20 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> local_20 <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">FUN_555555555349</span><span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">,</span><span class=\"token 
punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>local_20 <span class=\"token operator\">+</span> param_1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>local_18 <span class=\"token operator\">+</span> param_3<span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span>\n         param_2<span class=\"token punctuation\">[</span>local_18<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span>\n         <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">+</span>\n                  <span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>byte<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>local_20<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span>\n                               <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Rewriting it in Python gives something roughly like this.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># key: key state generated from the seed, flag: plaintext, both as lists of byte values</span>\nA <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nB <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nencrypted <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">*</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    A <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>A <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span 
class=\"token number\">0xff</span>\n    B <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> B<span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span>\n    key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">[</span>B<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> key<span class=\"token punctuation\">[</span>B<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span>  <span class=\"token comment\"># swap</span>\n    encrypted<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> flag<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> key<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">[</span>B<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">]</span></code></pre></div>\n<p>Once I understood the encryption logic, all that was left was to create a solver like the following to decrypt it, and I was able to recover the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">encrypted <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> b <span class=\"token keyword\">for</span> b <span class=\"token keyword\">in</span> <span class=\"token 
string\">b'\\x2b\\xa9\\xf3\\x6f\\xa2\\x2e\\xcd\\xf3\\x78\\xcc\\xb7\\xa0\\xde\\x6d\\xb1\\xd4\\x24\\x3c\\x8a\\x89\\xa3\\xce\\xab\\x30\\x7f\\xc2\\xb9\\x0c\\xb9\\xf4\\xe7\\xda\\x25\\xcd\\xfc\\x4e\\xc7\\x9e\\x7e\\x43\\x2b\\x3b\\xdc\\x09\\x80\\x96\\x95\\xf6\\x76\\x10'</span><span class=\"token punctuation\">]</span>\nkey <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>b <span class=\"token keyword\">for</span> b <span class=\"token keyword\">in</span> <span class=\"token string\">b'h\\x1d\\x8bu}j\\xe90\\x14\\xe7\\x9b\\xa3Ps!\\x7f\\x04y\\x86)\\xe2\\x01\\xd8U\\xe6]\\xc43L\\x10-\\x05\\xc0\\xc3+\\x15\\x03\\xa4\\xeb\\x9e\\xdd\\x8aE\\xe5\\x02H\\x93,VB$[\\x96\\x876\\xa0\\x84\\x1f\\xa8\\xfb:\\xe1\\x07 \\xf2\\x9a\\xc2\\x80o\\x8cm\\x1ext\\xcf\\xc7cd\\x9c\\xcc\\xd0\\x0fTQ\\xd6\\xdf\\x92\\x9f\\xed\\x00\\xa7\\xf9\"\\xff\\x0c\\xc1(\\xcd\\x8fW\\xf6\\x99z\\xfe\\t\\xaa\\xe8C\\x94\\x06\\xb9\\xb87\\xef\\xf0nD\\x8d&amp;\\xe3\\x85\\x08\\xadK;\\xd2#\\x88\\xb5Z1\\xc6\\x984\\xe0\\xfc\\xb3ek\\x82\\xde\\x91\\x97%\\x19\\xea\\x95\\xa5\\xb2\\x8e\\xa1N\\xba\\xfd\\xb6\\x81\\xc9\\xab\\r\\xda\\xd3\\xbb&lt;\\xf4\\xd9\\xbf\\x11w\\x9d\\xe4\\xbd\\xfa\\x1c\\xbcF{\\xf7\\\\\\xb4\\n\\xd1a\\xaeA8\\xa2\\xdb\\xdc\\x18\\xcb\\xc8\\xee\\x90\\xc5\\x13\\x0b\\xca\\xce\\x1ar\\xd7Y\\xf1Sf\\x16\\xf8\\xb1\\xa9_qMg\\x83\\x89\\xf5\\xd5\\xacI*\\xf3~=\\x12>b\\xbe\\xb0@2R\\x0e?\\xecX\\xaf\\xb7.J`5G\\'|\\x17O\\xa69vi\\xd4pl\\x1b/^@YUUUU\\x00\\x00'</span><span class=\"token punctuation\">]</span>\nflag <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"X\"</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">50</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n<span class=\"token comment\"># print(len(encrypted))</span>\n<span class=\"token 
comment\"># print(len(base))</span>\n\nA <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nB <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">50</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    A <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>A <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span>\n    B <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> B<span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span>\n\n    tmp <span class=\"token operator\">=</span> key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span>\n    key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> key<span class=\"token punctuation\">[</span>B<span class=\"token punctuation\">]</span>\n    key<span class=\"token punctuation\">[</span>B<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> tmp\n\n    <span class=\"token comment\"># encrypted[i] = ord(flag[i]) ^ (key[(key[B] + key[A])&amp; 0xff])</span>\n    flag<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>encrypted<span class=\"token 
punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">[</span>B<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> key<span class=\"token punctuation\">[</span>A<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># print(encrypted)</span>\n<span class=\"token comment\"># ctf4b{rans0mw4re_1s_v4ry_dan9er0u3_s0_b4_c4refu1}</span></code></pre></div>\n<h2 id=\"pleasenotdebug_merev\" style=\"position:relative;\"><a href=\"#pleasenotdebug_merev\" aria-label=\"pleasenotdebug_merev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>please_not_debug_me(Rev)</h2>\n<p>The last problem was marked Hard, but personally it felt about as difficult as the Medium problem <code 
class=\"language-text\">Ransom</code>.</p>\n<p>The challenge binary is a program that validates the input flag, but it behaves like packed malware and also includes anti-debugging functionality.</p>\n<p>A rough solution outline is as follows.</p>\n<ul>\n<li>Decrypt the encrypted payload in the binary’s data section and extract it as an ELF file</li>\n<li>Patch the extracted ELF in Ghidra to disable its anti-debugging checks</li>\n<li>Use gdb to identify the encryption logic used during flag verification and write a solver</li>\n</ul>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 540px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f8fed30bfbed289549e22caf61c6479d/07484/image-20220605014721603.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 107.91666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f8fed30bfbed289549e22caf61c6479d/8ac56/image-20220605014721603.webp 240w,\n/static/f8fed30bfbed289549e22caf61c6479d/d3be9/image-20220605014721603.webp 480w,\n/static/f8fed30bfbed289549e22caf61c6479d/9e625/image-20220605014721603.webp 540w\"\n              sizes=\"(max-width: 540px) 100vw, 540px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f8fed30bfbed289549e22caf61c6479d/8ff5a/image-20220605014721603.png 240w,\n/static/f8fed30bfbed289549e22caf61c6479d/e85cb/image-20220605014721603.png 480w,\n/static/f8fed30bfbed289549e22caf61c6479d/07484/image-20220605014721603.png 540w\"\n            sizes=\"(max-width: 540px) 100vw, 540px\"\n         
   type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f8fed30bfbed289549e22caf61c6479d/07484/image-20220605014721603.png\"\n            alt=\"image-20220605014721603\"\n            title=\"image-20220605014721603\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>First, I used the following script to decrypt the encrypted payload in the binary’s data section.</p>\n<p>The decrypted data is saved as another binary file in little-endian format.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">binary <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token operator\">&lt;</span>binary extracted from the data section<span class=\"token operator\">></span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>binary<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    binary<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> binary<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token number\">0x16</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"revert.bin\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span 
class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> <span class=\"token builtin\">bin</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>binary<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token builtin\">bin</span><span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>binary<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>to_bytes<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"little\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>When I decompiled the extracted binary, I found the following anti-debugging code embedded in it, so I used Ghidra’s patch feature to alter the conditional branch.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">long</span> lVar1<span class=\"token punctuation\">;</span>\nulong uVar2<span class=\"token punctuation\">;</span>\nuint local_c<span class=\"token punctuation\">;</span>\n\nlocal_c <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\nlVar1 <span class=\"token operator\">=</span> <span class=\"token function\">ptrace</span><span class=\"token punctuation\">(</span>PTRACE_TRACEME<span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span 
class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>lVar1 <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  local_c <span class=\"token operator\">=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\nuVar2 <span class=\"token operator\">=</span> <span class=\"token function\">ptrace</span><span class=\"token punctuation\">(</span>PTRACE_TRACEME<span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>uVar2 <span class=\"token operator\">==</span> <span class=\"token number\">0xffffffffffffffff</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  local_c <span class=\"token operator\">=</span> local_c <span class=\"token operator\">*</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\n  uVar2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span>local_c<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_c <span class=\"token operator\">!=</span> <span class=\"token number\">6</span><span class=\"token punctuation\">)</span> <span 
class=\"token punctuation\">{</span>\n  <span class=\"token function\">fwrite</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"No bugs here so don\\'t debug me!\\n\"</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x20</span><span class=\"token punctuation\">,</span><span class=\"token constant\">stderr</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n  <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>After patching:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0347bb4e0b37c683e95830472c4d76b5/d43b4/image-20220605020512544.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.500000000000004%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0347bb4e0b37c683e95830472c4d76b5/8ac56/image-20220605020512544.webp 240w,\n/static/0347bb4e0b37c683e95830472c4d76b5/d3be9/image-20220605020512544.webp 480w,\n/static/0347bb4e0b37c683e95830472c4d76b5/e46b2/image-20220605020512544.webp 960w,\n/static/0347bb4e0b37c683e95830472c4d76b5/ccc09/image-20220605020512544.webp 
1202w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0347bb4e0b37c683e95830472c4d76b5/8ff5a/image-20220605020512544.png 240w,\n/static/0347bb4e0b37c683e95830472c4d76b5/e85cb/image-20220605020512544.png 480w,\n/static/0347bb4e0b37c683e95830472c4d76b5/d9199/image-20220605020512544.png 960w,\n/static/0347bb4e0b37c683e95830472c4d76b5/d43b4/image-20220605020512544.png 1202w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0347bb4e0b37c683e95830472c4d76b5/d9199/image-20220605020512544.png\"\n            alt=\"image-20220605020512544\"\n            title=\"image-20220605020512544\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This detection method relies on the fact that a process can have only one tracer at a time, so a <code class=\"language-text\">ptrace</code> request fails when a debugger or <code class=\"language-text\">strace</code> is already attached. In the decompiled code above, the first <code class=\"language-text\">PTRACE_TRACEME</code> call has to succeed and the second has to fail for <code class=\"language-text\">local_c</code> to reach 6; under a debugger the first call already fails, so the check exits.</p>\n<p>For details, the following article was helpful.</p>\n<p>Reference: <a href=\"https://seblau.github.io/posts/linux-anti-debugging\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Sebastian Auberger’s Blog | Linux Anti Debugging</a></p>\n<p>By dynamically analyzing the patched binary, I was able to extract the encrypted flag and the key from memory.</p>\n<p>I could also confirm that the encryption method was RC4.</p>\n<p>So, by reimplementing RC4 and applying it to the extracted data, I was able to recover the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">key <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span 
class=\"token number\">0x62</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x36</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x35</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x35</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x62</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x36</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x63</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x37</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x38</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x37</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x38</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x37</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x33</span><span class=\"token punctuation\">,</span>\n<span 
class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x36</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x35</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x63</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x39</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x37</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">,</span>\n<span class=\"token number\">0x64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x35</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x39</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x64</span><span class=\"token punctuation\">]</span>\n\nencrypted <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">0x27</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd9</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x25</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x81</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x59</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x05</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x01</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbe</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9c</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0xa9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x46</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x48</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x22</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xec</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xdb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xdc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x98</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x90</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x80</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x36</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x42</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x90</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x44</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x85</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x95</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xee</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfa</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x94</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x85</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\nflag <span class=\"token operator\">=</span> RC4<span class=\"token punctuation\">(</span>encrypted<span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># ctf4b{D0_y0u_kn0w_0f_0th3r_w4y5_t0_d3t3ct_d36u991n9_1n_L1nux?}</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 
3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>This was my third year participating in sec4b, and compared with <a href=\"/ctf-sec4b-2021\">last year</a>, I felt that I could solve the Rev challenges much more comfortably.</p>\n<p>That said, once the problems get to a level above sec4b, I still get stuck pretty often, so I need to keep improving.</p>","fields":{"slug":"/ctf-sec4b-2022-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/linux-en/","/tag/windows-en/","/tag/english/"]},"frontmatter":{"date":"2022-06-05","description":"A writeup of the Rev challenges from SECCON Beginners 2022.","tags":["CTF (en)","Reversing (en)","Linux (en)","Windows (en)","English"],"title":"SECCON Beginners 2022 Writeup","socialImage":{"publicURL":"/static/4fb9b0055352f8cf25bbbf625bf5e7ae/ctf-sec4b-2022.png"}}}},"pageContext":{"slug":"/ctf-sec4b-2022-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}