{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-sec4b-2023-en","result":{"data":{"markdownRemark":{"id":"89c67772-de3c-5265-a14e-12d2e1911cdb","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-sec4b-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in SECCON Beginners CTF 2023 (starting June 3) with team 0nePadding.</p>\n<p>Final placement was 35th out of 778 teams.</p>\n<p><img src=\"/static/43d099397a397f0343dd7253023f0b56/264eb/image-20230604164204980.png\" alt=\"image-20230604164204980\" title=\"image-20230604164204980\"></p>\n<p>We managed to hold a top-5 position for the first six hours or so, but then ran out of solvable problems and gradually slid down to 35th. Frustrating, but entirely a matter of skill — more practice needed.</p>\n<p>As usual I focused on Rev and cleared it completely. This time I also tried my hand at Misc and Pwn.</p>\n<p>This writeup covers the Rev and some of the Misc problems. The kernel exploit Pwn challenge deserves a separate, more detailed post.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\">Table of Contents</h2>\n<ul>\n<li><a href=\"#half-rev\">Half (Rev)</a></li>\n<li><a href=\"#three-rev\">Three (Rev)</a></li>\n<li><a href=\"#poker-rev\">Poker (Rev)</a></li>\n<li><a href=\"#leak-rev\">Leak (Rev)</a></li>\n<li><a href=\"#heaven-rev\">Heaven (Rev)</a></li>\n<li><a href=\"#yaro-misc\">YARO (Misc)</a></li>\n<li><a href=\"#wrap-up\">Wrap-up</a></li>\n</ul>\n<h2 id=\"half-rev\" style=\"position:relative;\"><a href=\"#half-rev\" 
aria-label=\"half rev permalink\" class=\"anchor before\"></a>Half (Rev)</h2>\n<blockquote>\n<p>Let’s look up what kind of file a binary file is!</p>\n<p>And how do we peek inside it…?</p>\n</blockquote>\n<p>Running <code class=\"language-text\">strings</code> on the downloaded binary reveals the Flag.</p>\n<h2 id=\"three-rev\" style=\"position:relative;\"><a href=\"#three-rev\" aria-label=\"three rev permalink\" class=\"anchor before\"></a>Three (Rev)</h2>\n<blockquote>\n<p>You can’t find the flag just by glancing at the contents of this file!</p>\n<p>Do you need a specialized tool to analyze binary files?</p>\n</blockquote>\n<p>Decompiling with Ghidra shows three arrays in which every character is stored as a 4-byte integer (only the low byte of each is meaningful), and the Flag is assembled by taking one character in turn from each array: the first array supplies flag positions 0, 3, 6 and so on, the second positions 1, 4, 7 and so on, and the third positions 2, 5, 8 and so on.</p>\n<p>The following solver script retrieves the Flag. The three lists are the raw bytes as dumped from Ghidra, so the script steps through them four bytes at a time and reads the low byte of each integer:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">f1 <span class=\"token 
operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">0x63</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x63</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x75</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x62</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x74</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x72</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span> <span class=\"token punctuation\">]</span>\nf2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">0x74</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x62</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x79</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x74</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x75</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x74</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x69</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x67</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span> <span class=\"token punctuation\">]</span>\nf3 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6e</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x70</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x74</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x31</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span> <span class=\"token punctuation\">]</span>\n\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x31</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> i <span class=\"token operator\">%</span> <span class=\"token number\">3</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>f1<span class=\"token punctuation\">[</span>i<span class=\"token operator\">//</span><span class=\"token number\">3</span><span class=\"token operator\">*</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">elif</span> i <span class=\"token operator\">%</span> <span class=\"token number\">3</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token 
punctuation\">(</span>f2<span class=\"token punctuation\">[</span>i<span class=\"token operator\">//</span><span class=\"token number\">3</span><span class=\"token operator\">*</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">elif</span> i <span class=\"token operator\">%</span> <span class=\"token number\">3</span> <span class=\"token operator\">==</span> <span class=\"token number\">2</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>f3<span class=\"token punctuation\">[</span>i<span class=\"token operator\">//</span><span class=\"token number\">3</span><span class=\"token operator\">*</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># ctf4b{c4n_y0u_ab1e_t0_und0_t4e_t4ree_sp1it_f14g3}</span></code></pre></div>\n<h2 id=\"poker-rev\" style=\"position:relative;\"><a href=\"#poker-rev\" aria-label=\"poker rev permalink\" class=\"anchor before\"></a>Poker (Rev)</h2>\n<blockquote>\n<p>Let’s play poker together! Apparently you get a flag if you accumulate enough points!</p>\n<p>But when I try to run this binary file…? Let’s use a specialized tool that can inspect the internals while it’s running!</p>\n</blockquote>\n<p>Running the binary shows a program that randomly wins or loses, causing the score to fluctuate:</p>\n<p><img src=\"/static/7586f1105e5622609ffb239f6307b336/0955e/image-20230604165010482.png\" alt=\"image-20230604165010482\" title=\"image-20230604165010482\"></p>\n<p>Decompiling with Ghidra reveals that a function to retrieve the Flag executes once the total score reaches a value that is practically unachievable in normal play.</p>\n<p>I could have patched memory at runtime with gdb, but it was easier to just patch the winning score threshold to 0 in Ghidra.</p>\n<p>Running the patched binary means a single win triggers the Flag:</p>\n<p><img src=\"/static/99043d35649d0608ff6ac6534348e610/d9199/image-20230604165229548.png\" alt=\"image-20230604165229548\" title=\"image-20230604165229548\"></p>\n<h2 id=\"leak-rev\" style=\"position:relative;\"><a href=\"#leak-rev\" aria-label=\"leak rev permalink\" class=\"anchor before\"></a>Leak (Rev)</h2>\n<blockquote>\n<p>Suspicious traffic was detected from the server!</p>\n<p>On further investigation, a suspicious file was found. 
Please analyze it along with the traffic log.</p>\n<p>Sensitive information may have been exfiltrated…?</p>\n</blockquote>\n<p>Looking at the provided pcap file shows a 55-byte sequence being sent to a C2 server.</p>\n<p>This looks like some kind of encrypted byte sequence, so I analyzed the program in Ghidra.</p>\n<div class=\"gatsby-highlight\" data-language=\"text\"><pre class=\"language-text\"><code class=\"language-text\">0x8e,0x57,0xff,0x59,0x45,0xda,0x90,0x06,0x28,0xb2,0xab,0xfa,0x49,0x73,0x32,0x33,0x4a,0x73,0x29,0x41,0x3c,0x34,0xb7,0xf6,0x62,0x73,0x25,0x0f,0x95,0x40,0x16,0xfa,0x47,0xe9,0x22,0x8d,0xa5,0xcd,0x3d,0x53,0xee,0xb4,0xb3,0x51,0x8e,0xd2,0x89,0x93,0x5b,0xe0,0x59,0xcb,0xfb,0xb1,0x1b</code></pre></div>\n<p>Looking at the decompiled output, the Flag encryption appears to be performed as follows:</p>\n<p><img src=\"/static/7441c00a033de05e146f64364add24d4/d0c0e/image-20230604165644627.png\" alt=\"image-20230604165644627\" title=\"image-20230604165644627\"></p>\n<p>At a glance it’s clear this is simply XOR-ing each 
Flag character with a key generated by a local function.</p>\n<p>Manually deriving the per-character key generation was tedious, so I used the following gdb script to extract it.</p>\n<p>Since the key generation does not depend on the input string, the extracted key can be used directly for decryption:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># gdb -x run.py</span>\n<span class=\"token keyword\">import</span> gdb\n<span class=\"token keyword\">from</span> pprint <span class=\"token keyword\">import</span> pprint\n\n<span class=\"token comment\"># pprint(dir(gdb))</span>\nBINDIR <span class=\"token operator\">=</span> <span class=\"token string\">\"/home/ubuntu/Hacking/CTF/2023/sec4b/Rev/Leak\"</span>\nBIN <span class=\"token operator\">=</span> <span class=\"token string\">\"leak\"</span>\nINPUT <span class=\"token operator\">=</span> <span class=\"token string\">\"./in.txt\"</span>\nOUT <span class=\"token operator\">=</span> <span class=\"token string\">\"./out.txt\"</span>\nBREAK <span class=\"token operator\">=</span> <span class=\"token string\">\"0x555555555518\"</span>\n\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'file {}/{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>BINDIR<span class=\"token punctuation\">,</span> BIN<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'b *{}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>BREAK<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ngdb<span class=\"token 
.</span>execute">
punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">'run &lt; {}'</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>INPUT<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nkey <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n<span class=\"token comment\"># loop until the inferior exits: pid is 0 once there is no live process</span>\n<span class=\"token keyword\">while</span> gdb<span class=\"token punctuation\">.</span>selected_inferior<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>pid <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># at the breakpoint, $rcx holds the key byte for the current character</span>\n    reg <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>gdb<span class=\"token punctuation\">.</span>parse_and_eval<span class=\"token punctuation\">(</span><span class=\"token string\">\"$rcx\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    key<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>reg<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># run to the next breakpoint hit, or to exit after the last character</span>\n    gdb<span class=\"token punctuation\">.</span>execute<span class=\"token punctuation\">(</span><span class=\"token string\">\"continue\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># ['0xed', '0x23', '0x99', '0x6d', '0x27', '0xa1', '0xe0', '0x32', '0x51', '0xed', '0xc5', 
'0xca', '0x16', '0x47', '0x46', '0x47', '0x2f', '0x1d', '0x5d', '0x70', '0xc', '0x5a', '0xe8', '0x82', '0x52', '0x2c', '0x51', '0x3b', '0xf4', '0x34', '0x49', '0x97', '0x73', '0x87', '0x7d', '0xef', '0xc0', '0xa5', '0xc', '0x3d', '0x8a', '0xeb', '0xc7', '0x65', '0xeb', '0x8d', '0xea', '0xe6', '0x29']</span></code></pre></div>\n<p>XOR-ing the extracted key with the encrypted byte sequence from the pcap yields the Flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">key<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token number\">0xed</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x23</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x99</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x27</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x51</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xed</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xca</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x16</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x47</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x46</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x47</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x2f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x70</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x82</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x52</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x51</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x49</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x97</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x87</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xef</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3d</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x8a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xeb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xeb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xea</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x29</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x38</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfa</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x95</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xcc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x11</span><span class=\"token punctuation\">]</span>\nenc<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token number\">0x8e</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x57</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xff</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x59</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x45</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xda</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x90</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x06</span><span class=\"token punctuation\">,</span><span class=\"token 
number\">0x28</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xb2</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xab</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xfa</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x49</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x32</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x33</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x4a</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x29</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x41</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x3c</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xb7</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xf6</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x62</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x25</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x0f</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x95</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x40</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x16</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xfa</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x47</span><span 
class=\"token punctuation\">,</span><span class=\"token number\">0xe9</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x22</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x8d</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xa5</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xcd</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x3d</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x53</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xee</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xb4</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xb3</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x51</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x8e</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xd2</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x89</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x93</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x5b</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xe0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x59</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xcb</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xfb</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xb1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x1b</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token 
punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>enc<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token operator\">^</span>enc<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># ctf4b{p4y_n0_4ttent10n_t0_t4at_m4n_beh1nd_t4e_cur4a1n}</span></code></pre></div>\n<h2 id=\"heaven-rev\" style=\"position:relative;\"><a href=\"#heaven-rev\" aria-label=\"heaven rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Heaven (Rev)</h2>\n<blockquote>\n<p>I wrote a program to encrypt messages.</p>\n<p>Try to decrypt it!</p>\n</blockquote>\n<p>The challenge provides an ELF encryption binary and the output from encrypting the Flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ ./heaven\n------ menu ------\n<span class=\"token number\">0</span>: encrypt 
message\n<span class=\"token number\">1</span>: decrypt message\n<span class=\"token number\">2</span>: <span class=\"token builtin class-name\">exit</span>\n<span class=\"token operator\">></span> <span class=\"token number\">0</span>\nmessage: ctf4b<span class=\"token punctuation\">{</span>---CENSORED---<span class=\"token punctuation\">}</span>\nencrypted message: ca6ae6e83d63c90bed34a8be8a0bfd3ded34f25034ec508ae8ec0b7f</code></pre></div>\n<p>Decompiling with Ghidra shows the encryption logic implemented as follows:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 603px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/058cbfda59067e75e21dbb6779d1d36a/9128f/image-20230604170357860.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 102.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/058cbfda59067e75e21dbb6779d1d36a/8ac56/image-20230604170357860.webp 240w,\n/static/058cbfda59067e75e21dbb6779d1d36a/d3be9/image-20230604170357860.webp 480w,\n/static/058cbfda59067e75e21dbb6779d1d36a/e7dd8/image-20230604170357860.webp 603w\"\n              sizes=\"(max-width: 603px) 100vw, 603px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/058cbfda59067e75e21dbb6779d1d36a/8ff5a/image-20230604170357860.png 240w,\n/static/058cbfda59067e75e21dbb6779d1d36a/e85cb/image-20230604170357860.png 480w,\n/static/058cbfda59067e75e21dbb6779d1d36a/9128f/image-20230604170357860.png 603w\"\n            sizes=\"(max-width: 603px) 100vw, 603px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/058cbfda59067e75e21dbb6779d1d36a/9128f/image-20230604170357860.png\"\n            alt=\"image-20230604170357860\"\n            title=\"image-20230604170357860\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Since the <code class=\"language-text\">message</code> value itself is not modified, everything else can be ignored and we focus on:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>\n    lVar11 <span class=\"token operator\">=</span> lVar10 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    bVar2 <span class=\"token operator\">=</span> <span class=\"token function\">calc_xor</span><span class=\"token punctuation\">(</span>message<span class=\"token punctuation\">[</span>lVar10<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>uVar1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    message<span class=\"token punctuation\">[</span>lVar10<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> sbox<span class=\"token punctuation\">[</span>bVar2<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    lVar10 <span class=\"token operator\">=</span> lVar11<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>lVar7 <span class=\"token operator\">!=</span> lVar11<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n\n<span class=\"token function\">__printf_chk</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"encrypted message: %02x\"</span><span class=\"token punctuation\">,</span>local_21<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">print_hexdump</span><span class=\"token punctuation\">(</span>message<span class=\"token punctuation\">,</span>lVar7<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>From this decompiled output, the encryption and output flow is:</p>\n<ol>\n<li>A random 1-byte value <code class=\"language-text\">uVar1</code> is generated in advance.</li>\n<li>Each character of <code class=\"language-text\">message</code> is passed, along with <code class=\"language-text\">uVar1</code>, to <code class=\"language-text\">calc_xor</code>.</li>\n<li>The result of <code class=\"language-text\">calc_xor</code> is used as an index into the hardcoded <code class=\"language-text\">sbox</code>, and replaces the character in <code class=\"language-text\">message</code>.</li>\n<li>Finally, <code class=\"language-text\">uVar1</code> and the hex-encoded encrypted <code class=\"language-text\">message</code> are printed.</li>\n</ol>\n<p>From the output, the <code class=\"language-text\">uVar1</code> used when encrypting the Flag is <code class=\"language-text\">0xca</code>.</p>\n<p>Since the <code class=\"language-text\">sbox</code> bytes are hardcoded, we just need to determine the implementation of <code class=\"language-text\">calc_xor</code> to decrypt the Flag.</p>\n<p>However, attempting to analyze <code class=\"language-text\">calc_xor</code> in Ghidra did not yield a clear result:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; 
margin-right: auto; max-width: 914px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ef2c3056ff2dd55e0229b7e5a1db78ab/076ca/image-20230604171234531.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 77.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ef2c3056ff2dd55e0229b7e5a1db78ab/8ac56/image-20230604171234531.webp 240w,\n/static/ef2c3056ff2dd55e0229b7e5a1db78ab/d3be9/image-20230604171234531.webp 480w,\n/static/ef2c3056ff2dd55e0229b7e5a1db78ab/38f11/image-20230604171234531.webp 914w\"\n              sizes=\"(max-width: 914px) 100vw, 914px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ef2c3056ff2dd55e0229b7e5a1db78ab/8ff5a/image-20230604171234531.png 240w,\n/static/ef2c3056ff2dd55e0229b7e5a1db78ab/e85cb/image-20230604171234531.png 480w,\n/static/ef2c3056ff2dd55e0229b7e5a1db78ab/076ca/image-20230604171234531.png 914w\"\n            sizes=\"(max-width: 914px) 100vw, 914px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ef2c3056ff2dd55e0229b7e5a1db78ab/076ca/image-20230604171234531.png\"\n            alt=\"image-20230604171234531\"\n            title=\"image-20230604171234531\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I fell back to <code class=\"language-text\">objdump</code> to get the disassembly:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: 
relative; display: block; margin-left: auto; margin-right: auto; max-width: 708px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6502df515445a061c53b247d3611cde3/3cb0f/image-20230604171419586.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAIAAAB2/0i6AAAACXBIWXMAAAsTAAALEwEAmpwYAAABZklEQVQY0z2RWU/CUBCFXUgAERBXFCnQFrrQlhawOxC6AkoFYhR9UnzU///sKUiTk5vcufPNnJl7EDbtL2/t1HUpQ02YYSR5Tk3TzoVunukXOTlLP0v+4FZZKeGr9uQ1jH6RlU/onQ6m3Oh3+e02DPbwfsqOlkrokQau46oaNgfgEUFpnzLXRrSQg7Blg+9kqRhGsU/3zalrfIoA9siP9UtRypBSmhTTDWjCDIxryaPMueBOWgM+VduRMezW9a1tjT+O4bngICOgLXTG+XDGYRa7rIS0/WEtXvoznzb7hX3nGTf6WWw80uSOqlN2GImeVZZ7Baabb8Ee+q+6kzGhAo5EF+bVUlvJNf874w7beG6nanAxrPSwKpDKaRPqZCgw1o2MNJ+yUBRMDOf28CZ438JEQFlYwajSg2GfNHzKUEs8TA3vunCOcfARPmli+agbw/qF4BAqkuDQuBIxJOZJjCVCJFES/AMQvlbOGa46GAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6502df515445a061c53b247d3611cde3/8ac56/image-20230604171419586.webp 240w,\n/static/6502df515445a061c53b247d3611cde3/d3be9/image-20230604171419586.webp 480w,\n/static/6502df515445a061c53b247d3611cde3/3f436/image-20230604171419586.webp 708w\"\n              sizes=\"(max-width: 708px) 100vw, 708px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6502df515445a061c53b247d3611cde3/8ff5a/image-20230604171419586.png 240w,\n/static/6502df515445a061c53b247d3611cde3/e85cb/image-20230604171419586.png 480w,\n/static/6502df515445a061c53b247d3611cde3/3cb0f/image-20230604171419586.png 708w\"\n            sizes=\"(max-width: 708px) 100vw, 708px\"\n            type=\"image/png\"\n          />\n          <img\n            
class=\"gatsby-resp-image-image\"\n            src=\"/static/6502df515445a061c53b247d3611cde3/3cb0f/image-20230604171419586.png\"\n            alt=\"image-20230604171419586\"\n            title=\"image-20230604171419586\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I’m not entirely sure what this is doing, but it appears to store values defined from address <code class=\"language-text\">0x404181</code> onto the stack and then pop them with <code class=\"language-text\">lret</code>.</p>\n<p>Analyzing with gdb revealed the following behavior:</p>\n<ol>\n<li>Decrement the received Flag character by 1.</li>\n<li>XOR the result from step 1 with <code class=\"language-text\">uVar1</code>.</li>\n</ol>\n<p>So I wrote the following reverse script to retrieve the Flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">sbox <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">0xc2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x53</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x80</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x17</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x11</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x24</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xcd</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x39</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x41</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x52</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x99</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x03</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x69</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x73</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x43</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x7d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x19</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x94</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x36</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x30</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x25</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x18</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x02</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xdb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x90</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x98</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x74</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xaa</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x20</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xea</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x72</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8e</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x14</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x23</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x96</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x62</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x46</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x22</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x65</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x08</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x12</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xac</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x44</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfe</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x84</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x15</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x91</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x56</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xeb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x33</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x31</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x27</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x54</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbf</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xda</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x68</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x38</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3e</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0xb7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x35</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xca</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x09</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xde</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x32</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x82</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xad</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x45</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x85</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xaf</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb4</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x29</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x01</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x60</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x75</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xce</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xcc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x04</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x67</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x92</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x93</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd5</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0xdd</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x13</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x95</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x81</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x88</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x47</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x05</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xed</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x63</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xcb</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5a</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0xdc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x06</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x57</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbe</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbd</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xec</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x59</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x26</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x16</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x86</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd7</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x70</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x37</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x71</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x77</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xdf</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xba</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x55</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x79</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x07</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x83</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x97</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x61</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x40</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xab</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x89</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xae</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x51</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x78</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfd</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfa</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x87</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xef</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xee</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x10</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xcf</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x49</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x48</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x21</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3d</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0xf2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x76</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x42</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x50</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x58</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span> <span class=\"token punctuation\">]</span>\n\nenc <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x6a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x63</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xc9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xed</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbe</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xfd</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x3d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xed</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x50</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xec</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x50</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe8</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xec</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7f</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token comment\"># unk is a random 1-byte value</span>\n<span class=\"token comment\"># bVar1 = calc_xor(message[k],unk);</span>\n<span class=\"token comment\"># message[k] = sbox[bVar1];</span>\n\n<span class=\"token comment\"># for i in range(256):</span>\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">for</span> e <span class=\"token keyword\">in</span> enc<span class=\"token punctuation\">:</span>\n    bVar1 <span class=\"token operator\">=</span> sbox<span class=\"token punctuation\">.</span>index<span class=\"token punctuation\">(</span>e<span class=\"token punctuation\">)</span>\n    flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>bVar1 <span class=\"token operator\">^</span> <span class=\"token number\">0xca</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token 
punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"yaro-misc\" style=\"position:relative;\"><a href=\"#yaro-misc\" aria-label=\"yaro misc permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>YARO (Misc)</h2>\n<blockquote>\n<p>There may be malware on the server. Find it with your perfect signature.</p>\n</blockquote>\n<p>A relatively rare YARA challenge — this got me excited!</p>\n<p>The server accepts YARA rule text and returns the result of applying the submitted rules against the files under <code class=\"language-text\">/root</code>, including the matching rule names.</p>\n<p>Multiple rules can be sent at once, and the server reports which rule names matched.</p>\n<p>Since we can extract one character at a time, I first determined the character set and length of the Flag.</p>\n<p>I started by binary-searching the Flag length using rules like:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span>.<span class=\"token punctuation\">{</span><span class=\"token number\">20,30</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/\n<span 
class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span>.<span class=\"token punctuation\">{</span><span class=\"token number\">25,30</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/\n<span class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span>.<span class=\"token punctuation\">{</span><span class=\"token number\">28,30</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/\n<span class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span>.<span class=\"token punctuation\">{</span><span class=\"token number\">28</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/</code></pre></div>\n<p>The Flag content inside the braces turned out to be 28 characters.</p>\n<p>Next I determined the character set with rules like:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span>-9<span class=\"token operator\">|</span>A-Z<span class=\"token operator\">|</span>a-z<span class=\"token punctuation\">]</span><span class=\"token punctuation\">{</span><span class=\"token number\">28</span><span class=\"token punctuation\">}</span><span class=\"token 
punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/\n<span class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span>-9<span class=\"token operator\">|</span>a-z<span class=\"token operator\">|</span>_<span class=\"token punctuation\">]</span><span class=\"token punctuation\">{</span><span class=\"token number\">28</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/\n<span class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span><span class=\"token punctuation\">[</span>A-Z<span class=\"token operator\">|</span>a-z<span class=\"token operator\">|</span>_<span class=\"token punctuation\">]</span><span class=\"token punctuation\">{</span><span class=\"token number\">28</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/\n<span class=\"token variable\">$ctf4b_string</span> <span class=\"token operator\">=</span> /.*ctf4b<span class=\"token punctuation\">\\</span><span class=\"token punctuation\">{</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span>-9<span class=\"token operator\">|</span>A-Z<span class=\"token operator\">|</span>_<span class=\"token punctuation\">]</span><span class=\"token punctuation\">{</span><span class=\"token number\">28</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">\\</span><span class=\"token punctuation\">}</span>.*/</code></pre></div>\n<p>The Flag uses uppercase letters, lowercase letters, digits, and underscores.</p>\n<p>I then wrote the following solver script to 
determine the Flag one character at a time:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    allrule <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n    p <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"yaro.beginners.seccon.games\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5003</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> <span class=\"token string\">\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_\"</span><span class=\"token punctuation\">:</span>\n        c <span class=\"token operator\">=</span> c\n        R <span class=\"token operator\">=</span> <span class=\"token string\">\".\"</span> <span class=\"token operator\">*</span> i\n        L <span class=\"token operator\">=</span> <span class=\"token number\">28</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token operator\">-</span>i\n        sig <span class=\"token operator\">=</span> R <span class=\"token operator\">+</span> c <span class=\"token operator\">+</span> <span class=\"token string\">\"[0-9|A-Z|a-z|_]{\"</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>L<span class=\"token punctuation\">)</span> <span class=\"token 
operator\">+</span><span class=\"token string\">\"}\"</span>\n        <span class=\"token keyword\">if</span> c <span class=\"token operator\">==</span> <span class=\"token string\">\"_\"</span><span class=\"token punctuation\">:</span>\n            c <span class=\"token operator\">=</span> <span class=\"token string\">\"ubar\"</span>\n        rule <span class=\"token operator\">=</span> <span class=\"token string\">\"rule check_\"</span> <span class=\"token operator\">+</span> c <span class=\"token operator\">+</span><span class=\"token triple-quoted-string string\">\"\"\" {\n    strings:\n        $ctf4b_string = /.*ctf4b\\{\"\"\"</span> <span class=\"token operator\">+</span> sig <span class=\"token operator\">+</span> <span class=\"token triple-quoted-string string\">\"\"\"\\}.*/\n    condition:\n        $ctf4b_string\n}\n\"\"\"</span>\n        allrule <span class=\"token operator\">+=</span> rule\n\n    r <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"rule:\\n\"</span><span class=\"token punctuation\">)</span>\n    p<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>allrule<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    r <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Not found: ./server.py\\n\"</span><span class=\"token punctuation\">)</span>\n    r <span class=\"token operator\">=</span> p<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span>\n    
p<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_Y]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_3]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_t]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_ubar]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_A]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_n]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_0]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_t]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_h]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_3]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_r]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_ubar]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_R]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_3]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_4]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_d]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_ubar]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_O]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_p]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_p]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_0]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: 
[check_r]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_t]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_u]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_n]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_1]\\n'</span>\n<span class=\"token comment\"># b'Found: ./flag.txt, matched: [check_t]\\n'</span>\n\n<span class=\"token comment\"># ctf4b{Y3t_An0th3r_R34d_Opp0rtun1ty}</span></code></pre></div>\n<h2 id=\"wrap-up\" style=\"position:relative;\"><a href=\"#wrap-up\" aria-label=\"wrap up permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Wrap-up</h2>\n<p>The gap to the top teams is real, but it was still an enjoyable event.</p>\n<p>Team 0nePadding has been growing a bit lately, which makes things more fun — looking forward to more competitions.</p>","fields":{"slug":"/ctf-sec4b-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/misc-en/","/tag/english/"]},"frontmatter":{"date":"2023-06-04","description":"SECCON Beginners CTF 2023 Writeup.","tags":["CTF (en)","Rev (en)","Misc (en)","English"],"title":"SECCON Beginners CTF 2023 Writeup","socialImage":{"publicURL":"/static/1bfd4cd0fea6a9c48d5416f52eb429fa/ctf-sec4b-2023.png"}}}},"pageContext":{"slug":"/ctf-sec4b-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}