{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-seccon-2024-en","result":{"data":{"markdownRemark":{"id":"fe5ee947-d6dc-5771-8f9b-7ecad594be80","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-seccon-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in SECCON CTF 13 with the team 0nePadding.</p>\n<p>Individually I solved 2 Rev challenges, finishing 34th domestically and 89th overall.</p>\n<p><img src=\"/static/ee827d9f5a29c6d8b57f7b9e60bf3460/d6b80/image-20241124191955790.png\" alt=\"image-20241124191955790\"></p>\n<p>I came away a bit unsatisfied, but lately I haven’t had much time to do thorough post-mortems, so I’ll write up a quick summary for now.</p>\n<h2 id=\"packed-rev\">packed (Rev)</h2>\n<blockquote>\n<p>Packers are one of the most common techniques malware uses.</p>\n</blockquote>\n<p>Inspecting the challenge binary revealed that it was a UPX-packed file.</p>\n<p>I used the <code class=\"language-text\">upx</code> command to unpack it and then analyzed the unpacked binary in Binary Ninja.</p>\n<p><img src=\"/static/d20ad935beb73549fa0a9125be730a66/7de01/image-20241123140426723.png\" alt=\"image-20241123140426723\"></p>\n<p>However, the unpacked binary always printed <code class=\"language-text\">Wrong</code> without ever validating the input, so it was of no use for recovering the correct flag.</p>\n<p><img src=\"/static/664904f3827b9e541f872e3581bee6ed/71b12/image-20241123142917256.png\" alt=\"image-20241123142917256\"></p>\n<p>So I tried debugging the original (still-packed) binary with gdb, and found code that checks whether the input length is 0x31 and then validates the input against the correct flag.</p>\n<p><img src=\"/static/21f639a2cc74c6f4be53a076f2b9350b/dc333/image-20241123142852426.png\" alt=\"image-20241123142852426\"></p>\n<p>In other words, I suspected the packed file had been modified in some way so that part of the code is not carried over into the UPX-unpacked output (the flag text itself hints at the answer: the check was hidden in the UPX stub, which is not part of the file that unpacking restores).</p>\n<p>I couldn’t immediately think of exactly what kind of modification had been applied, so I decided to skip unpacking and analyze the binary dynamically as-is.</p>\n<p>After passing the input-length check, the binary appears to XOR each input character against a hardcoded key.</p>\n<p><img src=\"/static/f1d7ed3512c6fff049d6d06f123110b6/8698d/image-20241123143002581.png\" alt=\"image-20241123143002581\"></p>\n<p>The key used here can be easily retrieved with gdb.</p>\n<p>The hardcoded byte array ultimately used for comparison against the correct flag was also easy to read out with gdb.</p>\n<p><img src=\"/static/aaf5b857a3e0949361d1358a35f933fa/a1792/image-20241123143923869.png\" alt=\"image-20241123143923869\"></p>\n<p>From there, the following solver decrypts the XOR cipher to obtain the correct flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"># XOR key read out of the running (still-packed) binary with gdb: 48 (0x30) bytes\nkey = [0xe8,0x4a,0x00,0x00,0x00,0x83,0xf9,0x49,0x75,0x44,0x53,0x57,0x48,0x8d,0x4c,0x37,0xfd,0x5e,0x56,0x5b,0xeb,0x2f,0x48,0x39,0xce,0x73,0x32,0x56,0x5e,0xac,0x3c,0x80,0x72,0x0a,0x3c,0x8f,0x77,0x06,0x80,0x7e,0xfe,0x0f,0x74,0x06,0x2c,0xe8,0x3c,0x01]\n# Expected ciphertext the binary compares the XORed input against: 48 bytes\ntarget = [0xbb,0x0f,0x43,0x43,0x4f,0xcd,0x82,0x1c,0x25,0x1c,0x0c,0x24,0x7f,0xf8,0x2e,0x68,0xcc,0x2d,0x09,0x3a,0xb4,0x48,0x78,0x56,0xaa,0x2c,0x42,0x3a,0x6a,0xcf,0x0f,0xdf,0x14,0x3a,0x4e,0xd0,0x1f,0x37,0xe4,0x17,0x90,0x39,0x2b,0x65,0x1c,0x8c,0x0f,0x7c]\n\n# XOR is its own inverse, so key ^ target yields the plaintext flag byte by byte\nfor i in range(0x30):\n    print(chr(key[i] ^ target[i]), end=\"\")\n\n# SECCON{UPX_s7ub_1s_a_g0od_pl4c3_f0r_h1din6_c0d3}</code></pre></div>\n<h2 id=\"jump-rev\">Jump (Rev)</h2>\n<blockquote>\n<p>Who would have predicted that ARM would become so popular?</p>\n<p>※ We confirmed the binary of Jump accepts multiple flags. The SHA-1 of the correct flag is c69bc9382d04f8f3fbb92341143f2e3590a61a08. We’re sorry for your patience and inconvenience.</p>\n</blockquote>\n<p>I analyzed the ARM binary provided as the challenge binary using Binary Ninja.</p>\n<p>The <code class=\"language-text\">jumper</code> function called from <code class=\"language-text\">main</code> checks whether command-line arguments are present, and if so, executes a RET to the execution address loaded onto the stack.</p>\n<p><img src=\"/static/5598783370f3cbb10c59780651e34f76/bb2fd/image-20241124190335719.png\" alt=\"image-20241124190335719\"></p>\n<p>This appears to be the key characteristic of this binary: rather than making normal function calls, execution proceeds by RET-ing (ROP-style) to specific code locations within each function. (Probably an anti-analysis technique?)</p>\n<p>When command-line arguments are present, the program jumps to the code immediately after the prologue of the <code class=\"language-text\">target</code> function.</p>\n<p>Inside this function, a switch statement dispatches to various processing paths based on a flag value that is updated during execution.</p>\n<p><img src=\"/static/287cdaa9f57bb65cb1cc17e0ff8771de/668c6/image-20241124190658529.png\" alt=\"image-20241124190658529\"></p>\n<p>At first glance the implementation looks unreadable, but by using gdb to trace the actual jump targets, I was able to confirm that execution eventually reaches code inside the following <code class=\"language-text\">checker</code> function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">void checker(int32_t* arg1)\n{\n    data_41203c = 1;\n    \n    switch (((uint64_t)index))\n    {\n        case 0:  // SECC\n        {\n            uint64_t var_30_4 = ((uint64_t)*(uint32_t*)arg1);\n            int64_t (* var_28_4)() = sub_400b48;\n            break;  // SECC\n        }\n        case 4:  // ON{5\n        {\n            uint64_t var_30_1 = ((uint64_t)*(uint32_t*)((char*)arg1 + ((int64_t)index)));\n            int64_t (* var_28_1)() = sub_400aa8;\n            break;  // ON{5\n        }\n        case 8:  // h4k3\n        {\n            uint64_t var_30_2 = ((uint64_t)*(uint32_t*)((char*)arg1 + ((int64_t)index)
punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token class-name\">int64_t</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span> var_28_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> sub_400ae4<span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// h4k3</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">case</span> <span class=\"token number\">0xc</span><span class=\"token operator\">:</span>  <span class=\"token comment\">// _1t_</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token class-name\">uint64_t</span> var_30_5 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token punctuation\">)</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint32_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>arg1 <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int64_t</span><span class=\"token punctuation\">)</span>index<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    
        <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> <span class=\"token keyword\">const</span> var_28_5 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_400b84<span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// _1t_</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">case</span> <span class=\"token number\">0x10</span><span class=\"token operator\">:</span>  <span class=\"token comment\">// up_5</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_30_7 <span class=\"token operator\">=</span> arg1<span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> <span class=\"token keyword\">const</span> var_28_7 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_400bd4<span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// up_5</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">case</span> <span class=\"token number\">0x14</span><span class=\"token operator\">:</span>  <span class=\"token comment\">// BBBB + up_5 = 0x9d949ddd</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_30_3 <span class=\"token operator\">=</span> arg1<span class=\"token punctuation\">;</span>\n            <span class=\"token class-name\">int64_t</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span> var_28_3<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> sub_400b14<span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// BBBB + up_5 = 0x9d949ddd</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">case</span> <span class=\"token number\">0x18</span><span class=\"token operator\">:</span>  <span class=\"token comment\">// CCCC + BBBB = 0x9d9d6295</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_30 <span class=\"token operator\">=</span> arg1<span class=\"token punctuation\">;</span>\n            <span class=\"token class-name\">int64_t</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span> var_28<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> sub_400a6c<span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// CCCC + BBBB = 0x9d9d6295</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token keyword\">case</span> <span class=\"token number\">0x1c</span><span class=\"token operator\">:</span>  <span class=\"token comment\">// DDDD - CCCC = 0x47cb363b</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_30_6 <span class=\"token operator\">=</span> arg1<span class=\"token punctuation\">;</span>\n            <span class=\"token class-name\">int64_t</span> <span class=\"token punctuation\">(</span><span 
class=\"token operator\">*</span> var_28_6<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> sub_400ba4<span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>  <span class=\"token comment\">// DDDD - CCCC = 0x47cb363b</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This code jumps to a different validation routine depending on which position of the flag string (received from the command-line arguments) is being checked.</p>\n<p>However, this binary had a bug that caused flag checking not to function correctly, so I stopped the dynamic analysis here and decided to identify the correct flag through static analysis.</p>\n<p>Analyzing the code reveals that the first 16 characters can simply be determined by XOR-ing hardcoded data with a key.</p>\n<p>XOR-ing 4 characters at a time, I identified the first 16 characters as <code class=\"language-text\">SECCON{5h4k3_1t</code>.</p>\n<p>The following 16 characters were validated 4 characters at a time: the check was whether the sum or difference of each 4-character block’s value and the previous block’s value matched a hardcoded integer (the constants annotated in the <code class=\"language-text\">case</code> comments above).</p>\n<p>I worked through the calculations manually from the beginning.</p>\n<p>Ultimately, I identified <code class=\"language-text\">SECCON{5h4k3_1t_up_5h-5h-5h5hk3}</code> as the correct flag.</p>\n<h2 id=\"conclusion\" style=\"position:relative;\">Conclusion</h2>\n<p>I was pretty frustrated while analyzing the Jump binary since it wasn’t working properly and finding the flag was taking forever, but when I actually read it carefully the flag turned out to be easily obtainable through static analysis — so that was simply a matter of my own lack of skill. My apologies.</p>\n<p>On the bright side, if the program’s validation had been working correctly, I might have been able to grab the flag with a mindless angr run from the start, so maybe it worked out for the best.</p>\n<p>Every time I do SECCON I hit a wall after the third challenge, so I’d really like to get to a point where I can tackle harder problems soon.</p>","fields":{"slug":"/ctf-seccon-2024-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2024-11-24","description":"Writeup-style notes for SECCON CTF 13 (2024) (Rev: packed, Jump).","tags":["CTF (en)","Rev (en)","English"],"title":"SECCON CTF 13 (2024) Writeup-style Notes (Rev: packed, Jump)","socialImage":{"publicURL":"/static/b6918dd441997e5a2292eb49f43ad0b1/ctf-seccon-2024.png"}}}},"pageContext":{"slug":"/ctf-seccon-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}