{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-vishwa-ctf-2024-en","result":{"data":{"markdownRemark":{"id":"f78c9f2b-fdd6-5a7d-b486-a3fd3b58c81c","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-vishwa-ctf-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in VishwaCTF 2024.</p>\n<p>There was only one Rev challenge, so I’m writing up that one here. (It was quite tough.)</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#your-bonusrev\">Your Bonus(Rev)</a></p>\n<ul>\n<li><a href=\"#devil_function\">devil_function</a></li>\n<li><a href=\"#getting-the-string-length\">Getting the string length</a></li>\n<li><a href=\"#zarathos-function\">zarathos function</a></li>\n<li><a href=\"#lucifer-function\">Lucifer function</a></li>\n<li><a href=\"#ghost_ridders_wepon-function\">ghost_ridders_wepon function</a></li>\n<li><a href=\"#matter_manipulation-function\">matter_manipulation function</a></li>\n<li><a href=\"#writing-the-solver\">Writing the Solver</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"your-bonusrev\" style=\"position:relative;\"><a href=\"#your-bonusrev\" aria-label=\"your bonusrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Your Bonus(Rev)</h2>\n<blockquote>\n<p>I am very kind, and you’re my friend too. I was about to share some flags with you, but unfortunately, a ransomware attack occurred on the file containing those flags. All the flags got encrypted by the ransomware. After cross-checking the directories, I found the ransomware file and some other related items.</p>\n<p>I’m going to share that information with you. However, due to the ransomware, I’m unable to provide you with the flags 😥😥. Now, I need your help to recover those flags. Can you assist me, please? Your cooperation would be highly appreciated, and you will receive a reward for your help.</p>\n<p>Note : Ransomware are not meant to be executed as it can harm your systems (although this won’t)</p>\n</blockquote>\n<p>Decompiling the challenge binary reveals that after opening Flags.txt, the following loop is executed:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    piVar4 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>getline<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token punctuation\">(</span>local_1a0<span class=\"token punctuation\">,</span>local_1b8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    bVar1 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>basic_ios<span class=\"token operator\">::</span>operator<span class=\"token punctuation\">.</span>cast<span class=\"token punctuation\">.</span>to<span class=\"token punctuation\">.</span><span class=\"token function\">bool</span>\n                      <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_ios <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span><span class=\"token punctuation\">)</span>piVar4 <span class=\"token operator\">+</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>piVar4 <span class=\"token operator\">+</span> <span class=\"token operator\">-</span><span class=\"token number\">0xc</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span>bVar1<span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span>local_1b8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span>local_a0<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    pTextLine <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>stack0xfffffe28<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">devil_function</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span>local_6c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">length</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    pTextLine <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>stack0xfffffe28<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">zarathos</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>stack0xfffffe10<span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>basic_string <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>pTextLine<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>stack0xfffffe28<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    pTextLine <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_14<span class=\"token punctuation\">;</span>\n    local_24 <span class=\"token operator\">=</span> <span class=\"token function\">Lucifer</span><span class=\"token punctuation\">(</span>local_54<span class=\"token punctuation\">,</span>local_14<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span>local_54<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">ghost_ridders_wepon</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    pTextLine <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_14<span class=\"token punctuation\">;</span>\n    matter_manipulation<span class=\"token punctuation\">[</span>abi<span class=\"token operator\">:</span>cxx11<span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>stack0xfffffdf8<span class=\"token punctuation\">,</span>local_14<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>stack0xfffffdf8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">Trigon</span><span class=\"token punctuation\">(</span>local_3c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_3c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    local_14 <span class=\"token operator\">=</span> local_14 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>stack0xfffffdf8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>stack0xfffffe10<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>stack0xfffffe28<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Inside this loop, after reading each line as a string, the functions <code class=\"language-text\">devil_function</code>, <code class=\"language-text\">Lucifer</code>, <code class=\"language-text\">ghost_ridders_wepon</code>, <code class=\"language-text\">matter_manipulation</code>, and <code class=\"language-text\">Trigon</code> are called in sequence to produce the encrypted string that is ultimately written to the file.</p>\n<h3 id=\"devil_function\" style=\"position:relative;\"><a href=\"#devil_function\" aria-label=\"devil_function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>devil_function</h3>\n<p>The first function, <code class=\"language-text\">devil_function</code>, appears to do nothing, so it can be ignored.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 731px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cc1da7ce9c67b4414f5912916e5d18f4/6e9ba/image-20240308201831073.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 21.666666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAq0lEQVQY05WMzW6DMBAGef/3y6GXCAXSYDDYscFrp5ip6zTpuSuN9tsfTWMTfPpEdxdshMtkaccZZRxnZTj1hl5HrtqhrGdehcEF1JpYJDN4eWPkoNEulcfEvFGF/fTgo13pxlj2puxDQapI/+BDEW4oH59CJ2+qUA0jbatYLOwHhLhzUxsZuLsJiUI+nrcX+Zc9/+XX3Mxa010UItRK6YtlCSUdPNJW+3/4BgD6NX339d8yAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cc1da7ce9c67b4414f5912916e5d18f4/8ac56/image-20240308201831073.webp 240w,\n/static/cc1da7ce9c67b4414f5912916e5d18f4/d3be9/image-20240308201831073.webp 480w,\n/static/cc1da7ce9c67b4414f5912916e5d18f4/feeb6/image-20240308201831073.webp 731w\"\n              sizes=\"(max-width: 731px) 100vw, 731px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cc1da7ce9c67b4414f5912916e5d18f4/8ff5a/image-20240308201831073.png 240w,\n/static/cc1da7ce9c67b4414f5912916e5d18f4/e85cb/image-20240308201831073.png 480w,\n/static/cc1da7ce9c67b4414f5912916e5d18f4/6e9ba/image-20240308201831073.png 731w\"\n            sizes=\"(max-width: 731px) 100vw, 731px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cc1da7ce9c67b4414f5912916e5d18f4/6e9ba/image-20240308201831073.png\"\n            alt=\"image-20240308201831073\"\n            title=\"image-20240308201831073\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"getting-the-string-length\" style=\"position:relative;\"><a href=\"#getting-the-string-length\" aria-label=\"getting the string length permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting the string length</h3>\n<p>The following code block appears to retrieve the length of the string read from the current line:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span>local_6c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nstd<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">length</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\npTextLine <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>stack0xfffffe28<span class=\"token punctuation\">;</span></code></pre></div>\n<p>Immediately after <code class=\"language-text\">basic_string::length()</code> executes, the length of the line’s string is returned in the <code class=\"language-text\">eax</code> register.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7c37217b5d08f715f4ca44c9828af44c/d0c2f/image-20240308202520348.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 31.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABKUlEQVQY02WRW3ODIBCF8/9/Vjt9bTTRilfUeEnUkAupCTFwCvvWlpkzZzgMH8vuinkfSPw39Hlg5SML3rEvPvE9pKQbeYLLoUAUMQRhiDzPUVUViqIA5xxt25JctkrzAmXd4CIXHIVE1bWYnwv+LrVoAjh19vIwDOj7nlwIgdPphGmasIpjZuk7XK93GxxxGPZ4PhWM1jBGkwMG93kGYwyhrbCua4I5d+q6jjSOowPGttQSUiobTGiaBuIs8NIvqswYQz5boO97YFFE0CDYYu158NY2YxGyLCMoAXe7GvL2wHAY0XQNHuoBrc0voFIK3ibA9oshSWKrBO5umqYoS079I6BvX3EHQlxt0INXHHKW/ypclgVhFGO9CcHdMMqSBuJ+5Pro3O1/AO3qvQ6MC36JAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7c37217b5d08f715f4ca44c9828af44c/8ac56/image-20240308202520348.webp 240w,\n/static/7c37217b5d08f715f4ca44c9828af44c/d3be9/image-20240308202520348.webp 480w,\n/static/7c37217b5d08f715f4ca44c9828af44c/e46b2/image-20240308202520348.webp 960w,\n/static/7c37217b5d08f715f4ca44c9828af44c/66be3/image-20240308202520348.webp 1362w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7c37217b5d08f715f4ca44c9828af44c/8ff5a/image-20240308202520348.png 240w,\n/static/7c37217b5d08f715f4ca44c9828af44c/e85cb/image-20240308202520348.png 480w,\n/static/7c37217b5d08f715f4ca44c9828af44c/d9199/image-20240308202520348.png 960w,\n/static/7c37217b5d08f715f4ca44c9828af44c/d0c2f/image-20240308202520348.png 1362w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7c37217b5d08f715f4ca44c9828af44c/d9199/image-20240308202520348.png\"\n            alt=\"image-20240308202520348\"\n            title=\"image-20240308202520348\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The retrieved string length is stored on the stack at <code class=\"language-text\">[esp+0x8]</code>, and the <code class=\"language-text\">edx</code> register holds a pointer to the address where the line’s string obtained from <code class=\"language-text\">[ebp-0x1D0]</code> is stored.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 417px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/36463f2f7df5898e4fbbf7a64bfc6abe/f27fb/image-20240308203127584.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 28.333333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABa0lEQVQY0x2Py47TQBBF/dEgNpEQQmxGDLDhe9gxgAYyxK/YsR3Hr8R224njxI8Mk0PFLbWqu27V0b3a/OEH9nyOb9kYj48UcUpbKvbbjCzY4S62dPsDTZ7jPC3YbSLp6TRFSaMKWlXRi367Xb1HMwUUrNdsZcG0TFzPJ4wiSpWj6gHfH7id5+cLK8+T3l56Pkme4ZdrsmLLv5cr42WU+oKm6wa+DMZxzNK20HUdx3Vpmpqq6kQ7c73COHSi2xRlSRisSdMYO1yKGZ+DuKvrilPboi3EvifANM0wDZ3b33FXAivFpQD9DuEJcMBZOgJUBF5AfAPGjqQJ6fuB4/HI6XSWyKZBEHgkSSzABZZlibvjFPNwGEVrp/cgDm3bnOaiaEO+yyan0SYkTSJJGDGOA9rT99e48xmJ8x794Q3LPzM29gdUdMe5+IL9+91UB/WZn99eYfyasfr7ll7d05d3jNU9o/rIpf4E56/8B/7hspXsCwWbAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/36463f2f7df5898e4fbbf7a64bfc6abe/8ac56/image-20240308203127584.webp 240w,\n/static/36463f2f7df5898e4fbbf7a64bfc6abe/b6b2f/image-20240308203127584.webp 417w\"\n              sizes=\"(max-width: 417px) 100vw, 417px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/36463f2f7df5898e4fbbf7a64bfc6abe/8ff5a/image-20240308203127584.png 240w,\n/static/36463f2f7df5898e4fbbf7a64bfc6abe/f27fb/image-20240308203127584.png 417w\"\n            sizes=\"(max-width: 417px) 100vw, 417px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/36463f2f7df5898e4fbbf7a64bfc6abe/f27fb/image-20240308203127584.png\"\n            alt=\"image-20240308203127584\"\n            title=\"image-20240308203127584\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This pointer is then placed at <code class=\"language-text\">[esp+4]</code> on the stack, and finally a pointer to an unknown byte region retrieved from <code class=\"language-text\">[ebp-0x1E8]</code> (initially undefined) is placed at the top of the stack.</p>\n<h3 id=\"zarathos-function\" style=\"position:relative;\"><a href=\"#zarathos-function\" aria-label=\"zarathos function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>zarathos function</h3>\n<p>The <code class=\"language-text\">zarathos</code> function is called with the following values pushed onto the stack:</p>\n<ul>\n<li>A pointer to the unknown byte region</li>\n<li>A pointer to the address holding the string read from the file</li>\n<li>The string length</li>\n</ul>\n<p>The Ghidra decompiler did not interpret the arguments cleanly, so the analysis below includes minor manual corrections:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">/* zarathos(std::__cxx11::basic_string&lt;char, std::char_traits&lt;char>, std::allocator&lt;char> >&amp;, int)\n    */</span>\n\nundefined <span class=\"token operator\">*</span> __cdecl <span class=\"token function\">zarathos</span><span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">,</span>basic_string <span class=\"token operator\">*</span>param_2<span class=\"token punctuation\">,</span><span class=\"token keyword\">int</span> param_3<span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n  undefined <span class=\"token operator\">*</span>puVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> iVar2<span class=\"token punctuation\">;</span>\n  undefined4 uVar3<span class=\"token punctuation\">;</span>\n  undefined4 uVar4<span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">time_t</span> tVar5<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> local_2b<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> local_2a<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> local_29<span class=\"token punctuation\">;</span>\n  undefined4 local_28<span class=\"token punctuation\">;</span>\n  undefined4 local_24<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> local_1d<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> local_1c<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> local_18<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> local_14<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> local_10<span class=\"token punctuation\">;</span>\n  \n  local_2b <span class=\"token operator\">=</span> <span class=\"token char\">'5'</span><span class=\"token punctuation\">;</span>\n  puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>_HM<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_2b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token operator\">*</span>puVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0x23</span><span class=\"token punctuation\">;</span>\n  local_10 <span class=\"token operator\">=</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\n  local_14 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">length</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_14 <span class=\"token operator\">=</span> local_14 <span class=\"token operator\">+</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n  std<span class=\"token operator\">::</span>operator<span class=\"token operator\">+</span><span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">,</span>param_2<span class=\"token punctuation\">,</span>param_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_2a <span class=\"token operator\">=</span> <span class=\"token char\">'1'</span><span class=\"token punctuation\">;</span>\n  puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>_HM<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_2a<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token operator\">*</span>puVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0x29</span><span class=\"token punctuation\">;</span>\n  tVar5 <span class=\"token operator\">=</span> <span class=\"token function\">_time</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">time_t</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">_srand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>uint<span class=\"token punctuation\">)</span>tVar5<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  iVar2 <span class=\"token operator\">=</span> <span class=\"token function\">_rand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_18 <span class=\"token operator\">=</span> iVar2 <span class=\"token operator\">%</span> <span class=\"token number\">6</span> <span class=\"token operator\">+</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\n  iVar2 <span class=\"token operator\">=</span> <span class=\"token function\">_rand</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_1c <span class=\"token operator\">=</span> local_10 <span class=\"token operator\">+</span> iVar2 <span class=\"token operator\">%</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>local_14 <span class=\"token operator\">-</span> local_10<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_29 <span class=\"token operator\">=</span> <span class=\"token char\">'6'</span><span class=\"token punctuation\">;</span>\n  puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>_HM<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_29<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token operator\">*</span>puVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">;</span>\n  local_28 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">begin</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar3 <span class=\"token operator\">=</span> __gnu_cxx<span class=\"token operator\">::</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token operator\">+</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_28<span class=\"token punctuation\">,</span>local_1c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar4 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">begin</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  std<span class=\"token operator\">::</span>reverse<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token punctuation\">(</span>uVar4<span class=\"token punctuation\">,</span>uVar3<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar3 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_24 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">begin</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar4 <span class=\"token operator\">=</span> __gnu_cxx<span class=\"token operator\">::</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token operator\">+</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_24<span class=\"token punctuation\">,</span>local_1c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  std<span class=\"token operator\">::</span>reverse<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token punctuation\">(</span>uVar4<span class=\"token punctuation\">,</span>uVar3<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar3 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar4 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">begin</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  std<span class=\"token operator\">::</span>reverse<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token punctuation\">(</span>uVar4<span class=\"token punctuation\">,</span>uVar3<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_1d <span class=\"token operator\">=</span> <span class=\"token char\">'2'</span><span class=\"token punctuation\">;</span>\n  puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>_HM<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_1d<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token operator\">*</span>puVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0x24</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> param_1<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The opening steps copy the received string into an unknown region.</p>\n<p>Why the stored string length appears to be extended to 52 characters at this point is unclear.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/693022e922dbb460261a3b416a7c0246/98432/image-20240308205322057.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB8ElEQVQoz1WSS2/aQBSF+f8/ouoyi+YHtFWyKYsIAW0UErDHxvgx48f4bReDDJzcOy1IjHR1Z+Pjc+Y7EyEEdv4ObbtHnheIsxjD8YDL5QI+112VFRaLJSzbhuu6CILATBiGZjuOgzRNMWFBKSXquifBEjrLULc1xtPIaricz0awKArMZjN4noftdnub3W5H28VqtUIcx5jYwkGcZjjS92XVIS9L5DUJ/nd2PU3TYbPZGDdsgN2wAO+MTPB9GAZMVosXuO+/UUQS0rEhXudYL19QKQ9/tUKfRdhriUxyLBdJkpiYvu8bt+wwz3P6YYNxHElw9h3O60/k3hzRZkqCP6CsKdpocZsumkOHGwgSlFGIKAzMjpWEThN63wJFrtF1HUemdwjoDdsRumiREJjD6T4un67fU2QLH5aDQKWQaQFfpgiTArrqYXshMp2ToGVRFEFQaqSJQkR/Hg4D8TibOZ9PRjAjYA9Pb/jy7OLrk8DjLxvfaB6ndJ/aeHheQfgExSJBTXb3+xORrFF3Na7+uDLX2pRUm+WfN7yvyeXHGkLYhu6WKqQMJIpeVf8E2d3xCGhdoe+7u/5dd9u0cKlrUkZQShm6TJvpMhQeA4Wr0DQ1DgeKlZVU8PbO3U2w7cCdVSo21WG6TJmnpKp1fW8EPwHzE+fCuihASAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/693022e922dbb460261a3b416a7c0246/8ac56/image-20240308205322057.webp 240w,\n/static/693022e922dbb460261a3b416a7c0246/d3be9/image-20240308205322057.webp 480w,\n/static/693022e922dbb460261a3b416a7c0246/e46b2/image-20240308205322057.webp 960w,\n/static/693022e922dbb460261a3b416a7c0246/3f581/image-20240308205322057.webp 1383w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/693022e922dbb460261a3b416a7c0246/8ff5a/image-20240308205322057.png 240w,\n/static/693022e922dbb460261a3b416a7c0246/e85cb/image-20240308205322057.png 480w,\n/static/693022e922dbb460261a3b416a7c0246/d9199/image-20240308205322057.png 960w,\n/static/693022e922dbb460261a3b416a7c0246/98432/image-20240308205322057.png 1383w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/693022e922dbb460261a3b416a7c0246/d9199/image-20240308205322057.png\"\n            alt=\"image-20240308205322057\"\n            title=\"image-20240308205322057\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The next steps generate values randomly.</p>\n<p>After that, what is presumably the 0x36th element of the map has 0x28 stored into it. (The intent of this implementation is also unclear.)</p>\n<p>The following steps are comparatively straightforward: a number of characters equal to the randomly generated value are extracted from the beginning of the string held in the map object passed as an argument.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 544px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d1a5ca9554ecdb32f69314d7f34d363e/b3e51/image-20240308211534796.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABk0lEQVQoz02QW5OaQBSE+f//JLUqatV631QUdbOXx1TWjVdAkAEERhQvEb5MNA85NV2nz3SfrprRdLPBF7tGaW1Q8b5TC8Z0z0MenCfq2z7di0HZHVByv1FyDIUe+voF3R5RWo2Upmb3hWY6onMeoFVWOrpVoWoZVO1XOsmYMSrc7NJL+4oPaYgHasrXMls03RpdX6ezbVPf1GnLR4y8zzA3MK4G2tSdMxMz5mLLKkzZ7CV7dsw8l+AUkSq+jmf8cj+ZewsWYooZfiISwdqxcSMbWezYFVJ1ifbTnjBxPpiKACuRBOcEScKHMntZeOOraMrU+4F7cNhk6n7v4+9CROohjg6xCorz5AatbOmU7TK606eu/rAZjTCKAVWnQyv+qh7fpxF2KNlPSnumJ99o+u+0E+UN3+jKF9rxM4/eq+pjtK0XE/kxsQ+ZBH5zq0icuJ7u/CgDZCwoLjmoQ/EPV+7zf6UtFybL1RLLOuIHcL7cN0wz4pCd7+HRX31CGAYkMmGX+hz3GTuRcpCZchfkRa5Q8Ae3HvqV5mZkUgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d1a5ca9554ecdb32f69314d7f34d363e/8ac56/image-20240308211534796.webp 240w,\n/static/d1a5ca9554ecdb32f69314d7f34d363e/d3be9/image-20240308211534796.webp 480w,\n/static/d1a5ca9554ecdb32f69314d7f34d363e/cd5ab/image-20240308211534796.webp 544w\"\n              sizes=\"(max-width: 544px) 100vw, 544px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d1a5ca9554ecdb32f69314d7f34d363e/8ff5a/image-20240308211534796.png 240w,\n/static/d1a5ca9554ecdb32f69314d7f34d363e/e85cb/image-20240308211534796.png 480w,\n/static/d1a5ca9554ecdb32f69314d7f34d363e/b3e51/image-20240308211534796.png 544w\"\n            sizes=\"(max-width: 544px) 100vw, 544px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d1a5ca9554ecdb32f69314d7f34d363e/b3e51/image-20240308211534796.png\"\n            alt=\"image-20240308211534796\"\n            title=\"image-20240308211534796\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The subsequent steps reverse the extracted leading portion and prepend it to the original string.</p>\n<p>In other words, if 3 characters are taken from <code class=\"language-text\">ABC....XYZ</code>, the result becomes <code class=\"language-text\">CBADEFG...XYZ</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 595px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c3ebba0d3bddda9edad00cb570ddafd0/3dd3e/image-20240308212550418.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.500000000000004%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHklEQVQY001R2ZKDMAzj/78OXsoV7gRarqFcoYWO1nZ3dvZBY+eQIjlOnufoug61qWG0wbwssNZi27Y/7PuOnaq1h/SW11zp3jiOmKZJMPQ9HM/zcL8/YIxGnhcoyxJVVSHLMpRViSRJBL7vQyUplFJIVIw4VsS7IwwCBHTGHBZ3wjAkhz3a9iGbbduiIxitURGYVBQF0jSlWqJpGgEnWyjN5/PB+/3GcRwYBhYMQhLpRJAJxhgi1F9BeqCuG2itRaD4dV+Rc07AMXkkKwn3w4B5nuG4rgtNIkWeIYwiZGkmjhTFimjNETnF7XZDRDH5XMUxjSAQgeu6pE7Pp8zVYduW7G7bKhHWdRVwz+BLr+P7Gf+xEc7zFEGOvO9W+h9L9b+43sxyKwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c3ebba0d3bddda9edad00cb570ddafd0/8ac56/image-20240308212550418.webp 240w,\n/static/c3ebba0d3bddda9edad00cb570ddafd0/d3be9/image-20240308212550418.webp 480w,\n/static/c3ebba0d3bddda9edad00cb570ddafd0/536c8/image-20240308212550418.webp 595w\"\n              sizes=\"(max-width: 595px) 100vw, 595px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c3ebba0d3bddda9edad00cb570ddafd0/8ff5a/image-20240308212550418.png 240w,\n/static/c3ebba0d3bddda9edad00cb570ddafd0/e85cb/image-20240308212550418.png 480w,\n/static/c3ebba0d3bddda9edad00cb570ddafd0/3dd3e/image-20240308212550418.png 595w\"\n            sizes=\"(max-width: 595px) 100vw, 595px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c3ebba0d3bddda9edad00cb570ddafd0/3dd3e/image-20240308212550418.png\"\n            alt=\"image-20240308212550418\"\n            title=\"image-20240308212550418\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The following steps then reverse the portion that was <em>not</em> extracted (<code class=\"language-text\">CDEF...XYZ</code>).</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/8c2ded5943ad621a5c6bd1689e803ad7/9ba38/image-20240308212716697.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 19.583333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8UlEQVQY003NUWuCYBjFcb//F6mbDbbhgpZlVNhGY0XBClNXS1N7fTMro2z958SLPfDjnKvzKGrwSmNn0Dx0efab1NatnI6W9Ohc+5iRTVfccZ9UqMZPVJIHqpGKGmvUTzr1VKdxrhe0rIEyCVfM90uc9ItJOGYWmcWIc/zG/VnjSRc9f/IYtFA3NWqJxkvcY5JOsTIH82JhXeclC2UqfOzEY3la8SlmeXdY7Ba4Z5fgFrKWPqlMyA7AJXcrMyv7n3+ntDcj+vsP3o4D2oFBRwww5DuD05ARQ2xhs1x4+H6AiARCRkQ5uZWFbbwtxLu48AsViyJ9YC2JigAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/8c2ded5943ad621a5c6bd1689e803ad7/8ac56/image-20240308212716697.webp 240w,\n/static/8c2ded5943ad621a5c6bd1689e803ad7/d3be9/image-20240308212716697.webp 480w,\n/static/8c2ded5943ad621a5c6bd1689e803ad7/e46b2/image-20240308212716697.webp 960w,\n/static/8c2ded5943ad621a5c6bd1689e803ad7/11f77/image-20240308212716697.webp 1329w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/8c2ded5943ad621a5c6bd1689e803ad7/8ff5a/image-20240308212716697.png 240w,\n/static/8c2ded5943ad621a5c6bd1689e803ad7/e85cb/image-20240308212716697.png 480w,\n/static/8c2ded5943ad621a5c6bd1689e803ad7/d9199/image-20240308212716697.png 960w,\n/static/8c2ded5943ad621a5c6bd1689e803ad7/9ba38/image-20240308212716697.png 1329w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8c2ded5943ad621a5c6bd1689e803ad7/d9199/image-20240308212716697.png\"\n            alt=\"image-20240308212716697\"\n            title=\"image-20240308212716697\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As a result, the string becomes <code class=\"language-text\">CBAZYX...FED</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 604px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/91e38171daf7d7292553e7629ed92464/87254/image-20240308212751601.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA9ElEQVQY0z2QWZKDMAxEuf/FJh8sYbHxgs0OgUAVxQV6JE8yH65Wg9x6VlSWBdI0hbUWUkoIIYJ659D3A9q2Je3/dBio7uCcxziOaJoGZVmirutw//XaEH0DnfdQSsFoA02qqIm9lAJFUSDLMuR5HgLY8z8exEE8jAcc54lIVBXiOIanj/UnxBgK1Tp4rdUnWJKXIUApHXq2bcO+75imkagd3u8DUUZ0j58HDDXmNPlLwGRcMxXTJUlCJ8WTagaoKoF1XSlsgqfXzfOM46BAa00gYWRjLO3Fhd3wRKZp6PAF9qxd1/7v8LquELIsC0567n3f+AVwsGQTjgfeGgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/91e38171daf7d7292553e7629ed92464/8ac56/image-20240308212751601.webp 240w,\n/static/91e38171daf7d7292553e7629ed92464/d3be9/image-20240308212751601.webp 480w,\n/static/91e38171daf7d7292553e7629ed92464/059a8/image-20240308212751601.webp 604w\"\n              sizes=\"(max-width: 604px) 100vw, 604px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/91e38171daf7d7292553e7629ed92464/8ff5a/image-20240308212751601.png 240w,\n/static/91e38171daf7d7292553e7629ed92464/e85cb/image-20240308212751601.png 480w,\n/static/91e38171daf7d7292553e7629ed92464/87254/image-20240308212751601.png 604w\"\n            sizes=\"(max-width: 604px) 100vw, 604px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/91e38171daf7d7292553e7629ed92464/87254/image-20240308212751601.png\"\n            alt=\"image-20240308212751601\"\n            title=\"image-20240308212751601\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Finally, the entire string is reversed.</p>\n<p>After all these operations, the original string has been transformed into <code class=\"language-text\">DEFG...XYZABC</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 586px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cbed78f181cb2e2345554230c1f67eb8/a76f4/image-20240308212844605.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.500000000000004%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHUlEQVQY0zWRSXKEMAxFuf+x0iwaTILBDGYemjBTHOFHUoWFyhq+pSfbiaMIdV2jLEtkWSZWNy32fcd1XbjvG+d54jgOibdtF/+xdV0kz7auKxzXdWGSFLawiKi5iQ3yPKczRpIkiI1BSkN4sCbjXJqmUq/rhvIa3vsNpQKBcXzfR24tuq4TMZM2TYOCBvBFWxSI6bLWIb5/QtHwQK01aSvs24ZpmoSOT0cpJYK2baUBT+EmNs9giM7SsMIWkueYtSXV2W/oaZ61+74XEOf19SICI2Sy0v+KWZoIRfTQBQE8XyEkSib2PY+2KOXt5nnGOI7y7g4TDMNAyV9UVSWkPcXjOKCiz+q6XsQd5ZlgIJKR6qz70IrcZFlm6cH+H1T3qxA0qDh5AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cbed78f181cb2e2345554230c1f67eb8/8ac56/image-20240308212844605.webp 240w,\n/static/cbed78f181cb2e2345554230c1f67eb8/d3be9/image-20240308212844605.webp 480w,\n/static/cbed78f181cb2e2345554230c1f67eb8/7fed0/image-20240308212844605.webp 586w\"\n              sizes=\"(max-width: 586px) 100vw, 586px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cbed78f181cb2e2345554230c1f67eb8/8ff5a/image-20240308212844605.png 240w,\n/static/cbed78f181cb2e2345554230c1f67eb8/e85cb/image-20240308212844605.png 480w,\n/static/cbed78f181cb2e2345554230c1f67eb8/a76f4/image-20240308212844605.png 586w\"\n            sizes=\"(max-width: 586px) 100vw, 586px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cbed78f181cb2e2345554230c1f67eb8/a76f4/image-20240308212844605.png\"\n            alt=\"image-20240308212844605\"\n            title=\"image-20240308212844605\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After this function returns, the region at the top of the stack holds a copy of the original string, while the address that originally stored the input now holds the transformed string.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 824px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3e6646b87d51d5248c12aca27a7ffc07/c1c45/image-20240308213327017.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 104.58333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAVCAYAAABG1c6oAAAACXBIWXMAAAsTAAALEwEAmpwYAAACR0lEQVQ4y6VU2XLaQBDU/39UHDtgDBQQ3QKJQyCQuK8nh0BnekAY2zxYDlVT6Fj19nT3rOHYNlzXg2VZSJIxNpsN1uv1t8uo1+twHBcPDz/gej622y1Wq5W+5H/RMhzHRtBuo1atohOGynC1XGIplQMXY1irwbYd/Hp6gi1Mx+MxRqORVKKgOdMvA9qiYbvTQavVQhhFWCwWmM1m17pt/4saCkPHQeX5WZn2+310u120RYbhcFgckO76QQCaE4aRtLnAfD7XyhcVarnZbIq7Hsrlkpqz2+3eARVm2Go14UlcyqUSPP8tNt8BU8DfYgYZvlQqyvC/ARuNhk7K4+NPWOI4IxPHsZpDl4sG3HAusaHbkcRmv99ruD8WmX+8Pz97/9yoVl9gitOMjS8apmmKUZJowHmdphNMJhO9n06n1+tE1iSXdSw+z7IMBjMXSYXC0nFd9OR6MBho25kA6ChKK5ya/Dq/X13GM9dYGQbCigAMcSxFVmcWiTKaTmeXgC9VksAPEAQ+Xl//4N7PoPhvlM8tcYMkGWkLZEm2HEmGPWdzOPzF6XT6VEZbpoSgoZw0bD2OBzrTsYImekZSFm50OBxwOh5xlOLHdxl6kkHmz/c9iY9o2OspI8YnN4BSZFl6loXyyHuyZCI4WfzPS4PNQ4GAHTGGxflmnHgSWZYNjicPCzINpKOubHqe9Ts55GLTtJSdspUPTNMUIPMCaIHhZ6QIQtZkTE3vhd7gznSv1+te2yXLSDTVSNFZ2YRGEZAScIJuw31b/wDZsBQ3l/SX9AAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3e6646b87d51d5248c12aca27a7ffc07/8ac56/image-20240308213327017.webp 240w,\n/static/3e6646b87d51d5248c12aca27a7ffc07/d3be9/image-20240308213327017.webp 480w,\n/static/3e6646b87d51d5248c12aca27a7ffc07/5758c/image-20240308213327017.webp 824w\"\n              sizes=\"(max-width: 824px) 100vw, 824px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3e6646b87d51d5248c12aca27a7ffc07/8ff5a/image-20240308213327017.png 240w,\n/static/3e6646b87d51d5248c12aca27a7ffc07/e85cb/image-20240308213327017.png 480w,\n/static/3e6646b87d51d5248c12aca27a7ffc07/c1c45/image-20240308213327017.png 824w\"\n            sizes=\"(max-width: 824px) 100vw, 824px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3e6646b87d51d5248c12aca27a7ffc07/c1c45/image-20240308213327017.png\"\n            alt=\"image-20240308213327017\"\n            title=\"image-20240308213327017\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"lucifer-function\" style=\"position:relative;\"><a href=\"#lucifer-function\" aria-label=\"lucifer function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Lucifer function</h3>\n<p>The <code class=\"language-text\">Lucifer</code> function is called immediately after <code class=\"language-text\">zarathos</code> completes.</p>\n<p>It receives the rearranged string from <code class=\"language-text\">zarathos</code> and the character count as arguments.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/42d95f6ba835dd3b3c6d9911879bd938/3d405/image-20240308225255920.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAABwUlEQVQoz3VTybKbMBDk/z8slUMOrrL9zCZAGIgNSOzLY+uMZOPkOclUdWkuak13jwzmMaRpAZEXiJMYdVtjWRao2rZNQ5XIBUzThO/7GMcRwzCgaRp0XacxTZO+ZzDmIssqSFmBXwPcshuW+R+EQsJxXFwuFxRFibIsMc8z3su4XjmqsoMUBZKfEZqufpKtLzwmzGHbDhhjNFGPvu/1lPujO4wwJJn1DCEbki7RtAPG6UGyPfEgLIjQhkeE0zRjXVctcVewnwb3vqEuPIj7GVf+HentB6bBBRaObQ40sHKILIRlk+SPDyJaXxJ3opdk3zdRyBR5GiFJGMZPiXVpsa3dC8BAE961hxYF07StlqyCePfaYJ5PhjeEEnGcQJDh4+f0W/JzABWK6xKhZVEvNBTpn4Taw4AHlFqnPeJhgExm2h9F956yCsS2LUp3wf/K4CGlXA2a8J7eH69uX19VldMeqpVRu6h6KSWdOQVaoyUL1Bqp3uCco20G2sUcURyhH/6WsU94OBw0oUmyz6cTTqcz4aTTd12GKIpgeJ5HZOXzp0SouurLKuy9lAWOxyMcuuw4jg5H7aXyNAjIqizTE/8C8PxHzyeZhNcAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/42d95f6ba835dd3b3c6d9911879bd938/8ac56/image-20240308225255920.webp 240w,\n/static/42d95f6ba835dd3b3c6d9911879bd938/d3be9/image-20240308225255920.webp 480w,\n/static/42d95f6ba835dd3b3c6d9911879bd938/e46b2/image-20240308225255920.webp 960w,\n/static/42d95f6ba835dd3b3c6d9911879bd938/4d989/image-20240308225255920.webp 1348w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/42d95f6ba835dd3b3c6d9911879bd938/8ff5a/image-20240308225255920.png 240w,\n/static/42d95f6ba835dd3b3c6d9911879bd938/e85cb/image-20240308225255920.png 480w,\n/static/42d95f6ba835dd3b3c6d9911879bd938/d9199/image-20240308225255920.png 960w,\n/static/42d95f6ba835dd3b3c6d9911879bd938/3d405/image-20240308225255920.png 1348w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/42d95f6ba835dd3b3c6d9911879bd938/d9199/image-20240308225255920.png\"\n            alt=\"image-20240308225255920\"\n            title=\"image-20240308225255920\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The most notable part of the <code class=\"language-text\">Lucifer</code> implementation is the following:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">local_38<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\nlocal_38<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">0xfffffffe</span><span class=\"token punctuation\">;</span>\nlocal_38<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">0xffffffff</span><span class=\"token punctuation\">;</span>\nlocal_38<span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\nlocal_28 <span class=\"token operator\">=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">;</span>\nlocal_24 <span class=\"token operator\">=</span> <span class=\"token number\">3</span><span class=\"token punctuation\">;</span>\nlocal_10 <span class=\"token operator\">=</span> <span class=\"token function\">random_pick</span><span class=\"token punctuation\">(</span><span class=\"token number\">4</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nlocal_3c <span class=\"token operator\">=</span> local_38<span class=\"token punctuation\">[</span>local_10<span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>The values in <code class=\"language-text\">local_38</code> are expressed in two’s complement, which makes them harder to read, but they appear to define the range from -3 to 4 (with some values).</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 531px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/897eebbbd029a6205f48909fea02b2cb/d4713/image-20240308225928105.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 27.916666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHklEQVQY023Q607CQBBAYd7//RSNAnvpZXvvbmlLoexxsGhi4vyefDkzuyzL8f1C00DfR5YF7utKmgXu98hj6qoizx1V1dB3KUNomdqZwQ30jScNKbY3FINjp5Whay9UJRQuMk0bqHTH+gSdYMZY8qygqZUEVJzLEW88TdFxbI+8la+oTrFTSsvSRF1DWQo4b6Ax/W9h4QqsTQQu5RJN8DXnaiIkQcCWXMrG68h8m6VQG1nawErA+fIE7V8weYBuA72A4wO0gdo1uHPJz8jJ+huUN8mvBHwW6v8KBWxbQwgNo1zlrf8G86EAWY0xsnt5P6GzEetApRF5CWFe2R86wiUy3uBocvafhg+VkxQWnaZkOuAOnpMtUb0UX2FYIl8PHMd/8crsRQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/897eebbbd029a6205f48909fea02b2cb/8ac56/image-20240308225928105.webp 240w,\n/static/897eebbbd029a6205f48909fea02b2cb/d3be9/image-20240308225928105.webp 480w,\n/static/897eebbbd029a6205f48909fea02b2cb/a33a1/image-20240308225928105.webp 531w\"\n              sizes=\"(max-width: 531px) 100vw, 531px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/897eebbbd029a6205f48909fea02b2cb/8ff5a/image-20240308225928105.png 240w,\n/static/897eebbbd029a6205f48909fea02b2cb/e85cb/image-20240308225928105.png 480w,\n/static/897eebbbd029a6205f48909fea02b2cb/d4713/image-20240308225928105.png 531w\"\n            sizes=\"(max-width: 531px) 100vw, 531px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/897eebbbd029a6205f48909fea02b2cb/d4713/image-20240308225928105.png\"\n            alt=\"image-20240308225928105\"\n            title=\"image-20240308225928105\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The return value of <code class=\"language-text\">random_pick(4,0)</code> is unclear, but since it is used as the index in <code class=\"language-text\">local_3c = local_38[local_10]</code>, it is reasonable to assume that <code class=\"language-text\">local_10</code> receives a random value between -3 and 3.</p>\n<p>The subsequent code retrieves the argument string object, creates an iterator, and implements a loop:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">local_14 <span class=\"token operator\">=</span> param_1<span class=\"token punctuation\">;</span>\nlocal_40 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">begin</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nlocal_44 <span class=\"token operator\">=</span> std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    uVar2 <span class=\"token operator\">=</span> __gnu_cxx<span class=\"token operator\">::</span>operator<span class=\"token operator\">!=</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>local_40<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_44<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token punctuation\">)</span>uVar2 <span class=\"token operator\">==</span> <span class=\"token char\">'\\0'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    pcVar3 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>__gnu_cxx<span class=\"token operator\">::</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_40<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    local_15 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span>pcVar3<span class=\"token punctuation\">;</span>\n    local_1c <span class=\"token operator\">=</span> local_15 <span class=\"token operator\">+</span> local_3c<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">adfedd</span><span class=\"token punctuation\">(</span>extraout_ECX<span class=\"token punctuation\">,</span>extraout_EDX<span class=\"token punctuation\">,</span>local_1c<span class=\"token punctuation\">,</span>param_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    __gnu_cxx<span class=\"token operator\">::</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token operator\">++</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_40<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Here, the previously obtained <code class=\"language-text\">local_3c</code> is added to each character, and then an unknown function called <code class=\"language-text\">adfedd</code> is invoked.</p>\n<p>The decompilation of this function is as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">/* adfedd(int, int) */</span>\n<span class=\"token keyword\">void</span> __fastcall <span class=\"token function\">adfedd</span><span class=\"token punctuation\">(</span>__cxx11 <span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">,</span>undefined4 param_2<span class=\"token punctuation\">,</span>undefined4 param_3<span class=\"token punctuation\">,</span>undefined4 param_4<span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n  basic_string local_24 <span class=\"token punctuation\">[</span><span class=\"token number\">7</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  \n  std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span><span class=\"token function\">to_string</span><span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">,</span>param_3<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">append</span><span class=\"token punctuation\">(</span>local_24<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token operator\">~</span><span class=\"token function\">basic_string</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>It appears that the first argument (the value of each character plus <code class=\"language-text\">local_3c</code>) is converted to its decimal representation, and then each digit is appended as a string character.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7a1c0e6acdfe07d33bf975b63b95b033/5440e/image-20240308231205983.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 30.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLUlEQVQY021R22qDQBT0/z+mjy2k5KWvjUWzao0aibpuvOuKyTamcbq7LS2FHBgOHIa5cAzy8gBKVmDbNQ5vj0jMJ2QSpbNC5T6jkrvx1oh8B5a9BaUURVEgz3PQnKKua31L0gTDMMAIohhNzyFmoOMT+tOEe5MkKTabV3iehyiKEIYh9vu9vCdaMMsy9H0P410SaJZimi4ojkdUdYl5vmC53SQ+f3CTiZgUiHQ6xiiappYCAzjnGMdRY55nGL7vo20biPNVEhn4yHWiZVl+oUZVDIJAco66puKWZYm26/RWCc9nAUNFr6oKH+Kq3Xs+3BWM4ximaerKu93uD0GIVIoxln9XVq7K8XSaZY0WnXQUQvwTVXM4JLAsC4QQ2LYN13VBHKJF0zTVDdRTvgAIJ73xj88OAwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7a1c0e6acdfe07d33bf975b63b95b033/8ac56/image-20240308231205983.webp 240w,\n/static/7a1c0e6acdfe07d33bf975b63b95b033/d3be9/image-20240308231205983.webp 480w,\n/static/7a1c0e6acdfe07d33bf975b63b95b033/e46b2/image-20240308231205983.webp 960w,\n/static/7a1c0e6acdfe07d33bf975b63b95b033/365b6/image-20240308231205983.webp 1419w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7a1c0e6acdfe07d33bf975b63b95b033/8ff5a/image-20240308231205983.png 240w,\n/static/7a1c0e6acdfe07d33bf975b63b95b033/e85cb/image-20240308231205983.png 480w,\n/static/7a1c0e6acdfe07d33bf975b63b95b033/d9199/image-20240308231205983.png 960w,\n/static/7a1c0e6acdfe07d33bf975b63b95b033/5440e/image-20240308231205983.png 1419w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7a1c0e6acdfe07d33bf975b63b95b033/d9199/image-20240308231205983.png\"\n            alt=\"image-20240308231205983\"\n            title=\"image-20240308231205983\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This result is temporarily mapped to the previously mysterious region at <code class=\"language-text\">0x417148</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1b693e2d621e7967bb9504517ade51c4/0931d/image-20240308231405174.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 30.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABKklEQVQY01WQy26DMBBF8//f1GWlLqPQAE0wECrHQHjGrcGUx+14kkVraXSN0Jw5413w/oLP9BWTOaGvPCj5BjuEwJJgm2OqhO4xrMkgRIw0TVEUBfI859RaYxxH9H2PqqqwC8MIt1uLdQX6boLKK0wz+GzPcsfaBVEUIUkShpVlSVmgaRqGtW1LHAKePkJcLilPud81rleJr29NAxbGbdvKae3IhkIISCnZzqWDOzMHfhqGPIEN2wFmMNRsMc8PzW17ONrRQkSCijaiRtdc1zVJ3GGMIUZH3w12vu+T1ZUAK608Ii8VWt1hYcM/QDvheDwiCAIud3cyrt89RZZltPKNgPQjjmMMAz1sZyCVRKed8foPOE0/BPEZdjgcsN/v4Xke5/l8hlKKgb/EzcIk8oeSFwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1b693e2d621e7967bb9504517ade51c4/8ac56/image-20240308231405174.webp 240w,\n/static/1b693e2d621e7967bb9504517ade51c4/d3be9/image-20240308231405174.webp 480w,\n/static/1b693e2d621e7967bb9504517ade51c4/e46b2/image-20240308231405174.webp 960w,\n/static/1b693e2d621e7967bb9504517ade51c4/082bf/image-20240308231405174.webp 1373w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1b693e2d621e7967bb9504517ade51c4/8ff5a/image-20240308231405174.png 240w,\n/static/1b693e2d621e7967bb9504517ade51c4/e85cb/image-20240308231405174.png 480w,\n/static/1b693e2d621e7967bb9504517ade51c4/d9199/image-20240308231405174.png 960w,\n/static/1b693e2d621e7967bb9504517ade51c4/0931d/image-20240308231405174.png 1373w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1b693e2d621e7967bb9504517ade51c4/d9199/image-20240308231405174.png\"\n            alt=\"image-20240308231405174\"\n            title=\"image-20240308231405174\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"ghostridderswepon-function\" style=\"position:relative;\"><a href=\"#ghostridderswepon-function\" aria-label=\"ghostridderswepon function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>ghost<em>ridders</em>wepon function</h3>\n<p>The next function, <code class=\"language-text\">ghost_ridders_wepon</code>, was honestly difficult to understand.</p>\n<p>It simply creates a map object, stores <code class=\"language-text\">0x5e</code> and <code class=\"language-text\">0x2a</code> into it, and returns.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">/* ghost_ridders_wepon() */</span>\n<span class=\"token keyword\">void</span> <span class=\"token function\">ghost_ridders_wepon</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  undefined <span class=\"token operator\">*</span>puVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> local_e<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> local_d <span class=\"token punctuation\">[</span><span class=\"token number\">9</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  \n  local_e <span class=\"token operator\">=</span> <span class=\"token char\">'4'</span><span class=\"token punctuation\">;</span>\n  puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>_HM<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_e<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token operator\">*</span>puVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0x5e</span><span class=\"token punctuation\">;</span>\n  local_d<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token char\">'0'</span><span class=\"token punctuation\">;</span>\n  puVar1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>_HM<span class=\"token punctuation\">,</span>local_d<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token operator\">*</span>puVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0x2a</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"matter_manipulation-function\" style=\"position:relative;\"><a href=\"#matter_manipulation-function\" aria-label=\"matter_manipulation function permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>matter_manipulation function</h3>\n<p>When this function is called, it returns a pointer to the region containing the encrypted byte sequence.</p>\n<p>Since this is what ultimately gets written to the encrypted file, it is highly likely that this function performs the actual encryption.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5218dff83b524a3c44646d497ab599e2/f868f/image-20240308232810400.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 31.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLklEQVQY03WQ206EMBRF+f9fMtEnX0xmIshwa0EuQksHaJmiw0yAbWnig4nuZCV9OF375Dj+ywNS7wmcHlEEz6DeI2R5hGZv0I1nmZiLriYgNEVZliiKwlKWFRhjGIYBbdtCKQUnCCOwVuBr3tCeOyit8Vcu+hO+74OmFEIIK6jr2kgktPnTdR3GcYQThaFpaTBNN7CGoRUc9/sN27ZhW1eshj1DP+BwOFip57kW1915BaUUVVXZIocQgjzPIeUEYTblHceyLlZipYY9Uioj8XAKTgijAIQkSJLYEFnZTt/3ZsMosndRagLnLXo5/JL9CPVFm00IEhogzWJ81BXec4q8oGhYjaZpMM8znDiOkWUZRjnaA/fqH6GebLE4m/txbmd3uHmP4wXX6xXLsuAbUfG/kk85zU4AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/5218dff83b524a3c44646d497ab599e2/8ac56/image-20240308232810400.webp 240w,\n/static/5218dff83b524a3c44646d497ab599e2/d3be9/image-20240308232810400.webp 480w,\n/static/5218dff83b524a3c44646d497ab599e2/e46b2/image-20240308232810400.webp 960w,\n/static/5218dff83b524a3c44646d497ab599e2/2482d/image-20240308232810400.webp 1382w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5218dff83b524a3c44646d497ab599e2/8ff5a/image-20240308232810400.png 240w,\n/static/5218dff83b524a3c44646d497ab599e2/e85cb/image-20240308232810400.png 480w,\n/static/5218dff83b524a3c44646d497ab599e2/d9199/image-20240308232810400.png 960w,\n/static/5218dff83b524a3c44646d497ab599e2/f868f/image-20240308232810400.png 1382w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/5218dff83b524a3c44646d497ab599e2/d9199/image-20240308232810400.png\"\n            alt=\"image-20240308232810400\"\n            title=\"image-20240308232810400\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The implementation looks like this:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 710px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6340638609c0b07c84454afc136633c2/7131f/image-20240308232911922.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 71.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAYAAAAvxDzwAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB9UlEQVQ4y4VTDZOrIBDz///O62urgHwuCGpesL072+nMMbOzOGJMsmEwMeDmLO7e4a4ztI9wUcO7AhEgy4p93/G9zvtPa/DJYg4zJpa1BElAjA2lAK1ltCpYll4JbW1/gg42OrLqgA6TWjDPO5xtSB4oEiHZEDwgZ4da69+ASTRCUFA+4GIDvlhjrzHAOI/b5Pi+YNvaD1DvjzrvHzXY2WN2I1Sg9JwxpwyTBLoIDBkaVZFS6TAnHvtbPzGMsWAki5txMF22EVyvK9QklOohlCuUK0I/24513dnx3IPMt4P9tj2GNyz8yM7/oJWHUiMcn30uCHlBoGd+aRAixAhK3wm8wjnA+53P9Lksh8elpAegcGP8BM2o3LSChB6VjUMgi7qxEhaeqTUeU/+Vun+WnHh4siNG/vY2JbLcoHSB1p0Np8yhdcldfo/Pbx7xeSjCQ9prKJvpo+Brdrj06d4Ft2vEdDeIJiHxAsToyXR/+rYe/T1Gw9IqLD1zOcER3NdylJTKTDLk9C26xmxu9I75ZPCXpTwZl5cYHYBBPEJysExyTBX9TMkbeobXdWFxukcvP4xe1lvIB5tmZtBgZA6niTfF7GT2mGrO9JDvhT8VsS835VwvgPdZcJkYGQZcT8yfagReGYuN8ugfp19rZ1hfPDuDnUH/A1/lRM2bq92jAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6340638609c0b07c84454afc136633c2/8ac56/image-20240308232911922.webp 240w,\n/static/6340638609c0b07c84454afc136633c2/d3be9/image-20240308232911922.webp 480w,\n/static/6340638609c0b07c84454afc136633c2/457aa/image-20240308232911922.webp 710w\"\n              sizes=\"(max-width: 710px) 100vw, 710px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6340638609c0b07c84454afc136633c2/8ff5a/image-20240308232911922.png 240w,\n/static/6340638609c0b07c84454afc136633c2/e85cb/image-20240308232911922.png 480w,\n/static/6340638609c0b07c84454afc136633c2/7131f/image-20240308232911922.png 710w\"\n            sizes=\"(max-width: 710px) 100vw, 710px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6340638609c0b07c84454afc136633c2/7131f/image-20240308232911922.png\"\n            alt=\"image-20240308232911922\"\n            title=\"image-20240308232911922\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It defines a vector table, repeatedly appends strings inside a loop, and then returns a pointer to the region holding those appended strings.</p>\n<p>In summary, the value retrieved by <code class=\"language-text\">pcVar2 = (char *)std::map&lt;>::at(&amp;local_25);</code> is appended to the output string via <code class=\"language-text\">std::__cxx11::basic_string&lt;>::operator+=(param_1,*pcVar2);</code> to build the final return value.</p>\n<p>Since <code class=\"language-text\">local_25</code> is an iterator, the input value is processed here.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    uVar1 <span class=\"token operator\">=</span> __gnu_cxx<span class=\"token operator\">::</span>operator<span class=\"token operator\">!=</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>local_2c<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_30<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token punctuation\">)</span>uVar1 <span class=\"token operator\">==</span> <span class=\"token char\">'\\0'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    pcVar2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>__gnu_cxx<span class=\"token operator\">::</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_2c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    local_25 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span>pcVar2<span class=\"token punctuation\">;</span>\n    local_14 <span class=\"token operator\">=</span> <span class=\"token number\">0x68</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>vector<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">push_back</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>vector<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_14<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    local_13 <span class=\"token operator\">=</span> <span class=\"token number\">0x61</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>vector<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">push_back</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>vector<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_24<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_13<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    pcVar2 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>std<span class=\"token operator\">::</span>map<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span><span class=\"token function\">at</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>local_25<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    std<span class=\"token operator\">::</span>__cxx11<span class=\"token operator\">::</span>basic_string<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token operator\">+=</span><span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">,</span><span class=\"token operator\">*</span>pcVar2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    __gnu_cxx<span class=\"token operator\">::</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span><span class=\"token operator\">::</span>operator<span class=\"token operator\">++</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>__normal_iterator<span class=\"token operator\">&lt;</span><span class=\"token operator\">></span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>local_2c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>At this point, what the iterator is traversing is the string of decimal digit characters produced by the earlier conversion step.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1dc529f362bcccae18887c230a891f40/b1001/image-20240308233306254.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 25.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCklEQVQY022QzU6DQBRGef8XcWXsytidcWNMDCbUUCqUAQpMIYWByo/aluMwi8aFNzm5uYs58+WznKdbNs93JPaS4GXB6vEG8bqgfF9SrB40S0rnntx/YxtGZFlGWZYcjy3jODIMA6fTib7rzG19bAXFoaUfoawUqu/5b5q2w7ZtXNcliiLCMDSkaWoQQpDnEstbu+x2OxrVIfOMSh34/vliupwNFw1M1FWN46y0cH2VBUFg5PP7JEkoigJrrYV5vqdtR71nYc3ZSLRmmgzzqFppoYPnecRxbBIJESHlXldQ4Pu+SWptNh4iinWCTzKZoo7NVfJX2DSNSSWlpKoqk3jeM3On8yeD7vAXJTFzgdAgn90AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1dc529f362bcccae18887c230a891f40/8ac56/image-20240308233306254.webp 240w,\n/static/1dc529f362bcccae18887c230a891f40/d3be9/image-20240308233306254.webp 480w,\n/static/1dc529f362bcccae18887c230a891f40/e46b2/image-20240308233306254.webp 960w,\n/static/1dc529f362bcccae18887c230a891f40/445df/image-20240308233306254.webp 1380w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1dc529f362bcccae18887c230a891f40/8ff5a/image-20240308233306254.png 240w,\n/static/1dc529f362bcccae18887c230a891f40/e85cb/image-20240308233306254.png 480w,\n/static/1dc529f362bcccae18887c230a891f40/d9199/image-20240308233306254.png 960w,\n/static/1dc529f362bcccae18887c230a891f40/b1001/image-20240308233306254.png 1380w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1dc529f362bcccae18887c230a891f40/d9199/image-20240308233306254.png\"\n            alt=\"image-20240308233306254\"\n            title=\"image-20240308233306254\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In the subsequent <code class=\"language-text\">pcVar2 = (char *)std::map&lt;>::at(&amp;local_25);</code> call, passing the first character <code class=\"language-text\">8</code> as the argument returns the character <code class=\"language-text\">%</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9409bab009f94df696c4611794911157/fbfd6/image-20240308234026337.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 32.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABHUlEQVQY02WP3XKCMBCFef+36n1vtIUgiPyGBIEIAiZQ5DSJjtOOmzmT3WT227PO9/4DyekTbR2Dl18QjQ85pcCdY/thWtzmauLw/QBJkqAocmRZ9rpZySCEwDiOcFyX6EeKrp/BqxqX7oplucPE9pQJKWdE0QllWWpQgTzPkaYpUj2Ac4au6zBNExzPc+3Ui+hBaQHRC9z12bbtJRNKSoRh+ARlD5iWqTnnqOsa5/PZOHTtY99LMMbAKga1qIfDv0ClEAQBwmNkm42aptF9PeTthmEY7NoOIR5oQfWHQlVVaC4NlnV5A85qxm63h+sRvXqEw+FgZYbEcWy3NMasQ0oprldlrbeixbqu78B5ASHEQnzf/5eHx6OtsyzHL0nkwWIDgiXfAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9409bab009f94df696c4611794911157/8ac56/image-20240308234026337.webp 240w,\n/static/9409bab009f94df696c4611794911157/d3be9/image-20240308234026337.webp 480w,\n/static/9409bab009f94df696c4611794911157/e46b2/image-20240308234026337.webp 960w,\n/static/9409bab009f94df696c4611794911157/00474/image-20240308234026337.webp 1357w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9409bab009f94df696c4611794911157/8ff5a/image-20240308234026337.png 240w,\n/static/9409bab009f94df696c4611794911157/e85cb/image-20240308234026337.png 480w,\n/static/9409bab009f94df696c4611794911157/d9199/image-20240308234026337.png 960w,\n/static/9409bab009f94df696c4611794911157/fbfd6/image-20240308234026337.png 1357w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9409bab009f94df696c4611794911157/d9199/image-20240308234026337.png\"\n            alt=\"image-20240308234026337\"\n            title=\"image-20240308234026337\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Although the actual vector table mapping could not be found statically, tracing values through dynamic analysis revealed the following correspondence:</p>\n<ul>\n<li><code class=\"language-text\">%</code> : 8</li>\n<li><code class=\"language-text\">^</code> : 4</li>\n<li><code class=\"language-text\">#</code> : 5</li>\n<li><code class=\"language-text\">(</code> : 6</li>\n<li><code class=\"language-text\">)</code> : 1</li>\n<li><code class=\"language-text\">@</code> : 3</li>\n<li><code class=\"language-text\">$</code> : 2</li>\n<li><code class=\"language-text\">*</code> : 0</li>\n<li><code class=\"language-text\">&amp;</code> : 9</li>\n<li><code class=\"language-text\">!</code> : 7</li>\n</ul>\n<p>This was also confirmed by observing that the string <code class=\"language-text\">8485868762636465666768697071727374757677787980818283</code> was replaced with <code class=\"language-text\">%^%#%(%!($(@(^(#(((!(%(&amp;!*!)!$!@!^!#!(!!!%!&amp;%*%)%$%@</code>.</p>\n<h3 id=\"writing-the-solver\" style=\"position:relative;\"><a href=\"#writing-the-solver\" aria-label=\"writing the solver permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Writing the Solver</h3>\n<p>Based on the analysis so far, the encryption is performed in the following steps:</p>\n<ol>\n<li>Extract a random number of characters from the beginning of the original string, reverse them, and prepend the reversed portion to the original string (e.g., extracting 3 characters from <code class=\"language-text\">ABC....XYZ</code> yields <code class=\"language-text\">CBADEFG...XYZ</code>).</li>\n<li>Reverse the portion that was not extracted (reversing <code class=\"language-text\">CDEF...XYZ</code> gives <code class=\"language-text\">CBAZYX...FED</code>).</li>\n<li>Reverse the entire string (resulting in <code class=\"language-text\">DEFG...XYZABC</code>).</li>\n<li>Randomly select one of the values from -3 to 3 (approximately).</li>\n<li>For each character in the transformed string, subtract the value from step 4 and convert to decimal, then concatenate each digit as a string (for character <code class=\"language-text\">D</code>, the digits <code class=\"language-text\">6</code> and <code class=\"language-text\">8</code> would be appended).</li>\n<li>Replace each digit in the resulting digit string with the corresponding symbol.</li>\n</ol>\n<p>Of the steps above, the number of characters to extract in step 1 and the value selected in step 4 are both set randomly.</p>\n<p>However, since both ranges are small enough, brute-forcing is feasible for recovering the flag.</p>\n<p>Since brute-forcing the rearrangement step is not strictly necessary, the following solver was written:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">table <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token string\">'*'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'0'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">')'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'1'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'$'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'2'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'@'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'3'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'^'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'4'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'#'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'5'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'('</span><span class=\"token punctuation\">:</span><span class=\"token string\">'6'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'!'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'7'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'%'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'8'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'&amp;'</span><span class=\"token punctuation\">:</span><span class=\"token string\">'9'</span><span class=\"token punctuation\">}</span>\n\nhacked_texts <span class=\"token operator\">=</span> <span class=\"token triple-quoted-string string\">r\"\"\"%##^!)@#(!!(!$%)%&amp;%#(!^&amp;%#^(#*##^&amp;^%&amp;)&amp;)%^!)%)!*($($%$(#(%%&amp;%#@^@)^%!)!)((&amp;@##&amp;$###^^*&amp;@\n##@@^&amp;#^&amp;@@%####!$!@!@(#!)&amp;)%#%&amp;!$#^@^^%!*%)&amp;)&amp;@@((@!@@@(%!@(@(@!^%)%&amp;!!%#!!%###($@^\n((!^#!%#()^&amp;#)&amp;@#*%*^&amp;&amp;@(^^&amp;(@(%%@!^%&amp;#(@&amp;&amp;)&amp;)(%^(!&amp;%^!)%)!*%#(@(#%$(%%&amp;%*#*!(#)&amp;$@^(%!^(!#%\n^&amp;&amp;@%#@(#)#*%@%$^(^(%###(%%@!^%&amp;#(@&amp;&amp;)&amp;)!(%$((#*%^!)%)!*(%%&amp;(((%%#!(#)^(()^&amp;##^%%##*%*#*#*%!#)&amp;@#*%*\n!@((!!!(@&amp;@%@&amp;##!$((!#^&amp;###^!#()#%(*(!##^&amp;!$!)%#%@((((%#%&amp;%@!*!)(@!(&amp;@#(&amp;)%&amp;#(#!&amp;)%##^#^($!)#^@^!)!@\n!#%##*%*^&amp;#)&amp;@(^^&amp;(@%@%$!)(%%@!^#&amp;()&amp;@(*%&amp;#(@&amp;&amp;)&amp;)%^!)%)!*%#(@(#%$(%%&amp;#%&amp;@#*%*^&amp;&amp;@%*#*!(#)^(\n%)((%^@&amp;!(!(%^(^%@%&amp;#####*#^&amp;)@%^*@^@(&amp;)##^&amp;^*@(@@@&amp;()(*#%(*!!!!%#!)^&amp;#((@!)!$((@&amp;@%%)!@%#\n@&amp;^&amp;#^^%#^#@#@()(*#%#(!)%)^*@(@@^%&amp;)%&amp;&amp;)(%%#((%&amp;&amp;)%^!)%)!*(#%$(%%&amp;####^%#^^*@(#^^&amp;%@%#!(((@%\n(*()()%&amp;#&amp;&amp;@!!(((%^%@#@@#)!@(!%*!!%)!#(!!!(%!%%#&amp;)!)!!%$&amp;@%$!*!)!((&amp;%)&amp;@#*(@%*!@!@%#^*@((*(*\n%!!*&amp;@&amp;@%!%#@^@#%&amp;&amp;)^(#@%!%#(!!(@%^((&amp;@^@#%!%#(!%^&amp;@@#%!%#@&amp;@@@#%!@)%&amp;@@%!@^&amp;$%@%#%*!*%$(^&amp;)%#@#\n\"\"\"</span>\n\n<span class=\"token keyword\">for</span> n <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">3</span><span class=\"token punctuation\">,</span><span class=\"token number\">4</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> hacked_text <span class=\"token keyword\">in</span> hacked_texts<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        flag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n        buf <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n        <span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span>word <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>hacked_text<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            buf <span class=\"token operator\">+=</span> table<span class=\"token punctuation\">[</span>word<span class=\"token punctuation\">]</span>\n            <span class=\"token keyword\">if</span> i <span class=\"token operator\">%</span> <span class=\"token number\">2</span> <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">:</span>\n                flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span><span class=\"token operator\">+</span>n<span class=\"token punctuation\">)</span>\n                buf <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n        <span class=\"token keyword\">if</span> <span class=\"token string\">\"CTF\"</span> <span class=\"token keyword\">in</span> flag<span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this produces the following output:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">DL<span class=\"token punctuation\">;</span>W?35_4R3_B3AFUL<span class=\"token punctuation\">[</span>:<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span>F0QVISHWACTF<span class=\"token punctuation\">[</span>R4N5^<span class=\"token variable\">$FLE</span><span class=\"token operator\">&lt;</span>\n<span class=\"token assign-left variable\">MW4R35_B3AUTIFUL</span><span class=\"token operator\">=</span>?_<span class=\"token operator\">></span><span class=\"token punctuation\">[</span>:<span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span>VISHWACTF<span class=\"token punctuation\">[</span><span class=\"token operator\">&lt;</span>_4R3_R4N50\n<span class=\"token punctuation\">)</span><span class=\"token number\">382877</span>?<span class=\"token operator\">></span><span class=\"token operator\">&lt;</span>:IS*<span class=\"token operator\">&amp;</span><span class=\"token comment\">#2][]FWD[]VISHCTF[9928*&amp;83UWND(</span></code></pre></div>\n<p>The middle line, <code class=\"language-text\">MW4R35_B3AUTIFUL=?_>[:)]]VISHWACTF[&lt;_4R3_R4N50</code>, appears to match the expected flag format.</p>\n<p>Manually rearranging the pieces reveals that <code class=\"language-text\">VISHWACTF[4R3_R4N50MW4R35_B3AUTIFUL=]</code> is the correct flag.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>That was exhausting. My reverse-engineering skills clearly need more work…</p>","fields":{"slug":"/ctf-vishwa-ctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/english/"]},"frontmatter":{"date":"2024-03-08","description":"VishwaCTF 2024 Writeup","tags":["Rev (en)","English"],"title":"VishwaCTF 2024 Writeup","socialImage":{"publicURL":"/static/43712c165357eda25cb8c21582fd21f4/ctf-vishwa-ctf-2024.png"}}}},"pageContext":{"slug":"/ctf-vishwa-ctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}