Abraxus's Blog

dvCTF rocca pia Write Up

Details:

Points: 50

Jeopardy style CTF

Category: reverse engineering

Write up:

First I checked what type of file this was: it was a 64-bit ELF file, so I opened it in a decompiler.

The main function was:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax

  if ( argc == 2 )
  {
    if ( (unsigned int)transform(argv[1], argv, envp) )
      puts("Nice try");
    else
      puts("Nice flag");
    result = 0;
  }
  else
  {
    printf("Usage: %s <password>\n", *argv);
    result = 1;
  }
  return result;
}

It was fairly obvious that I would need to look into the transform function, so that's where I started.

int __fastcall transform(__int64 a1)
{
  int i; // [rsp+14h] [rbp-1Ch]
  char *s2; // [rsp+18h] [rbp-18h]

  for ( i = 0; i < strlen(PASSWD); ++i )
  {
    if ( (i & 1) != 0 )
      s2[i] = *(_BYTE *)(i + a1) ^ 0x37;
    else
      s2[i] = *(_BYTE *)(i + a1) ^ 0x13;
  }
  return strncmp(PASSWD, s2, 0x16uLL);
}

This function took the input and XORed each byte (with 0x37 at odd indices and 0x13 at even indices) to produce a new string, which was then compared against PASSWD. Looking into the file data I saw that the passwd string was:

[0x77, 0x41, 0x50, 0x63, 0x55, 0x4C, 0x5A, 0x68, 0x7F, 0x06, 0x78, 0x04, 0x4C, 0x44, 0x64, 0x06, 0x7E, 0x5A, 0x22, 0x59, 0x74, 0x4A]

I then wrote a python script to work backwards from the passwd string to get the output:

# passwd string bytes
passw = [0x77, 0x41, 0x50, 0x63, 0x55, 0x4C, 0x5A, 0x68, 0x7F, 0x06, 0x78, 0x04, 0x4C, 0x44, 0x64, 0x06, 0x7E, 0x5A, 0x22, 0x59, 0x74, 0x4A]

# empty flag to write to
flag = ""

# loop through length of passwd (indentation is 4 spaces throughout; mixing tabs and spaces is a TabError in Python 3)
for x in range(len(passw)):
    # if the current index anded with 1 is not 0 (odd index)
    if (x & 1) != 0:
        # xor with 0x37
        flag += chr(passw[x] ^ 0x37)
    else:
        # else (even index) xor with 0x13
        flag += chr(passw[x] ^ 0x13)

# print the flag
print(flag)

Once run, the script returned:

dvCTF{I_l1k3_sw1mm1ng}
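As an added check (example code of mine, not part of the original write-up), this re-implements the binary's transform in Python so the recovered flag can be verified without running the ELF; the key is generalised to any repeating byte sequence, and a candidate shorter than PASSWD is assumed NUL-padded where the real binary would simply read whatever follows argv[1] in memory.

```python
# Added example: Python mirror of the binary's transform()/main() check.
# PASSWD is the byte array from the file data; KEY holds the two XOR
# constants from the decompiled loop (even index -> 0x13, odd -> 0x37).

PASSWD = bytes([0x77, 0x41, 0x50, 0x63, 0x55, 0x4C, 0x5A, 0x68, 0x7F, 0x06, 0x78,
                0x04, 0x4C, 0x44, 0x64, 0x06, 0x7E, 0x5A, 0x22, 0x59, 0x74, 0x4A])
KEY = bytes([0x13, 0x37])


def transform(candidate: bytes, key: bytes = KEY) -> bytes:
    """Forward transform as the binary does it: byte i is XORed with key[i % len(key)].

    The binary loops over strlen(PASSWD) regardless of the input length, so a short
    input makes it read past argv[1]. Assumption here: a short candidate is NUL-padded
    to len(PASSWD) rather than reading neighbouring memory.
    """
    padded = candidate[:len(PASSWD)].ljust(len(PASSWD), b"\x00")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(padded))


def check(candidate: bytes) -> bool:
    """Mirror of main(): True when transform(candidate) matches PASSWD (strncmp == 0)."""
    return transform(candidate) == PASSWD


def recover(target: bytes = PASSWD, key: bytes = KEY) -> bytes:
    """XOR is its own inverse, so applying the same repeating key to PASSWD yields the flag."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(target))


if __name__ == "__main__":
    flag = recover()
    print(flag.decode(), "->", "Nice flag" if check(flag) else "Nice try")
```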