Tags: rev 


# Writeup
We open the binary in IDA and see that it reads the input from stdin. The password must be 44 characters long, so we start with an input such as `aaaaaaaaaaabbbbbbbbbbbcccccccccccddddddddddd` (four 11-byte blocks, which makes it easy to tell which check handles which part). We set a breakpoint at `0x0040341F` and patch that instruction to `jnz`.
After the `fgets` call we analyze the important functions.
## sub_4018D9
We know this function handles the `bbbbbbbbbbb` part of the password because the instruction `movzx eax, byte ptr [eax]` loads the byte 0x62 (`b`).
At `cmp dl, al` we see that the first byte of the hardcoded key `(mv|GLp+Gv+` is compared with our input byte after it has been XORed twice, so we need to solve:
```
input[0] = ?
xor1 = 0xb
xor2 = 0x13
al = 0x28
```

The first input byte must be 0x30 (`0`) for this comparison to match the `al` register. After all the iterations we get `0und_Th3_n3`, so the input is now `aaaaaaaaaaa0und_Th3_n3cccccccccccddddddddddd`

## sub_401AB9
Entering the next function we see that it corresponds to the first part of the flag, since it works on `aaaaaaaaaaa`.
At the instruction `cmp bl, al` the first byte of the hardcoded key `}[2waHmrgxj` is compared with our input 0x61 plus two bytes, i.e. 0x63; after the sixth iteration the offset becomes plus four. We need to solve:
```
0x63-0x2 = 0x61 (our input)
0x7d-0x2 = 0x7b or { (correct input)
```

We get `{Y0u_Finctf`, and the correct input is `inctf{Y0u_F`. The input is now `inctf{Y0u_F0und_Th3_n3cccccccccccddddddddddd`
Entering `sub_4018A0` we see that it calls **IsDebuggerPresent**, so we just patch the conditional jump to `jnz`.

## sub_401E73
The next function corresponds to the `ddddddddddd` part of the password.
Here we need the `eax` register to be 0 after the `strncmp` call:
```
lea eax, [ebp+var_2A]
mov [esp+48h+Str2], eax ; Str2
lea eax, [ebp+var_1F]
mov [esp+48h+Str1], eax ; Str1
call strncmp
mov [ebp+var_14], eax
```

Str1 is the hardcoded string ``{`I5z%u5dL~`` and Str2 is our input 0x64 plus one byte, i.e. 0x65.
```
0x65-0x1 = 0x64 (our input)
0x7b-0x1 = 0x7a or z (correct input)
```

The string is `z_H4y$t4cK}`. The input is now `inctf{Y0u_F0und_Th3_n3cccccccccccz_H4y$t4cK}`

## sub_4024C3
In the last function we see that our input is processed from the end towards the beginning, so we replace the `ccccccccccc` part with `ABCDEFGHIJK` to tell the positions apart. To solve it we have the key `7D 15 41 1E 70 39 66 55 39 5D 6E` and another XORed value:
```
First:
0x4a+0x1 = 0x4b (our input)
0x7d-0x1 = 0x7c or | (correct input)
Second:
xor = 0x4b^0x7d #0x4b = input and 0x7d first value of key.
R= 0x15^0x7d = 0x68 or h (correct input) #0x15 second value of key.
Third:
xor = 0x49^0x15 #0x49 = input and 0x15 second value of key.
R= 0x41^0x15 = 0x54 or T (correct input) #0x41 third value of key.
And so on...
```

Finally we get the string `3dl3_In_Th|`, so the flag is: `inctf{Y0u_F0und_Th3_n33dl3_In_Th|z_H4y$t4cK}`
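To check the four derivations above in one run, here is an added solver script (not part of the original writeup) that recomputes every 11-byte segment from the hardcoded keys and the transforms observed in IDA; the function names follow the IDA subroutine names, and the rotation in `segment_401ab9` reproduces the writeup's observation that `{Y0u_Finctf` corresponds to the input `inctf{Y0u_F`.

```python
# Added example: recompute each password segment from the keys quoted in the
# writeup. Nothing here is read from the binary; the keys are copied from the text.

KEY_SUB_4018D9 = "(mv|GLp+Gv+"   # compared against input ^ 0xb ^ 0x13
KEY_SUB_401AB9 = "}[2waHmrgxj"   # compared against input + 2 (first six), + 4 (rest)
KEY_SUB_401E73 = "{`I5z%u5dL~"   # Str1 of strncmp, Str2 is input + 1
KEY_SUB_4024C3 = bytes.fromhex("7D 15 41 1E 70 39 66 55 39 5D 6E")  # walked backwards


def segment_4018d9(key: str = KEY_SUB_4018D9) -> str:
    # input ^ 0xb ^ 0x13 == key byte  =>  input == key byte ^ 0xb ^ 0x13
    return "".join(chr(ord(c) ^ 0xB ^ 0x13) for c in key)


def segment_401ab9(key: str = KEY_SUB_401AB9) -> str:
    # The added offset changes after the sixth iteration: +2, then +4.
    decoded = "".join(chr(ord(c) - (2 if i < 6 else 4)) for i, c in enumerate(key))
    # The decoded text "{Y0u_Finctf" is the input rotated by six positions,
    # so rotate it back to obtain what has to be typed.
    return decoded[6:] + decoded[:6]


def segment_401e73(key: str = KEY_SUB_401E73) -> str:
    # strncmp(Str1 = key, Str2 = input + 1) == 0  =>  input == key - 1
    return "".join(chr(ord(c) - 1) for c in key)


def segment_4024c3(key: bytes = KEY_SUB_4024C3) -> str:
    # Processed from the last input byte backwards: the last byte is key[0] - 1,
    # every earlier byte is key[i] ^ key[i - 1], as in the "Second"/"Third" steps.
    backwards = [key[0] - 1] + [key[i] ^ key[i - 1] for i in range(1, len(key))]
    return bytes(reversed(backwards)).decode()


def recover_flag() -> str:
    # Segment order follows the input layout aaaa...|bbbb...|cccc...|dddd...
    return segment_401ab9() + segment_4018d9() + segment_4024c3() + segment_401e73()


if __name__ == "__main__":
    print(recover_flag())
```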
by @naivenom
**PKTeam**