Rating:
## krev (reverse, 200)
### Solution
What making this challenge complex is that it's wrapped in a NetBSD kernel module.
We're given a NetBSD VM with gdb to debug, but I simply copy the `chall1.kmod` from the VM.
Try to decompile the module, we'll se some functions.
* `chall1_close`
* `chall1_open`
* `chall1_write`
* `chall1_modcmd`
* `md5hash`
* `sha1hash`
* `get_flag_ready`
* `chall1_read`
We're intereseted in `chall1_read`
```c
int __cdecl chall1_read(int a1, int a2, int a3)
{
  int result; // eax
  char *v4; // ebx
  size_t v5; // eax
  size_t v6; // eax
  char s; // [esp+10h] [ebp-58h]
  if ( *buf != 'g'
    || buf[1] != 'i'
    || buf[2] != 'v'
    || buf[3] != 'e'
    || buf[4] != '_'
    || buf[5] != 't'
    || buf[6] != 'h'
    || buf[7] != 'i'
    || buf[8] != 's'
    || buf[9] != '_'
    || buf[10] != 't'
    || buf[11] != 'o'
    || buf[12] != '_'
    || buf[13] != 'g'
    || buf[14] != 'e'
    || buf[15] != 't'
    || buf[16] != '_'
    || buf[17] != 'f'
    || buf[18] != 'l'
    || buf[19] != 'a'
    || buf[20] != 'g' )
  {
    snprintf(&s, 0x19u, "%s", "Why don't you try again?");
    result = uiomove(&s, 24, a3);
  }
  else
  {
    get_flag_ready();
    v4 = flag;
    v5 = strlen(flag);
    snprintf(&s, v5 + 1, "%s", v4);
    v6 = strlen(flag);
    result = uiomove(&s, v6 + 1, a3);
  }
  return result;
}
```
Looks like, if `buf` equals `give_this_to_get_flag`, then it will call `get_flag_ready` and return the flag to user space.
Let's see what's in `get_flag_ready` next.
```c
size_t get_flag_ready()
{
  size_t i; // ebx
  size_t key_len; // eax
  char code[41]; // [esp+4h] [ebp-2Ch]
  code[0] = 0x56;
  code[1] = 0x5C;
  code[2] = 0x50;
  code[3] = 5;
  code[4] = 0x4D;
  code[5] = 0xF;
  code[6] = 0x53;
  code[7] = 0x47;
  code[8] = 0x76;
  code[9] = 0x57;
  code[10] = 0x21;
  code[11] = 0x3A;
  code[12] = 0x5E;
  code[13] = 6;
  code[14] = 0x3B;
  code[15] = 0xD;
  code[16] = 0x11;
  code[17] = 0x16;
  code[18] = 2;
  code[19] = 9;
  code[20] = 0xB;
  code[21] = 0x67;
  code[22] = 0x1B;
  code[23] = 0x52;
  code[24] = 0x41;
  code[25] = 0x6B;
  code[26] = 0x40;
  code[27] = 0x5D;
  code[28] = 0x56;
  code[29] = 0x17;
  code[30] = 0x5D;
  code[31] = 1;
  code[32] = 0x3A;
  code[33] = 4;
  code[34] = 0x13;
  code[35] = 0x1D;
  code[36] = 0x68;
  code[37] = 0x50;
  code[38] = 6;
  code[39] = 0x45;
  md5hash();
  sha1hash();
  for ( i = 0; ; ++i )
  {
    key_len = strlen(key);
    if ( i >= key_len )
      break;
    flag[i] = code[i] ^ key[i];
  }
  return key_len;
}
```
`flag` is computed by XOR `code` with `key`, but what is `key`?
```c
int md5hash()
{
  const char *data; // esi
  unsigned int len; // eax
  char *p; // esi
  char *output; // ebx
  int result; // eax
  char digest[16]; // [esp+10h] [ebp-70h]
  char ctx; // [esp+20h] [ebp-60h]
  MD5Init(&ctx;;
  data = buf;
  len = strlen(buf);
  MD5Update(&ctx, data, len);
  p = digest;
  MD5Final(digest, &ctx;;
  output = buf2;
  do
  {
    result = snprintf(output, 5u, "%02x", (unsigned __int8)*p++);
    output += 2;
  }
  while ( output != (char *)&unk_80006D4 );
  return result;
}
```
In `md5hash`, `buf` is hashed by md5 and written to `buf2`. In `sha1hash`, it will perform similar work, hashes `buf2` into `key`. Finally, now we know `key` is `sha1(md5(buf))`, so `flag = code ^ sha1(md5(buf))`.
Here's the script to decrypt it.
```python
#!/usr/bin/env python3
from hashlib import md5, sha1
key = b"give_this_to_get_flag"
key = md5(key).hexdigest().encode()
key = sha1(key).hexdigest().encode()
code =  b'\x56\x5c\x50\x05\x4d\x0f\x53\x47'
code += b'\x76\x57\x21\x3a\x5e\x06\x3b\x0d'
code += b'\x11\x16\x02\x09\x0b\x67\x1b\x52'
code += b'\x41\x6b\x40\x5d\x56\x17\x5d\x01'
code += b'\x3a\x04\x13\x1d\x68\x50\x06\x45'
print("".join([chr(a ^ b) for a, b in zip(key, code)]))
```
The flag is `flag{netB5D_i5_4ws0m3_y0u_sh0uld_7ry_i7}`