Tags: re sha256 chacha game 


For full writeup: [https://mahaloz.re/ctf/hacktm-2020-hackdex/](https://mahaloz.re/ctf/hacktm-2020-hackdex/)

All of the binary's logic is in the `dex::extra()` function. After patching the `PRO_VERSION` check at offset 0xC6CF in the binary, you can follow the inputs received by `dex::get_input()` by entering “9” at the user selection menu. Before each call to `dex::get_input()`, an array is initialized with either a 3x4 or a 3x3 table. The tables are Boggle boards, listed below:

```
0: ["zel", "ann", "rig"],
1: ["tkl", "bui", "nrf"],
2: ["fri", "pen", "uad"],
3: ["emz", "bna", "xeh", "wtv"],
4: ["evo", "rux", "com", "gni"],
5: ["plz", "asi", "son"],
```

There is one board for each call that reads more input. Following the logic, we see a ChaCha cipher is initialized at 0xF550B with our input as the key. The cipher is then used to decrypt/encrypt the flag. After collecting all six words from the user, the program computes a SHA256 hash of the six words concatenated. The hash must equal: `F550BAA8068D9C17669E140626A9D7BF13EF0A66662AEB5910FC406BE196A287`.

Now we brute force all the words that can be formed Boggle-style on boards 0-5, using the provided hacktm.dex file as our word dictionary. We get the words: learning fun friend team overcoming passion. Entering these words at the pro-prompt then decrypts the flag and prints the final message with the flag: `HackTM{wh4t_4_cur10us_pow3r_w0rds_h4v3}`
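The brute force described above can be sketched as follows; this is an added example, not the solver from the original writeup. It assumes standard Boggle rules (eight-neighbour adjacency, no cell reused) and that the six words are joined with no separator before hashing; `WORDS` is a constructed stand-in for the hacktm.dex word list.

```python
import hashlib
from itertools import product

# Boards and target hash exactly as listed in the writeup.
BOARDS = [["zel", "ann", "rig"], ["tkl", "bui", "nrf"], ["fri", "pen", "uad"],
          ["emz", "bna", "xeh", "wtv"], ["evo", "rux", "com", "gni"],
          ["plz", "asi", "son"]]
TARGET = "F550BAA8068D9C17669E140626A9D7BF13EF0A66662AEB5910FC406BE196A287"
# Constructed stand-in for the hacktm.dex dictionary (the six solves plus decoys).
WORDS = ["learning", "fun", "friend", "team", "overcoming", "passion",
         "ring", "fur", "pen", "ten", "coming", "son", "zebra", "hacker"]

def on_board(board, word):
    """True if word can be traced through adjacent cells without reusing one."""
    rows, cols = len(board), len(board[0])

    def walk(r, c, i, used):
        if board[r][c] != word[i]:
            return False
        if i == len(word) - 1:
            return True
        used = used | {(r, c)}
        return any(walk(r + dr, c + dc, i + 1, used)
                   for dr in (-1, 0, 1) for dc in (-1, 0, 1)
                   if (dr or dc) and 0 <= r + dr < rows and 0 <= c + dc < cols
                   and (r + dr, c + dc) not in used)

    return any(walk(r, c, 0, frozenset()) for r in range(rows) for c in range(cols))

def candidates(boards, words):
    """Per-board list of dictionary words that the board can spell."""
    return [[w for w in words if on_board(b, w)] for b in boards]

def find_combo(cands, target_hex, sep=""):
    """First one-word-per-board tuple whose joined SHA256 equals target_hex."""
    for combo in product(*cands):
        if hashlib.sha256(sep.join(combo).encode()).hexdigest() == target_hex.lower():
            return combo
    return None

if __name__ == "__main__":
    cands = candidates(BOARDS, WORDS)
    print(cands)
    # Prints a tuple only if the assumed joining (no separator) matches the binary's.
    print(find_combo(cands, TARGET))
```

Filtering the dictionary per board first keeps the hash search to the product of six short candidate lists instead of every six-word combination in the dictionary.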