The `main` program provides a fake flag (`uiuctf{v3Ry_r341_@rTT}`), but by looking into the pointers to the fake flag I found some weird strings at 0x555555554f80 to 0x55555555505f.

The fake flag string is also referenced at 0x55555555491a, and this func_91a is in turn called at 0x555555554a5a.

So func_a5a xors each byte from 0x555555554973 to 0x555555554973+0x7e with a constant value returned by func_91a. However, the xor-ed region is in an RX segment and is not writable, so I patch the code manually with Python.

```
with open("ReddsArt_raw.bin", "rb") as f:
    code = f.read()

# print(hexdump(code[0x973:]))
header = code[0:0x973]
body = code[0x973:0x973 + 0xe7]
footer = code[0x973 + 0xe7:]
# undo func_a5a: XOR every byte of the encoded region with the constant from func_91a
new_body = bytes(x ^ 0x1e for x in body)
new_code = header + new_body + footer

with open("new_ReddsArt", "wb") as new_f:
    new_f.write(new_code)
```
Now Ghidra gives the disassembly and decompiled code at 0x555555554973. Here's the pseudocode:
```
void magic(void)

{
    char cVar1;
    size_t sVar2;
    ulong uVar3;
    int local_2c;
    int local_28;

    cVar1 = *(char *)((long)cRam0000000000000009 + 9);
    local_2c = 0;
    while( true ) {
        sVar2 = strlen(PTR_s_hthzgubI>*ww7>z+Ha,m>W,7z+hmG`_555555756028);
        if (sVar2 <= (ulong)(long)local_2c) break;
        PTR_s_hthzgubI>*ww7>z+Ha,m>W,7z+hmG`_555555756028[local_2c] =
            PTR_s_hthzgubI>*ww7>z+Ha,m>W,7z+hmG`_555555756028[local_2c] + cVar1;
        local_2c = local_2c + 1;
    }
    uVar3 = FUN_55555555491a();
    local_28 = 0;
    while( true ) {
        sVar2 = strlen(PTR_s_hthzgubI>*ww7>z+Ha,m>W,7z+hmG`_555555756028);
        if (sVar2 <= (ulong)(long)local_28) break;
        PTR_s_hthzgubI>*ww7>z+Ha,m>W,7z+hmG`_555555756028[local_28] =
            PTR_s_hthzgubI>*ww7>z+Ha,m>W,7z+hmG`_555555756028[local_28] ^ (byte)uVar3;
        local_28 = local_28 + 1;
    }
    return;
}
```

Basically the code does two things to the string at 0x555555554fc0: first cVar1 is added to each char, then each char is xor-ed with uVar3.

From the disassembly, I'm not sure if I did this correctly, but there's a line of `movzx eax, byte ptr [9]` at 0x555555554988, and this is relevant to cVar1. So I wrote this script to brute-force all 0x100 possible values of cVar1 and got the flag.

```
# pwntools was only used for the commented-out hexdump(); not needed otherwise
# from pwn import *

def str_len(content):
    """Emulate C strlen(): count bytes up to the first NUL."""
    length = 0
    for x in content:
        if x == 0:
            return length
        length += 1
    return length

with open("ReddsArt_raw.bin", "rb") as f:
    code = f.read()

# print(hexdump(code[0x973:]))
header = code[0:0x973]
body = code[0x973:0x973 + 0xe7]
footer = code[0x973 + 0xe7:]

# undo func_a5a's XOR over the encoded code region
new_body = bytes(x ^ 0x1e for x in body)

new_code = header + new_body + footer

new_header = new_code[:0xfc0]
new_body = new_code[0xfc0:0xfc0 + 0x1e]
new_footer = new_code[0xfc0 + 0x1e:]

# new_body is b"hthzgubI>*ww7>z+Ha,m>W,7z+hmG`"
original = bytes(new_body)

uVar3 = 0x1e
for cVar1 in range(0, 0x100):
    tmp = bytearray(original)
    # first loop of magic(): add cVar1 to every byte, stopping at the first NUL
    local_2c = 0
    while True:
        sVar2 = str_len(tmp)
        if sVar2 <= local_2c:
            break
        tmp[local_2c] = (tmp[local_2c] + cVar1) % 0x100
        local_2c += 1

    # second loop of magic(): XOR every byte with uVar3, again up to the first NUL
    local_2c = 0
    while True:
        sVar2 = str_len(tmp)
        if sVar2 <= local_2c:
            break
        tmp[local_2c] = tmp[local_2c] ^ uVar3
        local_2c += 1

    outcome = bytes(tmp)
    if b"uiuc" in outcome or b"UIUC" in outcome:
        print(cVar1, outcome)
```
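As an added example that is not part of the write-up, here is a standalone reimplementation of `magic()` applied to the recovered string, assuming uVar3 = 0x1e as above. Instead of trying all 0x100 values of cVar1, it solves for cVar1 directly from the known `uiuctf{` prefix: since out[i] = (enc[i] + k) ^ u, every prefix byte gives k = ((out[i] ^ u) - enc[i]) mod 256, and all of them must agree. The brute-force search is kept only to confirm the key is unique. The `strlen` emulation, the function names and the prefix constant are my choices, not the binary's.

```python
# Added example (not the write-up's own script). It works on the 0x1e-byte
# string the write-up extracted at 0xfc0, embedded here as a constant, and
# assumes uVar3 = 0x1e as stated above.

ENCODED = b"hthzgubI>*ww7>z+Ha,m>W,7z+hmG`"  # string at 0x555555554fc0 after un-xoring the code
UVAR3 = 0x1e                                 # XOR constant returned by func_91a
KNOWN_PREFIX = b"uiuctf{"                    # flag format; the write-up's own check looked for "uiuc"


def strlen(buf):
    """Emulate C strlen(): length up to the first NUL byte."""
    for i, b in enumerate(buf):
        if b == 0:
            return i
    return len(buf)


def magic(encoded, cvar1, uvar3):
    """Re-implementation of magic(): add cVar1 to every byte (mod 256), then
    XOR every byte with uVar3. strlen() is re-evaluated on every iteration,
    exactly like the decompiled loops, so a key that turns some byte into
    a NUL truncates both passes at that point."""
    buf = bytearray(encoded)
    i = 0
    while i < strlen(buf):
        buf[i] = (buf[i] + cvar1) & 0xff
        i += 1
    i = 0
    while i < strlen(buf):
        buf[i] ^= uvar3
        i += 1
    return bytes(buf)


def solve_cvar1(encoded, uvar3, known_prefix):
    """Recover cVar1 algebraically from a known plaintext prefix.
    Returns k if every prefix byte yields the same k, otherwise None."""
    candidates = {((p ^ uvar3) - e) & 0xff for e, p in zip(encoded, known_prefix)}
    return candidates.pop() if len(candidates) == 1 else None


def brute_force(encoded, uvar3, known_prefix):
    """The write-up's approach: try every cVar1 and keep the ones whose
    output starts with the known prefix."""
    return [k for k in range(0x100)
            if magic(encoded, k, uvar3).startswith(known_prefix)]


def recover_flag(encoded=ENCODED, uvar3=UVAR3, known_prefix=KNOWN_PREFIX):
    """Solve for the key, cross-check it against exhaustive search, and
    return (key, decoded string)."""
    k = solve_cvar1(encoded, uvar3, known_prefix)
    if k is None:
        raise ValueError("known prefix is not consistent with a single add-key")
    hits = brute_force(encoded, uvar3, known_prefix)
    if hits != [k]:
        raise ValueError(f"expected a unique key {k:#04x}, brute force found {hits}")
    return k, magic(encoded, k, uvar3)


if __name__ == "__main__":
    key, flag = recover_flag()
    print(f"cVar1 = {key:#04x}, flag = {flag.decode()}")
```

Because the per-byte map k ↦ ((enc[0] + k) & 0xff) ^ u is a bijection, a single known plaintext byte already pins cVar1 down; the extra prefix bytes act as a consistency check that the add-then-xor model of `magic()` is right. If uVar3 were also unknown, the same `solve_cvar1` could be run for each of the 256 candidate uVar3 values and only the one where all prefix bytes agree kept.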