Tags: upx ida re
Rating: 2.5
### Given
```
My plaintext has been encrypted by an innocent friend of mine while playing around cryptographic libraries, can you help me to recover the plaintext , remembers it's just numbers and there's a space between some numbers which you need to remove the space and submit the recovered plain text as a flag.
Author: ElementalX
```
+ ELF file skidw4re
### Analysis
Running the program gives the following output:
```
This is the only message--------> ae385c6f1dd72132b2afcd4c25b9d35e0000000000000000
32 The message has been encrypted and written
```
A quick look in IDA suggests it's UPX-packed, so we unpack it with `upx`:
`upx -d skidw4re`
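The packing can also be confirmed statically before unpacking. The following is an added example, not part of the original writeup: it checks an ELF image for the `UPX!` magic, the UPX stub banner, and a missing section header table (typical of UPX output), and reports overall entropy. The function names and the sample ELF header are constructed for illustration.

```python
import math
import struct
from collections import Counter

UPX_MAGIC = b"UPX!"   # magic UPX writes into its packing headers
UPX_BANNER = b"This file is packed with the UPX executable packer"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def upx_indicators(data: bytes) -> dict:
    """Collect static UPX indicators from an ELF image held in memory."""
    if data[:4] != b"\x7fELF" or len(data) < 6:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian
    # e_shnum sits at a different offset in ELF32 and ELF64 headers
    shnum_off, hdr_len = (0x3C, 0x40) if is64 else (0x30, 0x34)
    if len(data) < hdr_len:
        raise ValueError("truncated ELF header")
    (e_shnum,) = struct.unpack_from(end + "H", data, shnum_off)
    found = {
        "magic_hits": data.count(UPX_MAGIC),
        "banner": UPX_BANNER in data,
        "no_section_headers": e_shnum == 0,
        "entropy": round(entropy(data), 2),
    }
    # Heuristic verdict: magic plus at least one supporting indicator
    found["likely_upx"] = found["magic_hits"] > 0 and (
        found["banner"] or found["no_section_headers"])
    return found

def sample_elf64(e_shnum: int, body: bytes) -> bytes:
    """Constructed 64-byte ELF64 header plus body, for the demo only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 0x40, 0,
                       0, 0x40, 0x38, 0, 0x40, e_shnum, 0)
    return ident + rest + body

if __name__ == "__main__":
    packed = sample_elf64(0, b"\x00" * 8 + UPX_MAGIC + b"$Info: " + UPX_BANNER)
    print(upx_indicators(packed))
```

To check the real binary, pass `open("skidw4re", "rb").read()` to `upx_indicators`. The markers can be stripped or altered, so their absence does not prove a file is unpacked.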
When we open the unpacked program in IDA, we find a lot of subroutines, but one named `main_EncryptAES` catches my eye.
![analysis](https://luftenshjaltar.info/writeups/0x41414141ctf/rev/ware/analysis.png)
We can see that it accepts a plaintext and encrypts it. I set a breakpoint at the end of the subroutine and start the debugger.
![debug](https://luftenshjaltar.info/writeups/0x41414141ctf/rev/ware/debug.png)
We can see that we indeed have a plaintext and that it is a bunch of numbers with a space in between.
### Implementation
Nothing much to do here. `321174068998067 98980909` was extracted from the debugger.
Knowing that the format of a flag is `flag{x}` and that the intro text said `remembers it's just numbers and there's a space between some numbers which you need to remove the space and submit the recovered plain text as a flag.`, I reconstruct the flag as `flag{32117406899806798980909}`.
### Flag found! flag{32117406899806798980909}