Tags: reverse-engineering xor 

Rating:

The given file is python 3 bytecode, which can be decompiled using a tool such as `uncompyle6`. The obtained code contains somewhat obfuscated variable and function names, one of the less obfuscated variables - `flagtext` - is hint text that runs across the screen when the program is run.

The program asks for a flag as input so it must check it somewhere. Digging through the code, the part displaying the flag wrapper has variables `input_x` and `cur_x`, which line up with the beginning of the input text and the cursor after it. The cursor position is dependent on the length of `girafix`, which is presumably the input text. `girafix` gets passed to `lababa` once it is `26` characters long, so that is the checker function, where after renaming the variables to something more sensible:

```python 3
def cryptfun1(param):
locarr = [
73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68]
result = ''
for c in range(len(locarr)):
if param[c] != chr(locarr[c] ^ ord(keystring[c])):
return 'bbblalaabalaabbblala'
b2a = ''
a2b = [122, 86, 75, 75, 92, 90, 77, 24, 24, 24, 25, 106, 76, 91, 84, 80, 77, 25, 77, 81, 92, 25, 92, 87, 77, 80, 75, 92, 25, 74, 77, 75, 80, 87, 94, 25, 88, 74, 25, 95, 85, 88, 94]
for bbb in a2b:
b2a += chr(bbb ^ 57)
else:
return b2a
```

where `keystring` (originally `babababa`) is a string from one of the setup functions earlier:

```python 3
babababa = 'you-may-need-this-key-1337'
```

This is a simple xor cipher, and the result is just

```python 3
"".join(chr(locarr[c] ^ ord(keystring[c])) for c in range(26))
# 0bfu5c4710ns_v5_4n1m4710ns
```

Which works in the program and yields the flag `darkCON{0bfu5c4710ns_v5_4n1m4710ns}` when combined with the wrapper.

Original writeup (https://github.com/keyboard-monkeys/ctf-writeups/blob/main/2021-darkctf/reverse_read.md).