Rating:
I've got a really sad story for today. It's about a very famous dragon. If you stick around, maybe I'll give you a flag!
Author: micpap25
We're given another ELF file, it writes 32 DWORDs in a jumbled order, and then bitshifts them and adds the index into the variable for the flag. Here's part of the decompiled code...
ciphertext[36] = 179;
ciphertext[14] = 180;
ciphertext[6] = 235;
ciphertext[13] = 207;
...
ciphertext[9] = 87;
ciphertext[22] = 52;
ciphertext[27] = 151;
ciphertext[34] = 126;
for ( i = 0; i <= 36; ++i )
flag[i] = (ciphertext[i] >> 1) + i;
To reorder them I ran the program in gdb and dumped the variable
gef➤ x/36w $rbp-0x710
0x7fffffffda00: 0x000000c5 0x000000c4 0x000000bf 0x000000c1
0x7fffffffda10: 0x000000e0 0x000000c2 0x000000eb 0x000000da
0x7fffffffda20: 0x000000c0 0x00000057 0x000000d5 0x000000a9
0x7fffffffda30: 0x00000048 0x000000cf 0x000000b4 0x00000049
0x7fffffffda40: 0x000000c4 0x0000009d 0x000000a5 0x000000be
0x7fffffffda50: 0x00000040 0x000000a5 0x00000034 0x000000ae
0x7fffffffda60: 0x0000008f 0x0000003d 0x00000039 0x00000097
0x7fffffffda70: 0x000000b6 0x00000037 0x0000009a 0x00000089
0x7fffffffda80: 0x00000022 0x00000097 0x0000007e 0x000000a6
After some munging I got to this awful one-liner:
>>> ''.join([chr(i + (c >> 1) ) for i, c in enumerate(binascii.unhexlify(''.join('c5c4bfc1 e0c2ebda c057d5a9 48cfb449 c49da5be 40a534ae 8f3d3997 b6379a89 22977ea6'.split(' '))))])
'bcactf{th4t_0th3r_dr4g0n_76fw8kc1lav'
I probably just didn't extract the entire thing, so I added the ending curly brace to get...
Flag: bcactf{th4t_0th3r_dr4g0n_76fw8kc1lav}
