Rating:
Similar to wasm protected site 1, but this time there is no password, only the flag.
Enter the flag, and the program will check it for you
Author: Andrew
Same as before, we're given a wasm flag checker. I tried a couple of different things including attempting to generate c and look at it in IDA, but ran into
In file included from code.c:10:0:
wasm-rt-impl.h:22:10: fatal error: wasm-rt.h: No such file or directory
#include "wasm-rt.h"
^~~~~~~~~~~
compilation terminated.
and didn't know how to fix it. Eventually settled on using wasm-decompile, which just tries very hard to give something legible. Comments and reasonable variable names are my own.
;; generated with: wasm-decompile code.wasm
export memory memory(initial: 1, max: 0);
data d_bjsxPKMH7ND3bPRe(offset: 1000) =
"bjsxPKMH|"7N\1bD\043b]PR\19e%\7f/;\17";
function cmp(a:int, b:int):int {
var iterator:int;
var v0:int;
var v1:int;
loop L_a {
if ((iterator + v0)[0]:ubyte != ((iterator + v1)[0]:ubyte ^ (iterator * 9 & 127)) &
iterator != 27) { ;; loop limit
return 0
}
iterator = iterator + 1;
if (eqz((iterator - 1 + v0)[0]:ubyte)) { return 1 }
continue L_a;
}
return 0;
}
export function checkFlag(a:int):int {
return cmp(a, 1000)
}
From here I understood what to do - each character of the ciphertext is XOR'd according to its index into the flag, and then compared against my input.
>>> ct = b"bjsxPKMH|\"7N\x1bD\x043b]PR\x19e%\x7f/;\x17"
>>> ''.join([chr(c ^ ((i * 9) & 0x7f)) for i, c in enumerate(ct)])
'bcactf{w4sm-w1z4rDry-Xc0wZ}'
Flag: bcactf{w4sm-w1z4rDry-Xc0wZ}
