Tags: reverse
Rating: 2.0
Decompile it with IDA:
__int64 __fastcall sub_1230(unsigned int a1)
{
int v1; // eax
int i; // ecx
int v3; // edi
v1 = 0;
for ( i = 0; i != 32; ++i )
{
v3 = __ROR4__(a1 * a1, i);
a1 = v1 ^ (4919 * v3 + 69210935);
v1 += 322376503;
}
return HIBYTE(a1) + a1 + HIWORD(a1) + (a1 >> 8);
}
__int64 __fastcall main(int a1, char **a2, char **a3)
{
size_t v3; // rax
__int64 v4; // rsi
unsigned int *v5; // r8
char v7[264]; // [rsp+0h] [rbp-108h] BYREF
puts("Welcome to CTFd+!");
puts("So far, we only have one challenge, which is one more than the number of databases we have.\n");
puts("Very Doable Pwn - 500 points, 0 solves");
puts("Can you help me pwn this program?");
puts("#include <stdio.h>\nint main(void) {\n puts(\"Bye!\");\n return 0;\n}\n");
puts("Enter the flag:");
fgets(v7, 256, stdin);
v3 = strcspn(v7, "\n");
v4 = 0LL;
v5 = (unsigned int *)&unk_4060;
v7[v3] = 0;
do
{
if ( (unsigned __int8)sub_1230(v5[v4]) != v7[v4] )
{
puts("Incorrect flag.");
return 0LL;
}
++v4;
}
while ( v4 != 47 );
puts("You got the flag! Unfortunately we don't exactly have a database to store the solve in...");
return 0LL;
}
then use dynamic debugging and set breakpoint at the if statement (patched return 0LL; to NOP).
You can also use hook or re-compile the program to output the flag.
lactf{m4yb3_th3r3_1s_s0m3_m3r1t_t0_us1ng_4_db}
