Tags: trivial rev gdb
Decompile the binary with [https://dogbolt.org/](https://dogbolt.org/). The important code, as shown by Ghidra:
```
/* Ghidra decompilation of the program entry point.
 * `undefined8` is Ghidra's placeholder for an 8-byte value of unknown type.
 * The visible control flow is: print the banner, pause, run secretFunction(),
 * pause again, return 0. Nothing in this body calls printFlag(). */
undefined8 main(void)
{
puts("=====FLAG-GENERATOR-INATOR-3000=====");
sleep(2);
/* The only non-libc call made from main. */
secretFunction();
sleep(2);
return 0;
}
/* Ghidra decompilation of the decoy routine called from main().
 * It prints an ASCII-art banner one row at a time, shows a fake progress
 * counter driven by rand(), and then prints "no flag for you :(" and "bye.".
 * It takes no arguments, reads no input, and does not reference printFlag()
 * or `keys`, so nothing on this path produces the flag. */
void secretFunction(void)
{
int iVar1;
time_t tVar2;
int local_c;
/* Banner: seven rows, each followed by a one-second sleep (three seconds after the last row). */
puts(
" __ __ _______ _______ ___ _ _______ ______ __ __ _______ __ _ ____ _______ ____ _______ "
);
sleep(1);
puts(
"| | | || _ || || | | || || _ | | |_| || _ || | | || | | _ || | | |"
);
sleep(1);
puts(
"| |_| || |_| || || |_| || ___|| | || | || |_| || |_| | | | | | | | | | |___ |"
);
sleep(1);
puts(
"| || || || _|| |___ | |_||_ | || || | | | | |_| | | | | |"
);
sleep(1);
puts(
"| || || _|| |_ | ___|| __ || || || _ | | | |___ | | | | |"
);
sleep(1);
puts(
"| _ || _ || |_ | _ || |___ | | | || ||_|| || _ || | | | | | | | | | | |"
);
sleep(1);
puts(
"|__| |__||__| |__||_______||___| |_||_______||___| |_||_| |_||__| |__||_| |__| |___| |___| |___| |___|"
);
sleep(3);
puts("");
puts("===========================");
/* Seed rand() from the current time; the random values are only used for the progress display below. */
tVar2 = time((time_t *)0x0);
srand((uint)tVar2);
/* local_c steps 0, 20, 40, 60, 80 (0x14 == 20): five iterations, one second apart. */
for (local_c = 0; local_c < 100; local_c = local_c + 0x14) {
iVar1 = rand();
/* Prints local_c + (rand() % 19) (0x13 == 19).
 * The '%' after "%d" is not followed by a conversion character; a literal
 * percent sign would be written "%%". The string is shown as decompiled. */
printf("Loading %d%\n",(ulong)(uint)(local_c + iVar1 % 0x13));
sleep(1);
}
puts("Program Complete.");
sleep(2);
puts("no flag for you :(");
sleep(2);
puts("bye.");
return;
}
```
Clearly, running the program normally only calls secretFunction() and then exits.
However, there's another function called printFlag! Maybe we can call that?
```
/* Ghidra decompilation of printFlag(), with parts elided by the write-up author
 * (the ".. (shortened for readability)" lines).
 * Visible behaviour: zero a stack buffer, store 32-bit constants into it, call a
 * series of phaseN() functions, then print 0x26 (38) characters, each one the XOR
 * of a 4-byte entry of the global `keys` with the matching 4-byte stack slot.
 * The function takes no arguments and reads no input in the code shown.
 * NOTE(review): the phaseN() bodies and the definition of `keys` are not in this
 * listing, so whether the phases modify `keys` cannot be determined from here.
 * NOTE(review): both XOR operands are available inside the running process
 * (constants in this function, `keys` as a global), so the XOR is obfuscation
 * only; it does not protect the value from anyone who can run or debug the binary. */
void printFlag(void)
{
long lVar1;
undefined8 *puVar2;
undefined8 local_b8;
undefined4 local_b0;
.. (shortened for readability)
undefined4 local_28;
undefined4 local_24;
int local_c;
/* Zero 0x14 (20) consecutive 8-byte words starting at local_b8, i.e. 160 bytes. */
puVar2 = &local_b8;
for (lVar1 = 0x14; lVar1 != 0; lVar1 = lVar1 + -1) {
*puVar2 = 0;
puVar2 = puVar2 + 1;
}
/* `local_b8._0_4_` / `._4_4_` is Ghidra notation for the 4-byte pieces at
 * offsets 0 and 4 of the 8-byte local_b8: the buffer is filled as 32-bit slots. */
local_b8._0_4_ = 0x41;
local_b8._4_4_ = 10;
.. (shortened for readability)
/* Going by Ghidra's offset-based names, local_24 sits 0x94 (148) bytes after
 * local_b8, which makes it slot 37, the last slot read by the loop below. */
local_28 = 0x40;
local_24 = 0x39;
/* Calls into phase1..phase14, several of them repeated; their bodies are not shown. */
phase1();
phase2();
phase3();
phase4();
phase5();
phase6();
phase7();
phase8();
phase9();
phase10();
phase11();
phase12();
phase13();
phase14();
phase9();
phase2();
phase12();
phase2();
phase6();
phase7();
phase8();
phase11();
/* Emit 38 characters: keys[i] XOR slot[i], with both sides read as 4-byte uints
 * (index scaled by 4). 38 * 4 = 152 bytes, inside the 160 bytes zeroed above. */
for (local_c = 0; local_c < 0x26; local_c = local_c + 1) {
putchar(*(uint *)(keys + (long)local_c * 4) ^ *(uint *)((long)&local_b8 + (long)local_c * 4));
}
puts("");
return;
}
```
Besides all the phases, which seem to mainly be there to make the code harder to read, this code seems like it probably will just print the flag!
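Enter GDB and set a breakpoint at main. Run the program and, once the breakpoint is hit, enter `call (int) printFlag()` to get the flag! The breakpoint is only there to stop inside a live process: GDB can then call any function by its symbol name, even one the program itself never reaches.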
TCP1P{here_my_number_so_call_me_maybe}