Tags: beginner python rev xor reverse 


# Beginner Rev

Category: Rev

Files:
- BeginnerREV

## Description

To all the new CTFers who are starting to dip their toes in the wonderful world of cybersecurity, we wish you all the best in your CTF journey!

## Writeup
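Decompile the program with Dogbolt. The listing below is the Hex-Rays output it returned; only `main` and the `byte_402010` table matter for the challenge.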

/* This file was generated by the Hex-Rays decompiler version 8.3.0.230608.
Copyright (c) 2007-2021 Hex-Rays <info@hex-rays.com>

Detected compiler: GNU C++
*/

#include <defs.h>

//-------------------------------------------------------------------------
// Function declarations

// Prototypes recovered by the decompiler. In this listing only main() reads
// input or references byte_402010; the other routines are startup/teardown stubs.
__int64 (**init_proc())(void);
__int64 sub_401020(); // weak
// int puts(const char *s);
// size_t strlen(const char *s);
// int printf(const char *format, ...);
// __int64 __isoc99_scanf(const char *, ...); weak
// void __noreturn exit(int status);
void __fastcall __noreturn start(__int64 a1, __int64 a2, void (*a3)(void));
void dl_relocate_static_pie();
char *deregister_tm_clones();
__int64 register_tm_clones();
char *_do_global_dtors_aux();
__int64 frame_dummy();
int __fastcall main(int argc, const char **argv, const char **envp);
void _libc_csu_fini(void); // idb
void term_proc();
// int __fastcall _libc_start_main(int (__fastcall *main)(int, char **, char **), int argc, char **ubp_av, void (*init)(void), void (*fini)(void), void (*rtld_fini)(void), void *stack_end);
// __int64 _gmon_start__(void); weak

//-------------------------------------------------------------------------
// Data declarations

_UNKNOWN _libc_csu_init;
// 32-byte table that main() compares the input against: input[i] must equal
// byte_402010[i] ^ 0x41. Both the table and the constant sit in the binary,
// so the expected input can be recovered by static inspection alone.
char byte_402010[32] =
{
  '2',
  '6',
  ' ',
  ',',
  '1',
  '\x02',
  '\x15',
  '\a',
  ':',
  '\x19',
  'q',
  '\x13',
  '\x1E',
  '(',
  '/',
  '7',
  'q',
  '-',
  '4',
  '5',
  '(',
  'q',
  '/',
  '\x1E',
  '(',
  't',
  '\x1E',
  '\"',
  'q',
  'q',
  '-',
  '<'
}; // weak
// Function-pointer slots that _libc_csu_init() walks at startup.
__int64 (__fastcall *_frame_dummy_init_array_entry)() = &frame_dummy; // weak
__int64 (__fastcall *_do_global_dtors_aux_fini_array_entry)() = &_do_global_dtors_aux; // weak
__int64 (*qword_404010)(void) = NULL; // weak
char _bss_start; // weak

//----- (0000000000401000) ----------------------------------------------------
// Startup stub: calls _gmon_start__ only when that weak symbol has a non-null
// address, otherwise returns the (null) address itself. No challenge logic.
__int64 (**init_proc())(void)
{
  __int64 (**result)(void); // rax

  result = &_gmon_start__;
  if ( &_gmon_start__ )
    return (__int64 (**)(void))_gmon_start__();
  return result;
}
// 404090: using guessed type __int64 _gmon_start__(void);

//----- (0000000000401020) ----------------------------------------------------
// Calls through the pointer held in qword_404010 and returns its result.
// NOTE(review): presumably a PLT/lazy-binding stub; nothing here touches the flag.
__int64 sub_401020()
{
  return qword_404010();
}
// 401020: using guessed type __int64 sub_401020();
// 404010: using guessed type __int64 (*qword_404010)(void);

//----- (0000000000401080) ----------------------------------------------------
// positive sp value has been detected, the output may be wrong!
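// Process entry point as recovered by the decompiler: hands main() and the
// init/fini routines to _libc_start_main(), then halts. The decompiler itself
// warns that its stack tracking is off here (v4 is read from v5 before v5 is
// assigned, and v3 is possibly undefined), so treat the locals as artifacts.
// The final argument is written as `&v5);` so the call's parentheses balance.
void __fastcall __noreturn start(__int64 a1, __int64 a2, void (*a3)(void))
{
  __int64 v3; // rax
  int v4; // esi
  __int64 v5; // [rsp-8h] [rbp-8h] BYREF
  char *retaddr; // [rsp+0h] [rbp+0h] BYREF

  v4 = v5;
  v5 = v3;
  _libc_start_main(
    (int (__fastcall *)(int, char **, char **))main,
    v4,
    &retaddr,
    (void (*)(void))_libc_csu_init,
    _libc_csu_fini,
    a3,
    &v5);
  __halt();
}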
// 40108A: positive sp value 8 has been found
// 401091: variable 'v3' is possibly undefined

//----- (00000000004010B0) ----------------------------------------------------
// Empty in this build; startup stub with no effect.
void dl_relocate_static_pie()
{
  ;
}

//----- (00000000004010C0) ----------------------------------------------------
// As decompiled, only returns the address of _bss_start. Compiler-emitted
// stub; not part of the flag check.
char *deregister_tm_clones()
{
  return &_bss_start;
}
// 404050: using guessed type char _bss_start;

//----- (00000000004010F0) ----------------------------------------------------
// As decompiled, always returns 0. Compiler-emitted stub; not part of the flag check.
__int64 register_tm_clones()
{
  return 0LL;
}

//----- (0000000000401130) ----------------------------------------------------
// Run-once teardown stub: the first call invokes deregister_tm_clones() and
// sets _bss_start to 1 so later calls skip the work.
// NOTE(review): `result` is returned unassigned when _bss_start is already
// set; this looks like a decompiler artifact of whatever was left in rax.
char *_do_global_dtors_aux()
{
  char *result; // rax

  if ( !_bss_start )
  {
    result = deregister_tm_clones();
    _bss_start = 1;
  }
  return result;
}
// 404050: using guessed type char _bss_start;

//----- (0000000000401160) ----------------------------------------------------
// Forwards to register_tm_clones(); startup stub with no challenge logic.
__int64 frame_dummy()
{
  return register_tm_clones();
}

//----- (0000000000401170) ----------------------------------------------------
/*
 * Flag checker. Reads one whitespace-delimited token and accepts it only if it
 * is exactly 32 characters long and every character equals the matching byte
 * of byte_402010 XORed with 0x41.
 *
 * Why this is reversible: the table and the 0x41 constant are both stored in
 * the binary, and XOR with a fixed key is its own inverse, so XORing the table
 * with 0x41 yields the only accepted input. Fixed-key XOR hides a string from
 * a casual `strings` pass but does not protect it from static analysis.
 *
 * Both the failure path (exit(0)) and the success path (return 0) report exit
 * status 0, so only the printed message distinguishes them.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 i; // rax
  char v5[56]; // [rsp+0h] [rbp-38h] BYREF

  printf("Please enter the flag:");
  // The %33s width caps the read at 33 characters plus the terminator, which
  // fits inside the 56-byte buffer; a 33-character token then fails the
  // length test below.
  __isoc99_scanf("%33s", v5);
  if ( strlen(v5) != 32 )
  {
LABEL_6:
    // Shared rejection path for a wrong length and for any mismatching byte.
    puts("The flag entered is incorrect!");
    exit(0);
  }
  for ( i = 0LL; i != 32; ++i )
  {
    // Decode one table byte with the constant key and compare it to the input.
    if ( v5[i] != ((unsigned __int8)byte_402010[i] ^ 0x41) )
      goto LABEL_6;
  }
  puts("Congratulations! You found the flag!");
  return 0;
}
// 401060: using guessed type __int64 __isoc99_scanf(const char *, ...);
// 401170: using guessed type char var_38[56];

//----- (0000000000401200) ----------------------------------------------------
// Startup helper: runs init_proc(), then calls every function pointer stored
// between _frame_dummy_init_array_entry and _do_global_dtors_aux_fini_array_entry.
// The parameters a1..a3 are not used in the decompiled body.
void __fastcall _libc_csu_init(unsigned int a1, __int64 a2, __int64 a3)
{
  signed __int64 v3; // rbp
  __int64 i; // rbx

  init_proc();
  // Number of pointer-sized slots between the two array markers.
  v3 = &_do_global_dtors_aux_fini_array_entry - &_frame_dummy_init_array_entry;
  if ( v3 )
  {
    for ( i = 0LL; i != v3; ++i )
      (*(&_frame_dummy_init_array_entry + i))();
  }
}
// 403E10: using guessed type __int64 (__fastcall *_frame_dummy_init_array_entry)();
// 403E18: using guessed type __int64 (__fastcall *_do_global_dtors_aux_fini_array_entry)();

//----- (0000000000401270) ----------------------------------------------------
// Empty in this build; passed to _libc_start_main() by start() as the fini routine.
void _libc_csu_fini(void)
{
  ;
}

//----- (0000000000401278) ----------------------------------------------------
// Empty in this build; termination stub with no effect.
void term_proc()
{
  ;
}

// nfuncs=24 queued=12 decompiled=12 lumina nreq=0 worse=0 better=0
// ALL OK, 12 function(s) have been successfully decompiled

==========================================

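Inspect the data: `main` compares each input character with `byte_402010[i] ^ 0x41`, so XORing every byte of the table with `\x41` recovers the expected input. Copy the table and write a short program that does this for each character.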

// The 32 encoded bytes copied from the decompiled listing. Several entries are
// non-printable ('\x02', '\x15', '\a', '\x19', '\x13', '\x1E'), so carry them
// over as escapes rather than as pasted raw text.
char byte_402010[32] =
{
  '2',
  '6',
  ' ',
  ',',
  '1',
  '\x02',
  '\x15',
  '\a',
  ':',
  '\x19',
  'q',
  '\x13',
  '\x1E',
  '(',
  '/',
  '7',
  'q',
  '-',
  '4',
  '5',
  '(',
  'q',
  '/',
  '\x1E',
  '(',
  't',
  '\x1E',
  '\"',
  'q',
  'q',
  '-',
  '<'
};

==============================

program: xor.py

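def xor_string(input_string, key):
    """Return input_string with each character's code point XORed with key.

    XOR with a fixed key is its own inverse, so the same call both encodes
    and decodes.
    """
    return ''.join(chr(ord(char) ^ key) for char in input_string)


# The 32 entries of byte_402010, copied from the decompiled listing. Python
# interprets these escapes the same way C does (for example '\a' is 0x07).
characters = ['2', '6', ' ', ',', '1', '\x02', '\x15', '\a', ':', '\x19', 'q', '\x13', '\x1E', '(', '/', '7', 'q', '-', '4', '5', '(', 'q', '/', '\x1E', '(', 't', '\x1E', '\"', 'q', 'q', '-', '<']

# 0x41 is the constant main() XORs into each table byte before comparing.
xor_result = xor_string(''.join(characters), 0x41)

# repr() shows the control characters in the table as escapes instead of
# writing raw bytes taken from the analysed binary to the terminal.
print("Original Characters:", repr(''.join(characters)))
print("XOR Result:", xor_result)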

===================================

swampCTF{X0R_inv0luti0n_i5_c00l}

Original writeup (https://youtu.be/gY61LsR8_ag?si=lolADzvg_49gqhu0).