
# Angstrom CTF : Rev3

**Category:** Reverse Engineering
**Points:** 110

> Let's try Rev 3! For this executable, you will need to figure out what input makes the program return "Correct". You don't need the shell server for this one, but the binary can be found at /problems/rev3/ on the shell server.
>
>
> HINTS
>
> Use a disassembler or decompiler, then try and figure out how the program is checking your input.

## Write-up
First, we run the binary through the free decompiler at https://retdec.com:
```
//
// This file was generated by the Retargetable Decompiler
// Website: https://retdec.com
// Copyright (c) 2018 Retargetable Decompiler <[email protected]>
//

#include <stdint.h>
#include <stdio.h>
#include <string.h>

// ------------------- Function Prototypes --------------------

int32_t encode(char * str, int32_t a2);

// ------------------------ Functions -------------------------

// Address range: 0x80484cb - 0x8048514
int32_t encode(char * str, int32_t a2) {
    int32_t len = strlen(str); // 0x80484d7
    // branch -> 0x80484eb
    for (int32_t i = 0; i < len; i++) {
        char v1 = *(char *)(i + (int32_t)str); // 0x80484fb
        *(char *)(i + a2) = (v1 ^ 9) - 3;
        // continue -> 0x80484eb
    }
    // 0x8048512
    return len;
}

// Address range: 0x8048515 - 0x804862f
int main(int argc, char ** argv) {
    // 0x8048515
    int32_t v1;
    char * str2 = (char *)v1; // bp-64
    int32_t v2 = *(int32_t *)20; // 0x8048530
    if (argc != 2) {
        // 0x8048544
        str2 = "Usage: ./rev1 <inputString>";
        puts("Usage: ./rev1 <inputString>");
        // branch -> 0x804860d
        // 0x804860d
        if (*(int32_t *)20 != v2) {
            // 0x804861b
            __stack_chk_fail();
            // branch -> 0x8048620
        }
        // 0x8048620
        return 0;
    }
    int32_t * v3 = (int32_t *)((int32_t)argv + 4); // 0x8048564_0
    char * str = (char *)*v3;
    str2 = str;
    strlen(str);
    encode((char *)*v3, (int32_t)&str2);
    strlen((char *)&str2);
    if (strcmp((char *)&str2, "egzloxi|ixw]dkSe]dzSzccShejSi^3q") == 0) {
        // 0x80485e6
        puts("Congrats, that's right! Enter your input as the flag!");
        // branch -> 0x804860d
    } else {
        // 0x80485f8
        puts("Oops, that wasn't right. Please try again!");
        // branch -> 0x804860d
    }
    // 0x804860d
    if (*(int32_t *)20 != v2) {
        // 0x804861b
        __stack_chk_fail();
        // branch -> 0x8048620
    }
    // 0x8048620
    return 0;
}
```

The function `encode` is interesting, specifically this part:
```
char v1 = *(char *)(i + (int32_t)str); // 0x80484fb
*(char *)(i + a2) = (v1 ^ 9) - 3;
```
The binary also contains the string that the encoded input is compared against:
```
egzloxi|ixw]dkSe]dzSzccShejSi^3q
```

A simple script I wrote reverses the string back into the flag:
```
string = "egzloxi|ixw]dkSe]dzSzccShejSi^3q"

# Get the ASCII value of each character
dec = [ord(i) for i in string]
flag = ""

# Reverse the encoding function: add 3, then XOR with 9
for a in dec:
    d = a + 3
    flag += chr(d ^ 9)

# Print the flag
print(flag)
```

Running the script we get the flag: actf{reversing_aint_too_bad_eh?}
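
The same inversion with a round-trip check, as an added example that is not part of the original write-up: it models the decompiled `encode` on raw bytes with C-style 8-bit wraparound, inverts it, and confirms that the decoded input re-encodes to the hard-coded string. The function names are chosen here for illustration.

```python
# Added example: model the decompiled encode() and its inverse on raw bytes.
TARGET = b"egzloxi|ixw]dkSe]dzSzccShejSi^3q"  # strcmp() constant from main()


def encode_byte(b: int) -> int:
    """(v1 ^ 9) - 3, truncated to 8 bits as a C char store would be."""
    return ((b ^ 9) - 3) & 0xFF


def decode_byte(b: int) -> int:
    """Inverse: undo the subtraction first, then the XOR."""
    return ((b + 3) & 0xFF) ^ 9


def encode(data: bytes) -> bytes:
    return bytes(encode_byte(b) for b in data)


def decode(data: bytes) -> bytes:
    return bytes(decode_byte(b) for b in data)


def is_bijection() -> bool:
    """True if every one of the 256 byte values has exactly one preimage."""
    return len({encode_byte(b) for b in range(256)}) == 256


def solve(target: bytes = TARGET) -> bytes:
    candidate = decode(target)
    # Re-run the forward transform: the binary accepts the input only if
    # encode(input) equals the hard-coded constant.
    if encode(candidate) != target:
        raise ValueError("decoded input does not re-encode to the target")
    return candidate


if __name__ == "__main__":
    print("bijective over all bytes:", is_bijection())
    print(solve().decode("ascii"))
```

Because the per-byte transform is a bijection, the decoded string is the only input of that length that the comparison accepts.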

Original writeup (https://github.com/DyllonsHub/AngstromCTF/blob/master/Rev3.md).