[](ctf=blaze-2018)
[](type=re)
[](tags=game)
[](techniques=bruteforce)

# smokemebaby (re-420)

```
get this files

solve at: smokeme.420blaze.in tcp 12345

author: vito

solves: ~30
```

This was a Rust-compiled binary. In main()->check(), there were 39 check_i functions, each verifying the i'th character against some equations.
If a check failed, check_i() returned i as the exit code, which made the binary perfect for brute force: iterate through the keyspace for one position until the exit code increases, then move on to the next position and repeat.

driver script

```python
# Python 2 driver: brute-forces one position at a time using the exit code.
import subprocess
import string

prev = ["A" for i in xrange(42)]

# Characters recovered so far can be pasted here to resume a run.
#flag = "on anntada ona? Somebnefbbeafd roia me a"
flag = ""
for i, j in enumerate(flag):
    prev[i] = j

for i in xrange(len(flag), 42):
    cnt = []
    for j in string.lowercase+string.digits+string.uppercase+" <>,.?/\"\':;{}[]\\~`!@#$%^&*()_+=-":
        prev[i] = j
        # The gdb helper runs the binary with stdin redirected from this file.
        with open("input", "w+") as f:
            f.write("".join(prev))
        d = subprocess.Popen("gdb -q -x ./plz.py ", shell=True, stdout=subprocess.PIPE).stdout.read().strip()
        try:
            # The helper prints the exit code wrapped in ":::::" markers.
            c = int(d.split(":::::")[1])
            # print c,
        except (IndexError, ValueError):
            c = -1
        cnt.append((c, j))
    print cnt
    # Keep the candidate that produced the highest exit code.
    best = sorted(cnt, key=lambda x: x[0], reverse=True)[0]
    prev[i] = best[1]
    print "".join(prev)

"""
echo -ne "on anntada ona? Somebnefbbeafd roia me a"| base64 |nc smokeme.420blaze.in 12345
send your solution as base64, followed by a newline
96667aaad70646abc06a8b44b1016e94e3897dd5a95dff21b6e7a9628a823d06
The flag is: blaze{a0ddb69ede14231576e7f0241623723385814f32}
"""
```

gdb helper (`plz.py`, the script the driver passes to `gdb -x`)

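```python
import gdb

# Load the challenge binary and run it with the candidate input on stdin.
gdb.execute('file ../96667aaad70646abc06a8b44b1016e94e3897dd5a95dff21b6e7a9628a823d06')
gdb.execute("set verbose off")
gdb.execute("run < input > output")
gdb.execute("set confirm off")
# $_exitcode holds the exit status of the process that just finished.
exit_code = int(gdb.parse_and_eval("$_exitcode").cast(gdb.lookup_type('uint32_t')))
# Wrap the value in markers so the driver can split it out of gdb's output.
print(":::::%d:::::" % exit_code)
gdb.execute('quit')
```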
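
Why the exit code makes this cheap, and what removes the oracle, as an added Python 3 example that is not part of the original writeup: `leaky_check` models the position-revealing exit code described above, `uniform_check` is a hardened variant with a single failure code. The alphabet, the secret and the 1-based index numbering are constructed assumptions, not values from the challenge.

```python
import string

# Constructed sample data: not the challenge's alphabet or expected input.
ALPHABET = string.ascii_letters + string.digits + " ?!_{}"
SECRET = "Constructed s3cret?"


def leaky_check(guess):
    """Model of the per-character checks: return the 1-based index of the
    first failing position as the exit code, 0 when every check passes.
    (1-based numbering is an assumption made for this model.)"""
    for i, ch in enumerate(SECRET):
        if i >= len(guess) or guess[i] != ch:
            return i + 1
    return 0


def uniform_check(guess):
    """Hardened variant: evaluate every position, report one failure code."""
    diff = len(guess) ^ len(SECRET)
    for a, b in zip(guess.ljust(len(SECRET), "\0"), SECRET):
        diff |= ord(a) ^ ord(b)
    return 0 if diff == 0 else 1


def recover(check, length):
    """Position-by-position search: keep the character that pushes the
    failure index furthest. Returns (best guess, number of check calls)."""
    guess, calls = ["A"] * length, 0
    for i in range(length):
        scores = []
        for ch in ALPHABET:
            guess[i] = ch
            code = check("".join(guess))
            calls += 1
            # Exit code 0 means all checks passed; rank it above any index.
            scores.append((length + 1 if code == 0 else code, ch))
        guess[i] = max(scores)[1]
    return "".join(guess), calls


if __name__ == "__main__":
    n = len(SECRET)
    print("leaky  :", recover(leaky_check, n))
    print("uniform:", recover(uniform_check, n))
    print("blind search space: %d^%d" % (len(ALPHABET), n))
```

With the leaky checker the search needs only alphabet size times length calls; with the uniform failure code every candidate scores the same and the same search recovers nothing.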

Original writeup (https://github.com/ByteBandits/writeups/tree/master/blaze-ctf-2018/re/smokemebaby/sudhackar).