Ctfs on

Emulator

Mon, 28 Jul 2025 19:41:23 +0100

WorldWideCTF 2025: rev/Emulator

Team: TroJeun

Challenge Details:

Points: 500
Category: Mobile
Author: em07robot

Description

“Inside an emulator, reality bends—only shadows find the hidden truth.”

We are provided with a large zstd-compressed file:

└─$ zstd -d chall_dist.zst 
chall_dist.zst : 10778972160 bytes

Initial Analysis

After decompression, we get an Android Virtual Device (AVD) directory structure:

└─$ tar -tvf chall_dist
drwxrwxr-x em07robot/em07robot 0 2025-07-10 17:16 chall.avd/
-rw-r--r-- em07robot/em07robot 69206016 2025-07-10 17:16 chall.avd/cache.img
-rw-r--r-- em07robot/em07robot 1966149 2025-07-10 17:16 chall.avd/encryptionkey.img.qcow2
-rw------- em07robot/em07robot 0 2025-07-10 17:16 chall.avd/bootcompleted.ini
-rw-rw-r-- em07robot/em07robot 1245 2025-07-10 17:16 chall.avd/config.ini
-rw-rw-r-- em07robot/em07robot 18 2025-07-10 17:16 chall.avd/quickbootChoice.ini
-rw-rw-r-- em07robot/em07robot 4227 2025-07-10 17:16 chall.avd/hardware-qemu.ini
drwxr--r-- em07robot/em07robot 0 2025-07-10 17:16 chall.avd/snapshots/
<..SNIP..>
-rw-rw-r-- em07robot/em07robot 116 2025-07-10 17:16 chall.ini
-rw-rw-r-- em07robot/em07robot 939493689 2025-07-10 17:10 chall.zst.bk
-rw-rw-r-- em07robot/em07robot 76 2025-07-10 17:13 chal

This appears to be an Android emulator reverse engineering challenge. The first step is to set up and run the emulator using the Android Command Line Tools.

Nim Yong Un

Sun, 27 Jul 2025 19:41:23 +0100

WorldWideCTF 2025: rev/Nim Yong Un

Challenge Description

Our agents captured some North Korean military software. Your task: find the correct launch code!

Approach & Solution

What We’re Dealing With

I got my hands on this Windows PE binary that was asking for a 42-character flag. Right off the bat, I could tell this wasn’t going to be your typical reverse engineering challenge when I threw some random input at it.

bilingual

Mon, 21 Jul 2025 19:41:23 +0100

DownUnderCTF 2025: rev/bilingual

Challenge Description

Two languages are better than one!

Regards, FozzieBear (cybears)

Approach & Solution

We are given this script bilingual.py:

DATA = "eNrtfQt8k0XW96RNei8p0mBBxIDBFhAoTXUrpZp........."
import argparse, base64, ctypes, zlib, pathlib, sys
PASSWORD = "cheese"
FLAG = "jqsD0um75+TyJR3z0GbHwBQ+PLIdSJ+rojVscEL4IYkCOZ6+a5H1duhcq+Ub9Oa+ZWKuL703"
KEY = "68592cb91784620be98eca41f825260c"
HELPER = None

def decrypt_flag(password):
 A = "utf-8"
 flag = bytearray(base64.b64decode(FLAG))
 buffer = (ctypes.c_byte * len(flag)).from_buffer(flag)
 key = ctypes.create_string_buffer(password.encode(A))
 result = get_helper().Decrypt(key, len(key) - 1, buffer, len(buffer))
 return flag.decode(A)

def get_helper():
 global HELPER
 if HELPER:
 return HELPER
 data = globals().get("DATA")
 if data:
 dll_path = pathlib.Path(__file__).parent / "hello.bin"
 if not dll_path.is_file():
 with open(dll_path, "wb") as dll_file:
 dll_file.write(zlib.decompress(base64.b64decode(data)))
 HELPER = ctypes.cdll.LoadLibrary(dll_path)
 else:
 0
 return HELPER

def check_three(password):
 return check_ex(password, "Check3")

def check_four(password):
 return check_ex(password, "Check4")

def check_ex(password, func):
 GetIntCallbackFn = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_wchar_p)
 class CallbackTable(ctypes.Structure):
 _fields_ = [("E", GetIntCallbackFn)]
 @GetIntCallbackFn
 def eval_int(v):
 return int(eval(v))
 table = CallbackTable(E=eval_int)
 helper = get_helper()
 helper[func].argtypes = [ctypes.POINTER(CallbackTable)]
 helper[func].restype = ctypes.c_int
 return helper[func](ctypes.byref(table))

def check_two(password):
 @ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int)
 def callback(i):
 return ord(password[i - 3]) + 3
 return get_helper().Check2(callback)

def check_one(password):
 if len(password) != 12:
 return False
 return get_helper().Check1(password) != 0

def check_password(password):
 global PASSWORD
 PASSWORD = password
 checks = [check_one, check_two, check_three, check_four]
 result = True
 for check in checks:
 result = result and check(password)
 return result

def main():
 parser = argparse.ArgumentParser(description="CTF Challenge")
 parser.add_argument("password", help="Enter the password")
 args = parser.parse_args()
 if check_password(args.password):
 flag = decrypt_flag(args.password)
 print("Correct! The flag is DUCTF{%s}" % flag)
 return 0
 else:
 print("That is not correct")
 return 1

if __name__ == "__main__":
 sys.exit(main())

When running this on Linux, I encountered an error due to an invalid ELF header. This suggests that hello.bin is not a native Linux binary, but rather a Windows DLL or some other non-ELF format. The script attempts to load it using ctypes.cdll.LoadLibrary, which confirms it’s expecting a shared library (DLL) to call functions . This behavior is evident in the get_helper function.

Neon_Deceit

Sun, 06 Jul 2025 22:29:05 +0100

Neon Deceit

15 solves | Reverse

Challenge Description

In the neon-lit underbelly of the city, even your tools are programmed to betray you. Trust nothing… the lies are embedded in the code.

Initial Analysis

Starting with the binary from R3CTF, I ran it to see what happens:

➜ neon_deceit ./neon_deceit 
hello world
➜ neon_deceit

That’s weird—a simple “hello world” program that’s 400 KB? Something’s definitely not right here.

➜ neon_deceit ls -l neon_deceit
-rwxrwxrwx 1 user user 407640 Jul 4 15:40 neon_deceit
➜ neon_deceit

A basic hello world program shouldn’t be nearly half a megabyte. Time to dig into the decompilation and see what’s really going on.

Dna

Thu, 19 Jun 2025 19:41:23 +0100

smileyCTF2025 :

rev/DNA

Description

deoxy ribo nucleic acid deoxy meaning without oxygen ribo meaning the 5-carbon sugar backbone nucleic meaning of the nucleus acid meaning proton donor

Solution

Initial Recon

We start by looking at the challenge directory:

➜ dna ls
main.cpython-310.pyc vm.dna

We can see that this is a virtual machine challenge, and the Python code has been compiled with Python 3.10 into a .pyc file ,Before diving into the challenge, let’s take a moment to understand what a virtual machine (VM) is.

brainrot

Tue, 17 Jun 2025 22:29:05 +0100

tamu2025 - rev Challenge: brainrot

Description

This challenge involves reverse engineering a custom “brain” simulation to extract a flag. The brain operates on a set of neurons and performs transformations using a combination of hashing, rotation, and matrix operations. The goal is to deduce the input that produces the required outputs.

Solution

The solution involves implementing the brain simulation in Python and using the Z3 solver to reverse the transformations. Below is the code and explanation:

otp

Tue, 17 Jun 2025 22:29:05 +0100

tamu2025 - rev Challenge: otp

Description

This challenge involves reverse engineering and cryptographic analysis to extract keys and decrypt an encrypted flag. The solution uses GDB scripting to automate the extraction of keys from memory frames and applies XOR decryption to retrieve the original flag.

Solution

GDB Script: ExtractKeys

The following GDB script automates the extraction of keys from memory frames:

import gdb
import re

class ExtractKeys(gdb.Command):
 def __init__(self):
 super(ExtractKeys, self).__init__("extract_keys", gdb.COMMAND_USER)

 def parse_gdb_line(self, line):
 """
 Extracts byte values from a single line of GDB output.
 Example input: "0x7ffe603d0100: 0x45 0x65 0x41 0x15 0x57 0xc0 0xdb 0xda"
 Returns: ["45", "65", "41", "15", "57", "c0", "db", "da"]
 """
 match = re.search(r":\s+((?:0x[0-9a-f]{2}\s*)+)", line)
 if match:
 return re.findall(r"0x([0-9a-f]{2})", match.group(1))
 return []

 def parse_gdb_output(self, gdb_output):
 """
 Parses the entire GDB output to extract key bytes.
 Returns a single hex string.
 """
 key_bytes = []
 for line in gdb_output.split("\n"):
 key_bytes.extend(self.parse_gdb_line(line))
 return "".join(key_bytes)

 def invoke(self, arg, from_tty):
 start_frame, end_frame = 4, 1003
 with open("keys.txt", "w") as key_file:
 for frame_id in range(start_frame, end_frame + 1):
 try:
 gdb.execute(f"frame {frame_id}", to_string=True)
 key_output = gdb.execute(f"x/59bx key", to_string=True)
 key_hex_string = self.parse_gdb_output(key_output)
 if key_hex_string:
 key_file.write(key_hex_string + "\n")
 except gdb.error:
 print(f"[-] Skipping frame {frame_id} (No key found)")
 continue
 print("[✔] All keys extracted to keys.txt")

ExtractKeys()

Decryption Process

The decryption process involves loading the encrypted flag and the extracted keys, then applying XOR decryption in reverse order:

xorox

Tue, 17 Jun 2025 22:29:05 +0100

tamu2025 - rev Challenge: xorox

Description

This challenge involves reverse engineering a binary to determine the required input that produces the desired output. The solution involves XOR operations and understanding the binary’s constants and register values.

Solution

The following Python script demonstrates the solution:

import struct

# Constants from the binary
constant = [
 0x2a8c7f3acdf36ffb, # First 8 bytes of the constant
 0x8cc2eef32660caaa, # Next 8 bytes
 0xefa1fd61d7a3b592, # Next 8 bytes
 0xa9ddc2d22a90025e # Last 8 bytes
]

# YMM7 register values from GDB (converted to 4x 64-bit integers)
ymm7 = [
 0x1eca2043bfc01980,
 0xd386a3ba753fbe9f,
 0x87d5cc1688d185ea,
 0xd4aebbb741cf3001
]

def qwords_to_bytes(qwords):
 return b''.join(struct.pack('<Q', q) for q in qwords)

constant_bytes = qwords_to_bytes(constant)
ymm7_bytes = qwords_to_bytes(ymm7)

required_input = bytes(a ^ b for a, b in zip(constant_bytes, ymm7_bytes))

flag = b"gigem" + required_input

print("Raw bytes:", flag)

# Try to decode as ASCII (some bytes may not be printable)
try:
 print("ASCII:", flag.decode('ascii'))
except UnicodeDecodeError:
 print("Contains non-ASCII bytes")

Flag

The flag for this challenge is:

Rev/gateway

Tue, 17 Jun 2025 19:41:23 +0100

FIRST CHALLENGE: Gateway

Challenge Description

Malakar has ensnared you with a dark spell, banishing you to the depths of the Nether world. Escape hinges on recalling the ancient enchantments of your forefathers. Wield their arcane power to shatter the Aether gateways and reclaim your freedom. Only the correct incantation—32 bytes of mystical precision—will unlock the path back to the mortal realm. Can you decipher the spell and blast through the barriers of this infernal trap?

Rev/imagepro

Tue, 17 Jun 2025 19:41:23 +0100

Impossimaze Writeup

Challenge Overview

Name: Impossimaze
Difficulty: Medium
Category: Reverse Engineering / Exploitation

Initial Analysis

Challenge Description

The challenge presents a seemingly simple ncurses-based program where the player navigates through a maze-like interface. The goal is to uncover a hidden flag by understanding the program’s intricate mechanics.

Key Observations

The program uses ncurses library for terminal-based interaction
Allows movement using arrow keys
Displays terminal dimensions
Contains a specific hidden mechanism when terminal is exactly 13x37

Reverse Engineering Approach

Code Breakdown

The main function reveals several interesting characteristics:

Rev/crackme

Sat, 10 May 2025 19:41:23 +0100

Writeup: Solving the Reverse Engineering Challenge

This writeup details the process of solving a reverse engineering challenge involving an ELF64 x86-64 binary named chall. The goal is to determine the correct input string that, when provided to the program via ./chall, results in the output:

Congratss!! you can now submit the flag

Through disassembly, analysis of the .rodata section, and reverse engineering, we derive the 40-character flag: nexus{vm_revers1ng_1s_f45c1n4t1ng_4nd_3xtremely_p41nful}.

Challenge Overview

Binary: chall, an ELF64 x86-64 executable.

Rev/crackmev2

Sat, 10 May 2025 19:41:23 +0100

CTF Writeup: Virtual Machine Flag Extraction

This writeup details the process of solving a Capture The Flag (CTF) challenge that involves reverse-engineering a virtual machine (VM) implemented in C. The VM reads instructions from a binary file (code.bin), processes an input flag, and outputs “Correct!” if the flag is valid. The goal is to determine the correct flag by analyzing the VM’s behavior and extracting the necessary computations from code.bin.

Rev/nativi

Sat, 10 May 2025 19:41:23 +0100

CTF Challenge Writeup: NATIVI

Challenge Overview

This challenge involves reverse-engineering a C++ program to uncover a hidden flag in the format nexus{...}, commonly used in Capture The Flag (CTF) competitions. The program performs a series of bitwise transformations and XOR operations on provided byte arrays (fakeflag, key, affus, and key2) and attempts to read a file whose name and contents are derived from these arrays. A provided Python script replicates the necessary transformations to compute the flag directly.

Rev/pong.com

Sat, 10 May 2025 19:41:23 +0100

Writeup: Patching `pong.com` with Python Script

Overview

The provided Python script, patch_pong.py, modifies the MS-DOS COM executable pong.com to reveal a hidden flag in a Capture The Flag (CTF) challenge. The script applies two byte patches to ensure the program jumps directly to the flag-displaying routine and exits cleanly, displaying the flag when run in DOSBox. This writeup explains the problem, the script’s functionality, and its effect.

Problem Context

The pong.com binary is a DOS-based game (likely Pong) containing a hidden flag. The flag is displayed when the game state byte at memory address 0x086B (referred to as byte_1086B, file offset 0x086B - 0x0100 = 0x076B) is set to 0x03. This triggers a routine at 0x0796 that prints:

Rev/rusty

Sat, 10 May 2025 19:41:23 +0100

Rusty Steps Writeup

Overview

This writeup details the steps to reverse engineer and analyze the binary rustySteps. The challenge has 7 solves and is tagged as “easy”. The flag is nexus{RusT_R3v_15_Fun_Right}.

Step 1: Identifying UPX Packing

After running the strings command on the binary, we observe indications of UPX packing:

To unpack the binary, we use the following command:

upx -d rustySteps

Step 2: Analyzing with `strings` Again

After unpacking, running strings again reveals more interesting strings. This gives us clues for further analysis.

Printer

Sun, 23 Feb 2025 22:24:57 +0100

IngeHack2k25 - reverse/mjsc Write-up

Challenge Overview

Challenge Name: reverse/printer
Category: Reverse Engineering
Event: IngeHack 2k25
Difficulty: Medium
Flag: ingehack{...}

Fourier Transformation-Based Image Decryption

Challenge Analysis

Upon analyzing the provided files, we observed the following directory structure:

➜ solver ls 
decrypted.png enc main reconstructed_data.txt sol.py

The main objective is to decrypt the file enc to retrieve an image. By inspecting main, we determined that it applies a Fourier transformation, meaning the encryption likely involves transforming the image into the frequency domain.

Mjsc

Sun, 23 Feb 2025 22:24:52 +0100

ingehack2k25 - reverse/mjsc

MJSC CTF Challenge Write-up

Challenge: reverse/mjsc
Event: IngeHack 2k25
Author: 4ymen
Points: 469
Solves: 4
Difficulty: Medium
Original Challenge Author: itskarudo

Challenge Information

Category: Reverse Engineering
Type: Web/JavaScript
Flag: ingehack{i_hate_js_rev_chals_they_never_have_a_new_idea}

Initial Analysis

The challenge presented us with a web application that needed to be analyzed. The initial reconnaissance showed:

Web interface requiring input validation
Heavy use of JavaScript for validation
Obfuscated code to hide the validation logic

Technical Environment

Platform: Web
Primary Language: JavaScript
Key Components:
 - React Application
 - Obfuscated JavaScript
 - Client-side validation

Investigation Process

Source Code Retrieval

Dados

Sun, 23 Feb 2025 22:24:46 +0100

ingehack2k25 - reverse/dados

Write-Up Author : 4ymen
Flag: ingehack{security_by_obscurity}

Challenge Description:

infinite luck in exchange for a flag

dados.apk

title: "Reverse Engineering Challenge "
difficulty: Easy
category: Reverse Engineering
platform: Android
tools: ["apktool", "smali", "Frida", "adb"]
author : "godsword"
date: "2025-02-23"
tags: ["Reverse Engineering", "Android", "Frida", "Smali", "CTF"]
---

Write up

Step 1: Identifying the Main Activity

After decompiling dados.apk, I checked AndroidManifest.xml to find the app’s entry point. The <activity> tag with <intent-filter> containing android.intent.action.MAIN and android.intent.category.LAUNCHER revealed that the main activity is:

Mon, 01 Jan 0001 00:00:00 +0000

smileyCTF2025 :

rev/DNA

Flag : .;,;.{we_ought_to_start_storing_our_data_as_dna_instead}

Description

deoxy ribo nucleic acid deoxy meaning without oxygen ribo meaning the 5-carbon sugar backbone nucleic meaning of the nucleus acid meaning proton donor

Solution

Initial Recon

We start by looking at the challenge directory:

➜ dna ls
main.cpython-310.pyc vm.dna
➜ dna

Ctfs on

Emulator

WorldWideCTF 2025: rev/Emulator

Team: TroJeun

Description

Initial Analysis

Nim Yong Un

WorldWideCTF 2025: rev/Nim Yong Un

Challenge Description

Approach & Solution

What We’re Dealing With

bilingual

DownUnderCTF 2025: rev/bilingual

Challenge Description

Approach & Solution

Neon_Deceit

Neon Deceit

Challenge Description

Initial Analysis

Dna

smileyCTF2025 :

rev/DNA

Description

Solution

Initial Recon

brainrot

tamu2025 - rev Challenge: brainrot

Description

Solution

otp

tamu2025 - rev Challenge: otp

Description

Solution

GDB Script: ExtractKeys

Decryption Process

xorox

tamu2025 - rev Challenge: xorox

Description

Solution

Flag

Rev/gateway

FIRST CHALLENGE: Gateway

Challenge Description

Rev/imagepro

Impossimaze Writeup

Challenge Overview

Initial Analysis

Challenge Description

Key Observations

Reverse Engineering Approach

Code Breakdown

Rev/crackme

Writeup: Solving the Reverse Engineering Challenge

Challenge Overview

Rev/crackmev2

CTF Writeup: Virtual Machine Flag Extraction

Rev/nativi

CTF Challenge Writeup: NATIVI

Challenge Overview

Rev/pong.com

Writeup: Patching pong.com with Python Script

Overview

Problem Context

Rev/rusty

Rusty Steps Writeup

Overview

Step 1: Identifying UPX Packing

Step 2: Analyzing with strings Again

Printer

IngeHack2k25 - reverse/mjsc Write-up

Challenge Overview

Fourier Transformation-Based Image Decryption

Challenge Analysis

Mjsc

ingehack2k25 - reverse/mjsc

MJSC CTF Challenge Write-up

Challenge Information

Initial Analysis

Technical Environment

Investigation Process

Writeup: Patching `pong.com` with Python Script

Step 2: Analyzing with `strings` Again