This challenge involves reverse engineering a binary to determine the required input that produces the desired output. The solution involves XOR operations and understanding the binary’s constants and register values.
Solution
The following Python script demonstrates the solution:
import struct

# Constants from the binary (four 64-bit little-endian qwords, 32 bytes total)
constant = [
    0x2a8c7f3acdf36ffb,  # First 8 bytes of the constant
    0x8cc2eef32660caaa,  # Next 8 bytes
    0xefa1fd61d7a3b592,  # Next 8 bytes
    0xa9ddc2d22a90025e,  # Last 8 bytes
]

# YMM7 register values from GDB (converted to 4x 64-bit integers)
ymm7 = [
    0x1eca2043bfc01980,
    0xd386a3ba753fbe9f,
    0x87d5cc1688d185ea,
    0xd4aebbb741cf3001,
]

def qwords_to_bytes(qwords):
    # Pack each qword little-endian so the byte order matches memory
    return b''.join(struct.pack('<Q', q) for q in qwords)

constant_bytes = qwords_to_bytes(constant)
ymm7_bytes = qwords_to_bytes(ymm7)

# XOR the constant against the YMM7 contents byte by byte to recover
# the 32 input bytes the binary expects
required_input = bytes(a ^ b for a, b in zip(constant_bytes, ymm7_bytes))
flag = b"gigem" + required_input
print("Raw bytes:", flag)

# Try to decode as ASCII (some bytes may not be printable)
try:
    print("ASCII:", flag.decode('ascii'))
except UnicodeDecodeError:
    print("Contains non-ASCII bytes")
Malakar has ensnared you with a dark spell, banishing you to the depths of the Nether world. Escape hinges on recalling the ancient enchantments of your forefathers. Wield their arcane power to shatter the Aether gateways and reclaim your freedom. Only the correct incantation—32 bytes of mystical precision—will unlock the path back to the mortal realm. Can you decipher the spell and blast through the barriers of this infernal trap?
The challenge presents a seemingly simple ncurses-based program where the player navigates through a maze-like interface. The goal is to uncover a hidden flag by understanding the program’s intricate mechanics.
Key Observations
The program uses the ncurses library for terminal-based interaction
Allows movement using arrow keys
Displays terminal dimensions
Contains a specific hidden mechanism that triggers only when the terminal is exactly 13x37
Reverse Engineering Approach
Code Breakdown
The main function reveals several interesting characteristics:
Writeup: Solving the Reverse Engineering Challenge
This writeup details the process of solving a reverse engineering challenge involving an ELF64 x86-64 binary named chall. The goal is to determine the correct input string that, when provided to the program via ./chall, results in the output:
Congratss!! you can now submit the flag
Through disassembly, analysis of the .rodata section, and reverse engineering, we derive the 40-character flag: nexus{vm_revers1ng_1s_f45c1n4t1ng_4nd_3xtremely_p41nful}.
This writeup details the process of solving a Capture The Flag (CTF) challenge that involves reverse-engineering a virtual machine (VM) implemented in C. The VM reads instructions from a binary file (code.bin), processes an input flag, and outputs “Correct!” if the flag is valid. The goal is to determine the correct flag by analyzing the VM’s behavior and extracting the necessary computations from code.bin.
This challenge involves reverse-engineering a C++ program to uncover a hidden flag in the format nexus{...}, commonly used in Capture The Flag (CTF) competitions. The program performs a series of bitwise transformations and XOR operations on provided byte arrays (fakeflag, key, affus, and key2) and attempts to read a file whose name and contents are derived from these arrays. A provided Python script replicates the necessary transformations to compute the flag directly.
The provided Python script, patch_pong.py, modifies the MS-DOS COM executable pong.com to reveal a hidden flag in a Capture The Flag (CTF) challenge. The script applies two byte patches to ensure the program jumps directly to the flag-displaying routine and exits cleanly, displaying the flag when run in DOSBox. This writeup explains the problem, the script’s functionality, and its effect.
Problem Context
The pong.com binary is a DOS-based game (likely Pong) containing a hidden flag. The flag is displayed when the game state byte at memory address 0x086B (referred to as byte_1086B, file offset 0x086B - 0x0100 = 0x076B) is set to 0x03. This triggers a routine at 0x0796 that prints:
This writeup details the steps to reverse engineer and analyze the binary rustySteps. The challenge has 7 solves and is tagged as “easy”. The flag is nexus{RusT_R3v_15_Fun_Right}.
Step 1: Identifying UPX Packing
After running the strings command on the binary, we observe indications of UPX packing:
To unpack the binary, we use the following command:
upx -d rustySteps
Step 2: Analyzing with strings Again
After unpacking, running strings again reveals more interesting strings. This gives us clues for further analysis.
Upon analyzing the provided files, we observed the following directory structure:
➜ solver ls
decrypted.png enc main reconstructed_data.txt sol.py
The main objective is to decrypt the file enc to retrieve an image. By inspecting main, we determined that it applies a Fourier transformation, meaning the encryption likely involves transforming the image into the frequency domain.