Skip to main content

Phase 2 (50 pts)

Phase 1 was easy...? Let's try to crack phase 2 as well!

Problem Statement#

Can you help me find my lost key so I can read my string?
Author: treap_treap

Solution#

Once again, we can look into Ghidra to see what's going on.

Ghidra#

phase2(undefined8 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,      undefined4 param_5,undefined4 param_6,undefined4 param_7,undefined4 param_8,char *param_9)
{  char *__s;  size_t strLen;  undefined8 in_R8;  undefined8 in_R9;  undefined4 extraout_XMM0_Da;  undefined in_stack_ffffffffffffffb8;  undefined4 result;  int counter;
  puts("\nCan you help me find my lost key so I can read my string?");  result = 1;  __s = (char *)calloc(0x29,1);  getInput(extraout_XMM0_Da,param_2,param_3,param_4,param_5,param_6,param_7,param_8,2,param_9,           &DAT_001028d1,__s,in_R8,in_R9,in_stack_ffffffffffffffb8);  counter = 0;  while( true ) {    strLen = strlen("Dk52m6WZw@s6w0dIZh@2m5a");    if (strLen <= (ulong)(long)counter) break;    strLen = strlen(__s);    if (strLen <= (ulong)(long)counter) break;    if ("Dk52m6WZw@s6w0dIZh@2m5a"[counter] != (byte)(__s[counter] ^ 5U)) {      result = 0;    }    counter = counter + 1;  }  strLen = strlen("Dk52m6WZw@s6w0dIZh@2m5a");  if ((long)counter != strLen) {    result = 0;  }  free(__s);  return result;}

Making Sense#

After some cleaning up, it is pretty straightforward that there is a for-loop which will loop from an index of 0 to (length of target string) - 1.

For every character (remember, there are no strings in C, only character arrays), the program will check that the input XOR 5 will equals to the corrosponding character in the target string.

Solving it#

Similarly, we can quickly obtain the solution using CyberChef to get the flag!

Flag#

DawgCTF{An07h3R_rEv3r5aL_mE7h0d}