Phase 2 (50 pts)

Phase 1 was easy...? Let's try to crack phase 2 as well!

Problem Statement

Can you help me find my lost key so I can read my string?

Author: treap_treap

Solution

Once again, we can look into Ghidra to see what's going on.

Ghidra

phase2(undefined8 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,
       undefined4 param_5,undefined4 param_6,undefined4 param_7,undefined4 param_8,char *param_9)

{
  char *__s;
  size_t strLen;
  undefined8 in_R8;
  undefined8 in_R9;
  undefined4 extraout_XMM0_Da;
  undefined in_stack_ffffffffffffffb8;
  undefined4 result;
  int counter;

  puts("\nCan you help me find my lost key so I can read my string?");
  result = 1;
  __s = (char *)calloc(0x29,1);
  getInput(extraout_XMM0_Da,param_2,param_3,param_4,param_5,param_6,param_7,param_8,2,param_9,
           &DAT_001028d1,__s,in_R8,in_R9,in_stack_ffffffffffffffb8);
  counter = 0;
  while( true ) {
    strLen = strlen("[email protected]@2m5a");
    if (strLen <= (ulong)(long)counter) break;
    strLen = strlen(__s);
    if (strLen <= (ulong)(long)counter) break;
    if ("[email protected]@2m5a"[counter] != (byte)(__s[counter] ^ 5U)) {
      result = 0;
    }
    counter = counter + 1;
  }
  strLen = strlen("[email protected]@2m5a");
  if ((long)counter != strLen) {
    result = 0;
  }
  free(__s);
  return result;
}

Making Sense

After some cleaning up, it is clear that there is a for-loop that runs from index 0 to (length of target string) - 1.

For every character (remember, there are no strings in C, only character arrays), the program checks that the input character XOR 5 equals the corresponding character in the target string.

Solving it

Similarly, we can quickly obtain the solution using CyberChef to get the flag!
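The same recovery in Python, as an added example that is not part of the original writeup: it models the decompiled loop and the final length test, then inverts the XOR. It assumes the key is the text inside the braces of the flag given on this page, and rebuilds the target from it because the string literal is garbled in the listing; the names `xor5`, `phase2_check` and `recover_key` are made up for this sketch. It also goes one step past the text by showing which inputs the length test rejects and which it lets through.

```python
KEY = 5  # XOR constant from the decompiled comparison: __s[counter] ^ 5U


def xor5(data: bytes) -> bytes:
    """XOR every byte with 5; applying it twice gives back the original."""
    return bytes(b ^ KEY for b in data)


def phase2_check(user_input: bytes, target: bytes) -> int:
    """Model of the decompiled phase2 loop plus its final length test."""
    result = 1
    counter = 0
    # The loop ends at the end of whichever buffer is shorter.
    while counter < len(target) and counter < len(user_input):
        if target[counter] != user_input[counter] ^ KEY:
            result = 0
        counter += 1
    # This only trips when the input was shorter than the target,
    # so bytes past the end of the target are never compared.
    if counter != len(target):
        result = 0
    return result


def recover_key(target: bytes) -> bytes:
    """XOR is its own inverse, so decoding the target yields the key."""
    return xor5(target)


# Assumption: the key is the flag body shown on this page. The target is
# derived from it here instead of being copied from the garbled literal.
FLAG_BODY = b"An07h3R_rEv3r5aL_mE7h0d"
TARGET = xor5(FLAG_BODY)

if __name__ == "__main__":
    key = recover_key(TARGET)
    print("recovered key:", key.decode())
    print("exact key accepted:", phase2_check(key, TARGET))
    print("truncated key accepted:", phase2_check(key[:-1], TARGET))
    print("key + trailing bytes accepted:", phase2_check(key + b"junk", TARGET))
```

The derived target ends in `@2m5a`, which matches the tail of the literal still visible in the decompilation.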

Flag

DawgCTF{An07h3R_rEv3r5aL_mE7h0d}