Phase 3 (75 pts)

This is a little more challenging but still nonetheless manageable.

Problem Statement

Reflections? Rotations? Translations? This is starting to sound like geometry...

Author: treap_treap

Solution

Sounds complex. Let's look at it using Ghidra.

Ghidra

phase3
func3_1
func3_2

bool phase3(undefined8 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,
           undefined4 param_5,undefined4 param_6,undefined4 param_7,undefined4 param_8,char *param_9
           )

{
  int strCmpRes;
  char *__s1;
  char *outputStr;
  undefined8 in_R8;
  undefined8 in_R9;
  undefined4 extraout_XMM0_Da;
  undefined in_stack_ffffffffffffffc8;
  char *inputPtr;

  puts("\nReflections? Rotations? Translations? This is starting to sound like geometry...");
  __s1 = (char *)calloc(0x29,1);
  getInput(extraout_XMM0_Da,param_2,param_3,param_4,param_5,param_6,param_7,param_8,3,param_9,
           &DAT_001028d1,__s1,in_R8,in_R9,in_stack_ffffffffffffffc8);
  inputPtr = __s1;
  while (*inputPtr != '\0') {
    outputStr = func3_1(inputPtr);
    *inputPtr = *outputStr;
    outputStr = func3_2(inputPtr);
    *inputPtr = *outputStr;
    inputPtr = inputPtr + 1;
  }
  strCmpRes = strcmp(__s1,"\"_9~Jb0!=A`G!06qfc8\'_20uf6`2%7");
  free(__s1);
  return strCmpRes == 0;
}

char * func3_1(char *character)

{
  char cVar1;

  if (('@' < *character) && (*character < '[')) {
    *character = *character + -0xd;
    if (*character < 'A') {
      cVar1 = '\x1a';
    }
    else {
      cVar1 = '\0';
    }
    *character = cVar1 + *character;
  }
  if (('`' < *character) && (*character < '{')) {
    *character = *character + -0xd;
    if (*character < 'a') {
      cVar1 = '\x1a';
    }
    else {
      cVar1 = '\0';
    }
    *character = cVar1 + *character;
  }
  return character;
}

char * func3_2(char *character)

{
  char cVar1;

  if ((' ' < *character) && (*character != '\x7f')) {
    *character = *character + -0x2f;
    if (*character < '!') {
      cVar1 = '^';
    }
    else {
      cVar1 = '\0';
    }
    *character = cVar1 + *character;
  }
  return character;
}

Understanding

Initially, I had spent a huge amount of time trying to reverse the functions by coding a Python script to attempt to go backwards from the given string back to the flag.

However, I realise that it might not be an onto function, where every output can easily be mapped back to the original flag.

Hence, I decided to replicate the 2 functions in Python and brute force the flag using the 127 different characters in ASCII.

Solve.py

target = "\"_9~Jb0!=A`G!06qfc8\'_20uf6`2%7"
flag = ""

for c in target:
    for i in range(1, 128):
        tmp = i
        # Function3_1
        if tmp > ord('@') and tmp < ord('['):
            tmp -= 0xd
            if tmp < ord('A'):
                tmp += 0x1a

        if tmp > ord('`') and tmp < ord('{'):
            tmp -= 0xd
            if tmp < ord('a'):
                tmp += 0x1a

        # Function3_2
        if tmp > ord(' ') and tmp != 0x7f:
            tmp -= 0x2f
            if tmp < ord('!'):
                tmp += ord('^')

        if (chr(tmp) == c):
            flag += chr(i)
            break

print(flag)

Flag

DawgCTF{D0uBl3_Cyc1iC_rO74tI0n_S7r1nGs}

Phase 3 (75 pts)

Problem Statement​

Solution​

Ghidra​

Understanding​

Solve.py​

Flag​