Phase 6 (175 pts)

Lost your keys again?

Problem Statement

Oh no... I lost the key to my string again :(
Author: treap_treap

Ghidra Analysis

phase6(undefined8 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,
      undefined4 param_5,undefined4 param_6,undefined4 param_7,undefined4 param_8,char *param_9)
{
  char *input_dup;
  size_t len;
  undefined8 in_R8;
  undefined8 in_R9;
  long in_FS_OFFSET;
  undefined4 extraout_XMM0_Da;
  undefined in_stack_ffffffffffffff98;
  undefined4 result;
  int counter;
  char target [4];
  undefined local_34;
  undefined local_33;
  undefined local_32;
  undefined local_31;
  undefined local_30;
  undefined local_2f;
  undefined local_2e;
  undefined local_2d;
  undefined local_2c;
  undefined local_2b;
  undefined local_2a;
  undefined local_29;
  undefined local_28;
  undefined local_27;
  undefined local_26;
  undefined local_25;
  undefined local_24;
  undefined local_23;
  undefined local_22;
  undefined local_21;
  long local_20;

  local_20 = *(long *)(in_FS_OFFSET + 0x28);
  puts("\nOh no... I lost the key to my string again :(");
  result = 1;
  target[0] = '@';
  target[1] = 0x77;
  target[2] = 0x23;
  target[3] = 0x91;
  local_34 = 0xb0;
  local_33 = 0x72;
  local_32 = 0x82;
  local_31 = 0x77;
  local_30 = 99;
  local_2f = 0x31;
  local_2e = 0xa2;
  local_2d = 0x72;
  local_2c = 0x21;
  local_2b = 0xf2;
  local_2a = 0x67;
  local_29 = 0x82;
  local_28 = 0x91;
  local_27 = 0x77;
  local_26 = 0x26;
  local_25 = 0x91;
  local_24 = 0;
  local_23 = 0x33;
  local_22 = 0x82;
  local_21 = 0xc4;
  input_dup = (char *)calloc(0x29,1);
  getInput(extraout_XMM0_Da,param_2,param_3,param_4,param_5,param_6,param_7,param_8,6,param_9,
           &DAT_001028d1,input_dup,in_R8,in_R9,in_stack_ffffffffffffff98);
  counter = 0;
  while( true ) {
    len = strlen(target);
    if (len <= (ulong)(long)counter) break;
    len = strlen(input_dup);
    if (len <= (ulong)(long)counter) break;
    input_dup[counter] = (byte)((int)input_dup[counter] << 4) | (byte)input_dup[counter] >> 4;
    input_dup[counter] = input_dup[counter] ^ 100;
    if (input_dup[counter] != target[counter]) {
      result = 0;
    }
    counter = counter + 1;
  }
  len = strlen(target);
  if ((long)counter != len) {
    result = 0;
  }
  free(input_dup);
  if (local_20 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return result;
}

Solution

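The C code looks menacing, but solving this level takes only simple bitwise operations. Each input byte has its high and low nibbles swapped, is XORed with 100, and is then compared with the matching byte of target. To recover the key we undo the XOR and swap the nibbles back. We just spin up a quick Python script to do it for us.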

Solve.py

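# Target bytes copied from the decompiled phase6 (target[0] .. local_21)
a = [64, 0x77, 0x23, 0x91, 0xb0, 0x72, 0x82, 0x77, 99, 0x31, 0xa2, 0x72, 0x21,
     0xf2, 0x67, 0x82, 0x91, 0x77, 0x26, 0x91, 0, 0x33, 0x82, 0xc4]
ans = ""

for n in a:
    n = n ^ 100                        # undo the XOR with 100
    t = (n >> 4) | ((n << 4) % 128)    # swap the nibbles back; % 128 keeps the result in 7-bit ASCII
    ans += chr(t)
print(ans)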
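
As an added cross-check (not part of the original writeup), the sketch below models the decompiled loop in Python, inverts it to recover the key, and feeds the result back through the model. The helper names and the assumption that getInput stores the typed line unchanged in input_dup are assumptions of this example; the target bytes and the constant 100 come from the decompilation.

```python
# Added example: model of the phase6 check, built from the decompilation above.
TARGET = bytes([
    0x40, 0x77, 0x23, 0x91, 0xb0, 0x72, 0x82, 0x77, 0x63, 0x31, 0xa2, 0x72,
    0x21, 0xf2, 0x67, 0x82, 0x91, 0x77, 0x26, 0x91, 0x00, 0x33, 0x82, 0xc4,
])
XOR_KEY = 100  # 0x64, the constant XORed in by phase6


def swap_nibbles(b: int) -> int:
    """Exchange the high and low 4 bits of one byte (its own inverse)."""
    return ((b << 4) | (b >> 4)) & 0xFF


def encode(data: bytes) -> bytes:
    """Forward transform from phase6: swap nibbles, then XOR."""
    return bytes(swap_nibbles(b) ^ XOR_KEY for b in data)


def decode(data: bytes) -> bytes:
    """Inverse transform: undo the XOR first, then swap nibbles back."""
    return bytes(swap_nibbles(b ^ XOR_KEY) for b in data)


def c_strlen(buf) -> int:
    """strlen() semantics: count bytes up to the first NUL."""
    end = buf.find(0)
    return len(buf) if end < 0 else end


def phase6_check(user_input: bytes) -> bool:
    """Replay the decompiled loop (assumes getInput stores the line as typed)."""
    buf = bytearray(user_input)
    target_len = c_strlen(TARGET)  # stops at the 0x00 byte at index 20
    ok, counter = True, 0
    while counter < target_len and counter < c_strlen(buf):
        buf[counter] = swap_nibbles(buf[counter]) ^ XOR_KEY  # in place, as in C
        if buf[counter] != TARGET[counter]:
            ok = False
        counter += 1
    return ok and counter == target_len


if __name__ == "__main__":
    key = decode(TARGET)
    print(repr(key))
    print(phase6_check(key), phase6_check(key[:20]))
```

In this model target holds a 0x00 at index 20, so strlen(target) is 20 and the loop compares only the first 20 bytes of the input.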

Output

Flag

ezpz

Well, luckily I have been paying attention during my CS classes on computer architecture.

Flag

DawgCTF{B1t_Man1pUlaTi0n_1$_Fun}