Phase 6 (175 pts)

Lost your keys again?

Problem Statement

Oh no... I lost the key to my string again :(

Author: treap_treap

Ghidra Analysis

phase6(undefined8 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4,
      undefined4 param_5,undefined4 param_6,undefined4 param_7,undefined4 param_8,char *param_9)

{
  char *input_dup;
  size_t len;
  undefined8 in_R8;
  undefined8 in_R9;
  long in_FS_OFFSET;
  undefined4 extraout_XMM0_Da;
  undefined in_stack_ffffffffffffff98;
  undefined4 result;
  int counter;
  char target [4];
  undefined local_34;
  undefined local_33;
  undefined local_32;
  undefined local_31;
  undefined local_30;
  undefined local_2f;
  undefined local_2e;
  undefined local_2d;
  undefined local_2c;
  undefined local_2b;
  undefined local_2a;
  undefined local_29;
  undefined local_28;
  undefined local_27;
  undefined local_26;
  undefined local_25;
  undefined local_24;
  undefined local_23;
  undefined local_22;
  undefined local_21;
  long local_20;

  local_20 = *(long *)(in_FS_OFFSET + 0x28);
  puts("\nOh no... I lost the key to my string again :(");
  result = 1;
  target[0] = '@';
  target[1] = 0x77;
  target[2] = 0x23;
  target[3] = 0x91;
  local_34 = 0xb0;
  local_33 = 0x72;
  local_32 = 0x82;
  local_31 = 0x77;
  local_30 = 99;
  local_2f = 0x31;
  local_2e = 0xa2;
  local_2d = 0x72;
  local_2c = 0x21;
  local_2b = 0xf2;
  local_2a = 0x67;
  local_29 = 0x82;
  local_28 = 0x91;
  local_27 = 0x77;
  local_26 = 0x26;
  local_25 = 0x91;
  local_24 = 0;
  local_23 = 0x33;
  local_22 = 0x82;
  local_21 = 0xc4;
  input_dup = (char *)calloc(0x29,1);
  getInput(extraout_XMM0_Da,param_2,param_3,param_4,param_5,param_6,param_7,param_8,6,param_9,
           &DAT_001028d1,input_dup,in_R8,in_R9,in_stack_ffffffffffffff98);
  counter = 0;
  while( true ) {
    len = strlen(target);
    if (len <= (ulong)(long)counter) break;
    len = strlen(input_dup);
    if (len <= (ulong)(long)counter) break;
    input_dup[counter] = (byte)((int)input_dup[counter] << 4) | (byte)input_dup[counter] >> 4;
    input_dup[counter] = input_dup[counter] ^ 100;
    if (input_dup[counter] != target[counter]) {
      result = 0;
    }
    counter = counter + 1;
  }
  len = strlen(target);
  if ((long)counter != len) {
    result = 0;
  }
  free(input_dup);
  if (local_20 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return result;
}

Solution

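The C code looks menacing, but it is just simple bitwise operations: each input byte has its two nibbles swapped and is then XORed with 100 before being compared with the corresponding target byte. To solve this level we reverse those steps, XORing each target byte with 100 and then swapping its nibbles. We just spin up a quick Python script to do it for us.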

Solve.py

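# Bytes assigned to target[0..3] and local_34..local_21 in the decompiled function
a = [64, 0x77, 0x23, 0x91, 0xb0, 0x72, 0x82, 0x77, 99, 0x31, 0xa2, 0x72, 0x21,
     0xf2, 0x67, 0x82, 0x91, 0x77, 0x26, 0x91, 0, 0x33, 0x82, 0xc4]
ans = ""

for n in a:
    n = n ^ 100                       # undo the XOR with 100
    t = (n >> 4) | ((n << 4) & 0xFF)  # swap the nibbles back, keeping the result in one byte
    ans += chr(t)
print(ans)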

Output

Flag

ezpz

Well, luckily I have been paying attention during my CS classes on computer architecture.

Flag

DawgCTF{B1t_Man1pUlaTi0n_1$_Fun}
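
The following is an added example, not part of the original write-up: a Python model of the check in the decompiled phase6, covering the forward transform, its inverse, and the strlen-bounded comparison loop. The function names are illustrative, and it assumes the bytes passed to `phase6_check` are exactly what ends up in `input_dup`.

```python
# Added example: a Python model of the check in the decompiled phase6.
# Function names are illustrative; the constants come from the listing.

# target[0..3] followed by local_34 .. local_21, in stack order.
TARGET = bytes([
    0x40, 0x77, 0x23, 0x91, 0xb0, 0x72, 0x82, 0x77, 0x63, 0x31, 0xa2, 0x72,
    0x21, 0xf2, 0x67, 0x82, 0x91, 0x77, 0x26, 0x91, 0x00, 0x33, 0x82, 0xc4,
])
KEY = 100  # XOR constant from the loop body

def swap_nibbles(b):
    # Rotate a byte by 4 bits; the operation is its own inverse.
    return ((b << 4) | (b >> 4)) & 0xFF

def encode(b):
    # Forward transform phase6 applies to each input byte.
    return swap_nibbles(b) ^ KEY

def decode(b):
    # Inverse transform: undo the XOR first, then the nibble swap.
    return swap_nibbles(b ^ KEY)

def c_strlen(buf):
    # Length up to the first NUL byte, as strlen() would report it.
    i = 0
    while i < len(buf) and buf[i] != 0:
        i += 1
    return i

def phase6_check(user_input):
    # Emulate the loop; both strlen() calls are re-evaluated every iteration.
    buf = bytearray(user_input)
    result, counter = 1, 0
    while counter < c_strlen(TARGET) and counter < c_strlen(buf):
        buf[counter] = encode(buf[counter])
        if buf[counter] != TARGET[counter]:
            result = 0
        counter += 1
    if counter != c_strlen(TARGET):
        result = 0
    return result

# Decoding every constant reproduces the string printed by Solve.py.
RECOVERED = bytes(decode(b) for b in TARGET)

if __name__ == "__main__":
    print(RECOVERED, c_strlen(TARGET), phase6_check(RECOVERED))
```

Because `strlen(target)` stops at the zero byte stored in `local_24`, the modelled check compares only the first 20 bytes. The decoded `Fun` and the trailing newline come from constants that sit after that terminator.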