
Day 2: Gift Wrapping

Challenge description
The elves won't let you into their secret hideout without the password. 
Luckily, they've given it to you as a gift! But it seems to be wrapped up tight...

Poking around

We are provided with a binary that looks innocent. It asks for a magic word. Let's decompile it using Ghidra.

However, the decompiled output is gibberish! Looking at the strings, we see that the binary is packed with UPX. We can unpack it using the upx tool.
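The strings check described above can be scripted. The following is an added example, not part of the original write-up: it looks for the byte markers that stock UPX leaves in a packed file and pairs them with a whole-file entropy estimate. The sample inputs are constructed, and the 7.0 bits-per-byte threshold is an assumption.

```python
import math
from collections import Counter

# Byte strings that stock UPX leaves in a packed file.
UPX_MARKERS = {
    b"UPX!": "UPX header magic",
    b"$Info: This file is packed with the UPX": "UPX info banner",
    b"UPX0": "UPX0 section name (PE)",
    b"UPX1": "UPX1 section name (PE)",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def upx_indicators(data: bytes) -> list[str]:
    """Return descriptions of the UPX markers present in data."""
    return [desc for marker, desc in UPX_MARKERS.items() if marker in data]

def looks_upx_packed(data: bytes, entropy_threshold: float = 7.0) -> bool:
    """Require a marker and high entropy: a marker alone can be a stray string."""
    return bool(upx_indicators(data)) and shannon_entropy(data) >= entropy_threshold

# Constructed sample inputs (not the challenge binary).
HIGH_ENTROPY_FILL = bytes((i * 197 + 13) % 256 for i in range(4096))
PACKED_SAMPLE = (b"\x7fELF" + HIGH_ENTROPY_FILL + b"UPX!"
                 + b"$Info: This file is packed with the UPX executable packer $")
PLAIN_SAMPLE = b"\x7fELF" + b"\x00" * 2048 + b"What's the magic word? " + b"\x90" * 2048

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, upx_indicators(blob),
              round(shannon_entropy(blob), 2), looks_upx_packed(blob))
```

A modified UPX stub can strip these markers, so an empty result does not prove a file is unpacked; the entropy figure still flags the compressed payload in that case.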

Decompiling it with Ghidra this time shows much better results.

  printf("What\'s the magic word? ");
  __isoc99_scanf("%256s",&local_118);
  for (local_11c = 0; local_11c < 0x100; local_11c = local_11c + 1) {
    *(byte *)((long)&local_118 + (long)(int)local_11c) =
         *(byte *)((long)&local_118 + (long)(int)local_11c) ^ 0xf3;
  }
  iVar1 = thunk_FUN_004010e6(CHECK,&local_118,0x17);
  if (iVar1 == 0) {
    puts("Welcome inside...");
  }
  else {
    puts("Wrong password! Who are you?!?");
  }

It simply XORs each entered character with 0xf3 and checks the result against the bytes stored in CHECK.

With the bytes in CHECK extracted, we can reverse the XOR and recover the flag.

solve.py
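# Bytes of CHECK extracted from the unpacked binary
CHECK = [0xbb, 0xa7, 0xb1, 0x88, 0x86, 0x83, 0x8b, 0xac, 0xc7, 0xc2, 0x9d, 0x87, 0xac, 0xc6, 0xc3, 0xac, 0x9b, 0xc7, 0x81, 0x97, 0xd2, 0xd2, 0x8e]

flag = ''
for i in CHECK:
    # XOR is its own inverse, so the same key recovers the original character
    rev = i ^ 0xf3
    flag += chr(rev)

print(flag)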

Flag

HTB{upx_41nt_50_h4rd!!}