WRECKCTF 2022

03 Oct 2022

• https://ctftime.org/event/1775
• Sep 30 to Oct 02
• Played with wackers
• Ranking: 74/524 with 3275 points

My Solves/Writeups

Rev

Challenge Name	Difficulty	Points	Writeup
rev/flag-checker	easy	235	jump
rev/advanced-flag-checker	easy	343	jump
rev/reverser	easy	374	jump

Writeups

rev/flag-checker

I implemented this simple flag checker—can you decompile it and get the right flag?

Attachments: chal

Solution

Open in ida and follow the ida variable indexes in order and get the flag

Flag: flag{gdb_1s_y0ur_b35t_fr13nd_6d94620fa6}

rev/advanced-flag-checker

Okay, maybe the last one was a little too easy. This time I’ve added some secret encryption techniques so that you can’t find out my flag!

Attachments: chal

Solution

Looking at the code through dogbolt’s binary ninja decompiler, we can see that it is xoring different hex values together

Xor is directly reversible by performing xor again, so xor each value back together to probably get the hex of the flag

I did this using a small python script

ct = [0x6239a8ba, 0x17f64e0, 0xa14442bb, 0x415c0789, 0xf6e1eb2b, 0xde2c6878, 0x669d2f08, 0xc8d2ae51, 0x6c12677f, 0x3c3cfba3]
bruh = [0x558C4DC, 0x71100C9B, 0xCE3D1DDE, 0x322958FC, 0x8CBE8F4E, 0xB14A374B, 0xEE9707A, 0xF98DDD38, 0x5D715F4D, 0x410B9F90]

flag = ""

for i in range(len(ct)):
    flag += hex(ct[i] ^ bruh[i])

print(flag)

The result looks like weird backward hex so it might be something to do with endianess

Plug the resulting hex into cyberchef, swap endianess, and go from hex

Flag: flag{hope_you_used_z3_for_this_128c13d7}

rev/reverser

reverse your strings, free of charge!

nc challs.wreckctf.com 31706

Attachments: program.py

Solution

I tried doing the chall the intended way at first by reversing target back to the license key, but that didn’t go so well so I moved to bruteforcing.

Remaking the check_license function to instead just return the value instead of returning if the value is equal to the target we can bruteforce character by character until the target is met.

def check_license(license):
    s = [9]
    for c in license:
        s.append((s[-1] + int(c, 16)) % 16)
    return ''.join(f'{c:x}' for c in s[1:])

bruh = '0123456789abcdef'
target = '51c49a1a00647b037f5f3d5c878eb656'
license = ""

for x in range(len(target)):
    for char in bruh:
        ihatethis = check_license(license + char)
        if ihatethis[x] == target[x]:
            license += char
            break

print(license)

License key: ccb85179606e3453486a4a87cf16dbf1

put the license key into the nc server with and input after and you will get the flag!

Flag: flag{clock_math_too_hard}