Xenonminer's Website

WRECKCTF 2022

My Solves/Writeups

Rev

Challenge Name              Difficulty  Points  Writeup
rev/flag-checker            easy        235     jump
rev/advanced-flag-checker   easy        343     jump
rev/reverser                easy        374     jump

Writeups

rev/flag-checker

I implemented this simple flag checker—can you decompile it and get the right flag?

Attachments: chal

Solution

Open the binary in IDA and follow the IDA variable indexes in order to read off the flag.


Flag: flag{gdb_1s_y0ur_b35t_fr13nd_6d94620fa6}

rev/advanced-flag-checker

Okay, maybe the last one was a little too easy. This time I’ve added some secret encryption techniques so that you can’t find out my flag!

Attachments: chal

Solution

Looking at the code through Dogbolt's Binary Ninja decompiler, we can see that it XORs different hex values together.


XOR is directly reversible by performing XOR again, so XOR each pair of values back together to probably get the hex of the flag.

I did this using a small Python script:

# The two lists of 32-bit hex values taken from the decompilation
ct = [0x6239a8ba, 0x17f64e0, 0xa14442bb, 0x415c0789, 0xf6e1eb2b, 0xde2c6878, 0x669d2f08, 0xc8d2ae51, 0x6c12677f, 0x3c3cfba3]
bruh = [0x558C4DC, 0x71100C9B, 0xCE3D1DDE, 0x322958FC, 0x8CBE8F4E, 0xB14A374B, 0xEE9707A, 0xF98DDD38, 0x5D715F4D, 0x410B9F90]

flag = ""

# XOR each pair back together; hex() writes every word most significant byte first
for i in range(len(ct)):
    flag += hex(ct[i] ^ bruh[i])

print(flag)

The result looks like weird backward hex, so it might have something to do with endianness.

Plug the resulting hex into CyberChef, swap endianness, and decode from hex.


Flag: flag{hope_you_used_z3_for_this_128c13d7}

rev/reverser

reverse your strings, free of charge!

nc challs.wreckctf.com 31706

Attachments: program.py

Solution

I tried doing the chall the intended way at first by reversing target back to the license key, but that didn’t go so well, so I moved to bruteforcing.

By remaking the check_license function to return the computed value instead of whether that value equals the target, we can bruteforce the key character by character until the output matches the target.

# Modified check_license: returns the computed string instead of comparing it to the target
def check_license(license):
    s = [9]
    for c in license:
        s.append((s[-1] + int(c, 16)) % 16)
    return ''.join(f'{c:x}' for c in s[1:])

bruh = '0123456789abcdef'
target = '51c49a1a00647b037f5f3d5c878eb656'
license = ""

# For each position, keep the first hex digit whose output digit matches the target
for x in range(len(target)):
    for char in bruh:
        ihatethis = check_license(license + char)
        if ihatethis[x] == target[x]:
            license += char
            break

print(license)

License key: ccb85179606e3453486a4a87cf16dbf1
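The same key can also be recovered without a search, because each output digit is the previous output digit plus one input digit mod 16, so each input digit is the difference of two adjacent output digits. The following is an added example, not part of the original writeup or the challenge's program.py; it assumes the transform is exactly the check_license variant shown above, and the names `transform` and `invert` are chosen here for illustration.

```python
# Added example: algebraic inverse of the running-sum transform shown above.
# Assumption: transform() mirrors the check_license variant from this writeup
# (seed 9, arithmetic mod 16); invert() is a hypothetical helper name.

SEED = 9   # initial state value used by the writeup's function
MOD = 16   # one hex digit per state value


def transform(license_key: str) -> str:
    """Forward direction: running sum of hex digits mod 16, starting at SEED."""
    state = SEED
    out = []
    for ch in license_key:
        state = (state + int(ch, 16)) % MOD
        out.append(f"{state:x}")
    return "".join(out)


def invert(target: str) -> str:
    """Recover the input: each digit is the difference of adjacent outputs."""
    prev = SEED
    out = []
    for ch in target:
        cur = int(ch, 16)  # raises ValueError on non-hex input
        out.append(f"{(cur - prev) % MOD:x}")
        prev = cur
    return "".join(out)


if __name__ == "__main__":
    target = "51c49a1a00647b037f5f3d5c878eb656"  # target from the writeup
    key = invert(target)
    assert transform(key) == target  # round-trip check against the forward pass
    print(key)
```

This runs in a single pass over the target, where the brute force above recomputes the whole prefix for every candidate digit.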

Put the license key into the nc server with an input after it and you will get the flag!


Flag: flag{clock_math_too_hard}