PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
reverse_cipher


Last updated 4 years ago


Problem

We have recovered a binary and a text file. Can you reverse the flag? It's also found in /problems/reverse-cipher_0_b784b7d0e499d532eba7269bfdf6a21d on the shell server.

Solution

  1. cat rev_this shows picoCTF{w1{1wq87g_9654g}.

  2. Decompile the binary file using Ghidra (cheat sheet):

     void main(void)

     {
         size_t sVar1;
         char local_58 [23];
         char local_41;
         int local_2c;
         FILE *local_28;
         FILE *local_20;
         uint local_14;
         int local_10;
         char local_9;

         local_20 = fopen("flag.txt","r");
         local_28 = fopen("rev_this","a");
         if (local_20 == (FILE *)0x0) {
             puts("No flag found, please make sure this is run on the server");
         }
         if (local_28 == (FILE *)0x0) {
             puts("please run this on the server");
         }
         sVar1 = fread(local_58,0x18,1,local_20);
         local_2c = (int)sVar1;
         if ((int)sVar1 < 1) {
                             /* WARNING: Subroutine does not return */
             exit(0);
         }
         local_10 = 0;
         while (local_10 < 8) {
             local_9 = local_58[local_10];
             fputc((int)local_9,local_28);
             local_10 = local_10 + 1;
         }
         local_14 = 8;
         while ((int)local_14 < 0x17) {
             if ((local_14 & 1) == 0) {
                 local_9 = local_58[(int)local_14] + '\x05';
             }
             else {
                 local_9 = local_58[(int)local_14] + -2;
             }
             fputc((int)local_9,local_28);
             local_14 = local_14 + 1;
         }
         local_9 = local_41;
         fputc((int)local_41,local_28);
         fclose(local_28);
         fclose(local_20);
         return;
     }

    This is a simple program that shifts some characters of the flag. Characters 0-7 are written as is. Characters 8-22 alternate between adding 5 and subtracting 2, starting with adding 5. local_14 & 1 is a bitwise AND between the current index and 1, which isolates the lowest bit: the result is 0 for even indices (add 5) and 1 for odd indices (subtract 2). Finally, the last character (index 23, held in local_41) is appended to the file as is. fread reads 0x18 (24) bytes, and Ghidra shows that buffer as local_58[23] immediately followed by local_41, which is why the last byte has its own variable.

  3. Run script.py to reverse this logic and get the flag.
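The inversion described in steps 2 and 3, as an added example (this is not the writeup's script.py). The function names `encode` and `decode` are hypothetical; `encode` mirrors the decompiled `main` so the round trip can be checked against the contents of rev_this from step 1.

```python
# Added example: the decompiled transform and its inverse (names are hypothetical).
PREFIX_LEN = 8      # indices 0-7 are copied unchanged
SHIFT_END = 0x17    # the shifting loop covers indices 8..22
TOTAL_LEN = 0x18    # fread() pulls 24 bytes; index 23 is copied unchanged


def _shift(data: bytes, sign: int) -> bytes:
    """Apply (sign=+1) or undo (sign=-1) the per-index shift from main()."""
    if len(data) != TOTAL_LEN:
        raise ValueError(f"expected {TOTAL_LEN} bytes, got {len(data)}")
    out = bytearray(data)
    for i in range(PREFIX_LEN, SHIFT_END):
        # (i & 1) == 0 -> even index -> +5, otherwise -2, as in the binary
        delta = 5 if (i & 1) == 0 else -2
        out[i] = (data[i] + sign * delta) & 0xFF  # char arithmetic wraps at a byte
    return bytes(out)


def encode(flag: bytes) -> bytes:
    """What the binary writes to rev_this for a given flag.txt."""
    return _shift(flag, +1)


def decode(cipher: bytes) -> bytes:
    """Recover flag.txt from the bytes found in rev_this."""
    return _shift(cipher, -1)


if __name__ == "__main__":
    rev_this = b"picoCTF{w1{1wq87g_9654g}"  # output of `cat rev_this` in step 1
    flag = decode(rev_this)
    # Re-encoding must reproduce the file, confirming the reading of the loop.
    assert encode(flag) == rev_this
    print(flag.decode())
```
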

Flag

picoCTF{r3v3rs39ba4806b}

Binary
Text file
Ghidra
cheat sheet
script.py