We get a file called r100, let’s check it out:
h0rst@ctf:rev100$ file r100 r100: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0f464824cc8ee321ef9a80a799c70b1b6aec8168, stripped
When we execute it, it asks us for a password:
Enter the password: AAAA
Let’s fire up IDApro and decompile it:
After asking us for the password a function is called to validate our input.
From the range of the for-loop in line 9 we can tell that the password is 12 characters long.
In line 11 each of the 12 characters then is checked and if we entered the correct password, 0 is returned and the challenge is solved.
So every character of the password has to solve:
v3[(i % 3)*8 + 2 * (i / 3)] - password[i] == 1)
Which is equivalent to:
v3[(i % 3)*8 + 2 * (i / 3)] - 1 == password[i]) // -1 // + password[i]
So with knowing v3 we can simply print out the password:
v3 = 'Dufhbmf\0pG`imos\0ewUglpt\0' flag = '' for i in range(0,12): flag += chr(ord(v3[(i % 3)*8 + 2 * (i / 3)]) - 1) print flag
h0rst@ctf:rev100$ python r100_solver.py