Thursday 3 October 2013

Sharif CTF Quals 2013 - Reverse 100 - Vault

Task:
Download
In this task we have to open a huge lock. We are provided with .NET binary and the task is the same as usual: get a flag!

As this is .NET binary (you can check this with file utility or PEiD we can decompile it. A good choice to do that is dotPeek by JetBrains. After decompiling we can see interesting checkFlag method in the Vault class which is probably supposed to check the flag.
When I saw that function I immediately tried the string "d5DpUe529U06d" as a flag. It would be too easy if it was correct. So we have to do some manual work. Let's see what should we do with that string. We have to solve some simple equations to find each char.
d5DpUe529U06d
(object) inp[0] + -> d
(object) (char) ((uint) inp[1] + 5U) + -> 0
(object) (char) ((uint) inp[2] ^ 48U) + -> t
(object) inp[3] + -> p
(object) (char) ((int) inp[4] + 2 ^ 50) + -> e
(object) inp[5] + -> e
(object) (char) (((int) inp[6] - 1) / 2) + -> k
(object) (char) (((int) inp[7] ^ 48) * 50) + -> 1
(object) (char) (((int) inp[8] - 1) / 2) + -> s
(object) (char) (((int) inp[9] ^ 53) + 3) + -> g
(object) inp[10] + -> 0
(object) (char) ((uint) inp[11] + 6U) +  -> 0
(object) inp[12] -> d
 So the flag is "d0tpeek1sg00d".

No comments:

Post a Comment