riftCTF - Rev 2 Writeup

The challenge

Value: 100points

The file required to solve the challenge is attached in the directory with the name: chall2.elf

Message: 1. find the correct password for the crackme to display the “Correct Password” message. 2. your goal is not to make the app display “Correct Password” but to find the correct password which does that for you. 3. brute-forcing won’t help but you can do whatever you want. 4. don’t expose this challenge on a real work environment. 5. flag format ritsCTF{<---flag-here--->}. Good Luck!

author - X3eRo0

Looking at the decompiled source in Ghidra and with some variable renaming, we get this:

undefined8 realMain(void)

  int iVar1;
  long in_FS_OFFSET;
  char password [72];
  long local_10;
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  puts("--=[ Not So Easy Crackme ]=--");
  printf("passwd > ");
  iVar1 = decrypter(password,&encodedFlag,0x25);
  if (iVar1 == 0) {
    puts("Correct Password...");
  else {
    puts("Wrong Password...");
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
  return 0;

The cleaned up decrypter function accepts our input password and the flag from the datasegment and a size of 0x25 bytes as paramters. It then goes on and xor-s each char byte with 0x55.

ulong decrypter(long myInput,long encodedFlag,int integerOf25)

  uint i;
  int j;
  i = 0;
  j = 0;
  while (((j < integerOf25 && (*(char *)(myInput + j) != '\0')) &&
         (*(char *)(encodedFlag + j) != '\0'))) {
    i = i | (int)(char)(*(byte *)(encodedFlag + j) ^ *(byte *)(myInput + j) ^ 0x55);
    j = j + 1;
  return (ulong)i;

I extracted the encoded flag via BinaryNinja as a C character array and xor’ed with python:

encodedFlag = [
	0x27, 0x3c, 0x33, 0x21, 0x16, 0x01, 0x13, 0x2e, 0x21, 0x27, 0x61, 0x36, 0x3c, 0x3b, 0x32, 0x0a,
	0x31, 0x65, 0x66, 0x26, 0x3b, 0x21, 0x0a, 0x22, 0x65, 0x27, 0x3e, 0x0a, 0x34, 0x3b, 0x2c, 0x18,
	0x65, 0x27, 0x66, 0x66, 0x28

decoded = []
for n in encodedFlag:
	decoded.append(chr(n ^ 0x55))


Flag: riftCTF{tr4cing_d03snt_w0rk_anyM0r33}

About the author

All your $rip belong to us.