[CSAW 2016] Key Writeup



So I like to make my life difficult, and instead of a password manager, I make challenges that keep my secrets hidden. I forgot how to solve this one and it is the key to my house… Can you help me out? It’s getting a little cold out here.

NOTE: Flag is not in normal flag format.

Running the file, we get the message: “?W?h?a?t h?a?p?p?e?n?”
Let’s open the exe in IDA and look through its strings for anything interesting.
.rdata:00AB52B8 00000029 C C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
.rdata:00AB52E4 00000016 C ?W?h?a?t h?a?p?p?e?n?                        
.rdata:00AB52FC 00000021 C |------------------------------|             
.rdata:00AB5320 00000021 C |==============================|             
.rdata:00AB5344 00000021 C \\  /\\  /\\  /\\  /\\==============|        
.rdata:00AB5368 00000021 C  \\/  \\/  \\/  \\/  \\=============|        
.rdata:00AB538C 00000021 C                  |-------------|             
.rdata:00AB53B0 00000015 C Congrats You got it!                         
.rdata:00AB53C8 00000012 C =W=r=o=n=g=K=e=y=

We have 4 interesting strings:

  • A path: C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
  • The known message: ?W?h?a?t h?a?p?p?e?n?
  • Good key: Congrats You got it!
  • Bad key: =W=r=o=n=g=K=e=y=

Following the cross-reference (X-ref) to the function that uses the path string, we see that the program tries to read the key from that file. If the file doesn’t exist, we get: ?W?h?a?t h?a?p?p?e?n?
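The length column in the listing counts the terminating NUL, and 0x29 only fits the path when each backslash is counted once, so the doubled backslashes are display escaping and the file to create uses single ones. The sketch below is an added example, not code from the challenge or from IDA: it rebuilds the first two listing rows from a constructed byte blob (the padding is inferred from the addresses in the listing), and the function names are made up for illustration.

```python
import re

# Constructed sample: the first two strings of the listing laid out as they
# would sit in .rdata (NUL-terminated, then NUL padding inferred from the
# gap between the addresses shown in the listing).
BASE = 0x00AB52B8
SAMPLE = (
    b"C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt\x00" + b"\x00" * 3
    + b"?W?h?a?t h?a?p?p?e?n?\x00" + b"\x00" * 2
)

def list_strings(blob, base, min_len=5):
    """Return (address, length including NUL, display text) per C string."""
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len
    rows = []
    for m in re.finditer(pattern, blob):
        raw = m.group()[:-1].decode("ascii")   # drop the terminator
        shown = raw.replace("\\", "\\\\")      # escaping for display only
        rows.append((base + m.start(), len(raw) + 1, shown))
    return rows

def format_row(addr, length, shown):
    """Render one row in the same layout as the listing above."""
    return ".rdata:%08X %08X C %s" % (addr, length, shown)

def on_disk_path(shown):
    """Undo the display escaping to get the path the program opens."""
    return shown.replace("\\\\", "\\")

if __name__ == "__main__":
    rows = list_strings(SAMPLE, BASE)
    for row in rows:
        print(format_row(*row))
    print("create:", on_disk_path(rows[0][2]))
```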

I created the txt file with “aaa” inside and ran it again. This time I set a breakpoint before the decision whether to jump to the success or failure message.


Now let’s see what we have in what seems like the comparison function.

Stepping through the lines, we can see that my “aaa” is compared with a string.


This string is the key “idg_cni~bjbfi|gsxb” and also the flag to the challenge.



