[Pragyan CTF] Roller Coaster Ride



Bobby has been into Reverse Engineering and Binary Exploitation lately.
One day, he went to an amusement park in his city. It was very famouse for its Roller Coaster Rides.
But, Bobby, being 12 years old, was not allowed on those rides, as it was open for people who were 14 years or older.
This made Bobby very angry. On reaching home, he hacked into the servers of the amusement park, got hold of the validation software for the Roller Coaster rides, and modified it, so that nobody is allowed to have a ride on those Roller Coasters.



We are given with a file, lets run file command on it determine its type.

Megabeets$ file validation
validation.elf: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=f18f0acc149e2330b7549976f9e25c1b4e97e4f8, not stripped

Okay, it’s an ELF file. Lets execute it:

Megabeets$ ./validation

 Authenticate yourself

 Enter your name :- Megabeets

 Enter your age :- 74

 You are not old enough !!
 Go home Megabeets, and complete your homework ..

 This is not your cup of tea !!   -_-    -_-


Okay let’s disassemble the file and look at the functions call tree:

Oh, we have lot of functions. All of them looks something like this:

An hex value is moved to r9 (smetimes r8) and then xord with hex value that was moved to rax. I manually xord all the values by order of calls, turn the results to characters and end up with the flag:

>>> flag = chr(0x1a^0x68)+chr(0x85^181)+chr(0xfc^0xcd)+chr(0xa0^0xcc)+chr(0x2a^1)+chr(0xe2^0x96)+chr(0x4d^0x25)+chr(0x84^0xb7)+chr(0x0^0x6d)+chr(0xc2^0x9d)+chr(0xf1^0xc5)+chr(0x2^0x33)+chr(0xbc^0x8d)+chr(0x14^0x39)+chr(0xde^0xae)+chr(0xf2^0x87)+chr(0xde^0xae)+chr(0x68^0x47)+chr(0xb0^0xf0)+chr(0x82^0xec)+chr(0x3a^0x5e)+chr(0x96^0xe8)+chr(0x89^0xbd)+chr(0xee^0x99)+chr(0x56^0x16)+chr(0x5c^0x25)
>>> print flag

The flag was pragyanctf{r01l+th3m_411-up/@nd~4w@y}

[H4CK1T 2016] Crypt00perator – Ethiopia Writeup



Long time ago one security module has been written. But for now its sources have been missed somehow. We have forgotten th3 access k3y, which, as we remember, has been hardcoded inside the module. Help us to recollect th3 k3y!11


This is a pretty basic reverse challenge. We can solve it in many different ways but I will show you only two of them. The first one is the quickest method that will work only for this challenge, and the second is for those of you who want to understand better how to solve such challenges in the future.

So, we got an exe file and we need to find the access key. We are given with a hint that the key is somehow hardcoded in the file itself. Let’s run the file and see what will happen.

Megabeets D:\Downloads\h4ckit\ethiopia
> crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe
Enter th3 k3y :
> Megabeets


Seems like all it does is to ask for the key, let’s take a deeper look and see if we the key is stored clear-text in the file. Open the file in IDA pro and press Shift+F12 to open the Strings subview. The strings that written by the programmer will usually be stored in close adresses. Her’e are snip of the strings. I marked the most meaningful:

.text:0000000000468093  00000005 C G u$E                                           
.data:0000000000472020  00000029 C o3dl6s|41a42344d110746d574e35c2f77ab6>3z        
.rdata:0000000000488000 00000008 C Allowed                                         
.rdata:000000000048800E 00000007 C Denied                                          
.rdata:0000000000488015 00000010 C Enter th3 k3y :                                 
.rdata:0000000000488070 00000011 C basic_ios::clear                                
.rdata:0000000000488090 00000025 C ios_base::_M_grow_words is not valid            
.rdata:00000000004880B8 0000002A C ios_base::_M_grow_words allocation failed       
.rdata:00000000004880F2 00000006 C POSIX                                           
.rdata:0000000000488100 00000012 C std::future_error                               
.rdata:0000000000488120 00000024 C __gnu_cxx::__concurrence_lock_error             
.rdata:0000000000488148 00000026 C __gnu_cxx::__concurrence_unlock_error                                          

We can easily notice the strings which we already faced when executing the program: ‘Denied’ and ‘Enter th3 k3y :’. The ‘Allowed’ string will probably be printed after entering the right key. But what is this strange string: ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’? Is it the key? Let’s try.

Megabeets D:\Downloads\h4ckit\ethiopia
> crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe
Enter th3 k3y :
> o3dl6s|41a42344d110746d574e35c2f77ab6>3z


No luck. It is not the key, but what is it? It should be meaningful somehow but I don’t yet know how the program is using this string. I decided to debug the program and set a breakpoint before the decision whether the input is the right key or not is made.

Let’s go to the main function and set a breakpoint before the calling to the Checker method:



Now let’s run the program with that long string as the input and look at the registers. We can see that RAX is pushed to the Checker function. The checker function is comparing RAX with the long string and if RAX==long_string we get the Allowed message. But our RAX is different then the long string although we use the long string as our input what means that the inputted string is being manipulated and then compared to the original long string. So, what is our RAX? Let’s hover RAX with the cursor.



Well, RAX is looking like the flag. We will get the Denied message but at least we now have the flag.

Megabeets D:\Downloads\h4ckit\ethiopia
> crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe
Enter th3 k3y :
> h4ck1t{36f35433c667031c203b42d5a00fe194}



So we solved the challenge but now let’s see what is happening behind the scenes of this program. We can find out what the program is doing without getting too deep into the assembly code. We already know that the program is taking our input and perform some manipulation on it. After that it compares the manipulated string to this long string ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’. The best approach in this cases is to see what is the result of different inputs, I’ll show few examples that can teach us about the program:


[table id=1 /]


As you can see, this is probably a Substitution cipher implementation. Every character is replaced  always with the same another character. We can write a short python script to figure out what is the key using our a-z0-9{} input and the matching RAX string:


input = "abcdefghijklmnopqrstuvwxyz0123456789{}"     
rax = "fedcba`onmlkjihwvutsrqp_~}76543210?>|z"        
expected = "o3dl6s|41a42344d110746d574e35c2f77ab6>3z"                                       
flag= ''   

for c in expected:                                    
	flag += input[rax.index(c)]                       

print flag
# flag: h4ck1t{36f35433c667031c203b42d5a00fe194}

We got the flag 🙂

If you have any questions feel free to ask and I’ll explain more.

Flag: h4ck1t{36f35433c667031c203b42d5a00fe194}


[H4CK1T 2016] PhParanoid – Malaysia Writeup




Task: PhParanoid – Malaysia – 225 – Rever$e

EN: I am so paranoid! I try to hide everything from this mad world! I have already obfuscated my calculator sources, my javascript site sources and I`m not going to stop! And u will never know what I hide, haha!

In this challenge we got Phb, i.e php file that compiled using BCompiler (PHP Bytecode Compiler). We can Decompile it using this.

The decompilation process is very simple and we easily got this php file (I deleted repeated parts to decrease size):

$secret ="The";
do {
	$is_secret_exists = false;

	if (isset($secret)) {
		$is_secret_exists = true;
	else {

	$is_secret_valid = false;
	if (strstr($secret, "The") && (strpos($secret, "The") == 0)) {
		$is_secret_valid = true;
		echo $secret;

	$c0 = chr(ord($secret[0]) + 20);

	if ((ord($c0) + (-20)) != 84) {

	$c1 = chr(ord($secret[1]) + (-52));

	if ((ord($c1) + 52) != 104) {

	$c43 = chr(ord($secret[43]) + (-35));

	if ((ord($c43) + 35) != 103) {

	$c44 = chr(ord($secret[44]) + 79);

	if ((ord($c44) + (-79)) != 46) {
} while (false);



So what we have here is a manipulation on char codes to check if the secret variable is valid. Let’s find out which char codes we need to use in order to find the flag.

Every if statement in the code looks like the following code. I added a comments for explanation

# the first character of the flag is the first character of the 'secret' + 20
$c0 = chr(ord($secret[0]) + 20);

# check if the char code of the first character of the flag -20 equals 84
if ((ord($c0) + (-20)) != 84) {

So, from this we can assume that the flag starts with chr(20+84) which is ‘h’. Make sense because we know that the flag is starting with “h4ck1t{“. I made some manipulation on the script (Lot of replaces in Notepad++ to keep only the relevant char codes) to create a list of the char codes and then converted them to chars with python.

>>> charcodes = [+20 +84,-52 +104,-2 +101,-7 +114,-52 +101,+43 +73,+8 +115,+1 +78,-63 +111,+22 +82,-10 +105,-55 +103,+8 +104,-49 +116,-17 +65,-42 +110,-49 +100,-34 +87,-19 +114,-40 +111,-62 +110,+13 +103,+49 +46,-35 +84,-26 +104,-48 +101,-65 +114,-33 +101,-28 +79,-15 +110,-31 +108,-16 +121,+8 +70,-66 +117,-15 +110,-12 +65,-61 +110,-33 +100,+9 +66,-16 +111,-37 +114,-56 +105,+0 +110,-35 +103,+79 +46]
>>> flag = ''
>>> for c in charcodes:
...     flag+=chr(c)
>>> print flag


[CSAW 2016] Gametime Writeup



Guess what time it is! That’s right! Gametime! Wowwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww!!!!!!!!!!!!

Author: Brad Antoniewicz

note: flag is not in flag{} format


To be honest, I downloaded the file, played the game once and got the key. It is possible for humans to win the game, or maybe it’s just my Super-Vegan powers LOL.
But I wanted, of course, to get the key using RE. I opened IDA and searched for interesting strings.
.rdata:00A17858 00000014 C \rGet ready to play\n                                     
.rdata:00A17970 00000033 C \rZOMGZOMG           YOU DID IT!!!        ZOMGOZMG\n      
.rdata:00A179E0 0000000F C key is %s (%s)                                            
.rdata:00A179F4 0000002C C \nWhen you see an 's', press the space bar\n\n            
.rdata:00A17A20 0000002C C \nWhen you see an '%c', press the '%c' key\n\n            
.rdata:00A17A50 00000010 C key is %s (%s)\r                                          
.rdata:00A17A60 0000002B C \rUDDER FAILURE! http://imgur.com/4Ajx21P \n              
.rdata:00A17A8C 00000024 C \r                                 \r                     
.rdata:00A17AB0 0000002A C UDDER FAILURE! http://imgur.com/4Ajx21P \n                
.rdata:00A17ADC 00000005 C %02x                                                      
.rdata:00A17B20 00000010 C \tkey is %s (%s)                                          
.rdata:00A17B30 00000034 C \r\tZOMGZOMG                                ZOMGZOMG\n    
.rdata:00A17B64 00000034 C \r\tZOMGZOMG     TAP TAP REVOLUTION!!!!!!!  ZOMGZOMG\n    
.rdata:00A17BD0 00000020 C \r\t              R U READDY?!\n\n\n                      
.rdata:00A17BF0 0000001D C \rThe game is starting in...\n                            
.rdata:00A17C10 00000033 C \rTRAINING COMPLETE!                              \n      
.rdata:00A17C48 0000002A C \rNow you know everything you need to know                
.rdata:00A17C74 0000001F C \n\n\nfor the rest of your life!\n                        
.rdata:00A17C94 0000000D C LETS PLAY !\n                                             
.rdata:00A17CA4 00000016 C \rooooh, you fancy!!!\n                                   
.rdata:00A17CBC 00000011 C NIIICE JOB)!!!!\n                                         
.rdata:00A17CD0 00000012 C \rTURBO TIME!    \n

I highlighted the important lines: The success message (I know, I got it when I played) and the failure messages. Using X-Refs I found where the failure messages are printed out and patched the program to jump to the success instead. Notice that you’ll need to change two functions.

1st jump to change:


2nd jump to change:


Now apply the patches to the program and run it. Let the game play alone and the key will be printed.

The key is: (no5c30416d6cf52638460377995c6a8cf5)

[CSAW 2016] Key Writeup



So I like to make my life difficult, and instead of a password manager, I make challenges that keep my secrets hidden. I forgot how to solve this one and it is the key to my house… Can you help me out? It’s getting a little cold out here.

NOTE: Flag is not in normal flag format.

Running the file we end up with a message: “?W?h?a?t h?a?p?p?e?n?”
Let’s open the exe in IDA and view it’s strings looking for interesting strings.
.rdata:00AB52B8 00000029 C C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
.rdata:00AB52E4 00000016 C ?W?h?a?t h?a?p?p?e?n?                        
.rdata:00AB52FC 00000021 C |------------------------------|             
.rdata:00AB5320 00000021 C |==============================|             
.rdata:00AB5344 00000021 C \\  /\\  /\\  /\\  /\\==============|        
.rdata:00AB5368 00000021 C  \\/  \\/  \\/  \\/  \\=============|        
.rdata:00AB538C 00000021 C                  |-------------|             
.rdata:00AB53B0 00000015 C Congrats You got it!                         
.rdata:00AB53C8 00000012 C =W=r=o=n=g=K=e=y=

We have 4 interesting strings:

  • A path: C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
  • The known message: ?W?h?a?t h?a?p?p?e?n?
  • Good key: Congrats You got it!
  • Bad key: =W=r=o=n=g=K=e=y=

Visiting the function that uses the path string (X-ref) we understand the program is trying to read the key from it, if it doesn’t exists we would get: ?W?h?a?t h?a?p?p?e?n?

I Created the txt file with “aaa” inside and ran again, this time I set a breakpoint before the decision whether to jump to the success or failure message.


Now let’s see what we have in what seem like the comparison function.

Stepping the lines we can see that my “aaa” is compared with a string.


This string is the key “idg_cni~bjbfi|gsxb” and also the flag to the challenge.