Difficulty:

  • Baby (Author)
  • Baby (Specki)

Notes:

Rabbit Holes:

Solution:

  • Open rev2 in Ghidra
  • Find main function
  • See strcmp of Input variable with hardcoded bytes
  • Input Variable is modified before comparison by while-loop
    while (i < (int)sVar2 + -1) {
    	input[i] = input[i] ^ (char)i + 10U;
    	input[i] = input[i] - 2;
    	i = i + 1;
    }
    iVar1 = strcmp((char *)input,"lp`7a<qLw\x1ekHopt(f-f*,o}V\x0f\x15J");
    
  • While loop modifies each character by XORing it with (index + 10) and then subtracting 2
  • Obfuscation can be easily reversed by applying the reverse instructions in reverse order:
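    #include <cstring>
    #include <iostream>

    void rev3()
    {
    	char solution[50] = "lp`7a<qLw\x1ekHopt(f-f*,o}V\x0f\x15J";
    	// Decode only the encoded bytes, not the zero padding of the buffer
    	const int len = (int)std::strlen(solution);
    
    	for (int i = 0; i < len; i++)
    	{
    		solution[i] += 2; // Revert subtraction
    		solution[i] = solution[i] ^ ((char)i + 10U); // Revert XOR (+ binds tighter than ^)
    		std::cout << solution[i]; // Print password
    	}
    	std::cout << std::endl;
    }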
    
  • Reversing the obfuscation yields the password: dyn4m1c_k3y_gen3r4t10n_y34h
  • netcat to the Server and enter password
  • WIN

Flag

CSCG{pass_1_g3ts_a_x0r_p4ss_2_g3ts_a_x0r_EVERYBODY_GETS_A_X0R}

Remediation:

  • Do not hardcode passwords unencrypted
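
The remediation above, as an added example (not part of the original writeup or the challenge code): the bytes stored in the binary decode back to the password with no secret involved, whereas a salted PBKDF2 verifier stores only a one-way digest. The function names, the iteration count and the choice of PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Bytes hardcoded in the challenge binary (taken from the strcmp shown above).
STORED = b"lp`7a<qLw\x1ekHopt(f-f*,o}V\x0f\x15J"


def deobfuscate(data: bytes) -> bytes:
    """Invert the binary's transform: add 2, then XOR with (index + 10)."""
    return bytes(((b + 2) ^ (i + 10)) & 0xFF for i, b in enumerate(data))


# Hardened form (illustrative): store only a random salt and a slow digest.
ITERATIONS = 600_000  # assumed work factor, tune to the target hardware


def make_verifier(password: bytes) -> tuple[bytes, bytes]:
    """Return (salt, digest); this pair is what gets stored, not the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return salt, digest


def check(candidate: bytes, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest from the candidate and compare in constant time."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate, salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    recovered = deobfuscate(STORED)
    print("recovered from obfuscated bytes:", recovered.decode())
    salt, digest = make_verifier(recovered)
    print("stored instead:", salt.hex(), digest.hex())
    print("correct password accepted:", check(recovered, salt, digest))
    print("wrong password accepted:", check(b"guess", salt, digest))
```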