Project Sekai - 🩸-reverse-archs

Project Sekai

🔒 WolvCTF 2023 / 🩸-reverse-archs

archs - 500 points

Category: Reverse Description: Yo dawg Files:

https://wolvctf.io/files/e10c0d7b6a07ac03b4780ec00557a701/archs?token=eyJ1c2VyX2lkIjoyNjgsInRlYW1faWQiOjE3MCwiZmlsZV9pZCI6ODN9.ZBTQDg.QAY-cNw8HRwpzx0QJ3cNLGABRSw

Tags: iQlusion#4057

Sutx pinned a message to this channel. 03/17/2023 1:39 PM

@TheBadGod wants to collaborate

so, first stage just prints flag starts with wctf{, then asks for a single byte xor key and decrypts a huge chunk of memory

13:40

983.28 KB

13:40

using the right key (0x40 i think, didn't pay attention) gives this x86 elf

13:42

the x86 binary does some code modification on the fly, 0x81 bytes are xored again with a single byte xor key

13:43

here's the code (as it is in the binary) in hex

BE63565656530556565603EF4B565656DFB30100DB038DDB2B8DDBE65A565656D5BA72A5F23C4B043C5731BE58565656D59246DB33AE08090B95DD527295DD0A7252DD1A725EDD02725AEE52565656070403DFB359625656565656565656565656565656173839223E332476303A373176263724226C760F6609126221315C5656

13:44

correct key probably is 'V' judging from the amount of V in there (edited)

13:46

Another flag part: Y0_D4wg

13:47

next binary is arm64

941.68 KB

13:49

this time reading a string of length max 31

end of flag is ann0y1ng?!}

14:21

wctf{Y0_D4wg

14:22

the remaining part (probably) is bytes.fromhex("1E262502401E2579456B") xored with a constant key, but idk the length of the key

14:23

  printf("Decryptor pass: ");
  scanf("%31s", key);
  start_time = nanotime();
  key_length = strlen(key);
  v5 = v16;
  for ( i = 0LL; i != 10; ++i )
  {
    v7 = i % key_length;
    *v5++ ^= key[v7];
  }
  if ( nanotime() - start_time <= 10000 )
    printf("Another flag part: %s\n", v16);
  else
    domeme();

v16 is the 10 bytes I sent before

14:24

bruh

14:25

_th4t_w4s_

TheBadGod

used /ctf submit

Well done, you got first blood!

guessed the key to be ARM64 (because the decryption key for the last binary was MIPS32, after it asked what the next arch will be)

peepoo

14:38

@TheBadGod fine to give ur handle to author? he wanted to ask sth

sure

Exported 23 message(s)