Security Forem

Hitanshu Gedam

picoCTF classic crackme 0x100 writeup

We are given a binary file in this challenge and are asked to reverse engineer it. I downloaded it on my Windows laptop and decompiled it on DogBolt.

I scrolled down until I found the main() function:

[screenshot: decompiled main() function]

Some variables and arrays are defined first. The function begins by copying a fixed 51-character string into a buffer called output, which is the correct "transformed" version of the secret password. It then prompts the user for a password, which is read into the input buffer. The core of the code is a nested loop that runs three times: for each character of the input, it performs a transformation based on the character's index, using bitwise operations and modular arithmetic to shift the character within the lowercase alphabet ('a' to 'z'). After applying this transformation three times, the code compares the transformed input with the predefined output string using memcmp. If they match, it prints a success message and a placeholder flag; otherwise it prints "FAILED!".

I used wget to download the file on the pico webshell and gave it executable permissions with the chmod command.

I wrote a Python script with the help of ChatGPT:

# The transformed password copied into the binary's output buffer
output = "mpknnphjngbhgzydttvkahppevhkmpwgdzxsykkokriepfnrdm"

def transform_char(c, i_1):
    # Mirrors one pass of the decompiled loop for the character at index i_1:
    # the two masking steps count the set bits of (i_1 % 0xff), and that count
    # becomes the shift applied to the character within 'a'..'z'.
    uVar1 = ((i_1 % 0xff) >> 1 & 0x55) + ((i_1 % 0xff) & 0x55)
    uVar1 = ((uVar1 >> 2) & 0x33) + (uVar1 & 0x33)
    iVar2 = (uVar1 >> 4) + ord(c) - 0x61 + (uVar1 & 0xf)
    result = iVar2 % 26 + ord('a')
    return chr(result)

def transform(s):
    # One forward pass over the whole string (the binary does this three times)
    return ''.join(transform_char(c, i) for i, c in enumerate(s))

# Reverse the transformation by brute-force: for each position, try every
# lowercase letter until one transforms into the target character.
def reverse_transform(target):
    original = ['?'] * len(target)
    for i, target_c in enumerate(target):
        for c in range(ord('a'), ord('z') + 1):
            trial = chr(c)
            if transform_char(trial, i) == target_c:
                original[i] = trial
                break
    return ''.join(original)

# Apply reverse transformation 3 times, undoing the binary's three passes
current = output
for _ in range(3):
    current = reverse_transform(current)

print("Recovered password:", current)

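As an added example (my own code, not the script from the writeup), the same transformation can be inverted directly instead of by brute force. The two masking steps in the decompiled loop are a standard SWAR bit count, so each pass simply rotates the character at index j forward by the number of set bits in (j % 0xff). Subtracting three times that shift modulo 26 recovers the password in a single pass, and re-applying the forward transform three times reproduces the binary's memcmp check. The function names and the constant TARGET are my choices; the string itself is the output constant quoted above.

```python
# Added example: analytic inverse of the crackme's per-character transform.
# TARGET is the transformed password from the writeup; ROUNDS follows the
# binary's three passes. Function names are assumptions, not the binary's.
TARGET = "mpknnphjngbhgzydttvkahppevhkmpwgdzxsykkokriepfnrdm"
ROUNDS = 3


def swar_popcount(i):
    """The two-step bit trick from the decompiled main(): it counts the set
    bits of (i % 0xff), i.e. it equals bin(i % 0xff).count('1')."""
    v = i % 0xff
    v = ((v >> 1) & 0x55) + (v & 0x55)   # sum adjacent bit pairs
    v = ((v >> 2) & 0x33) + (v & 0x33)   # sum pairs into nibbles
    return (v >> 4) + (v & 0xf)          # add the two nibble totals


def forward(s, rounds=ROUNDS):
    """Apply the binary's transformation: each round shifts the character at
    index j forward by popcount(j) within 'a'..'z'."""
    out = list(s)
    for _ in range(rounds):
        out = [chr((ord(c) - 0x61 + swar_popcount(j)) % 26 + 0x61)
               for j, c in enumerate(out)]
    return ''.join(out)


def inverse(s, rounds=ROUNDS):
    """Undo forward() without brute force: the total shift after `rounds`
    passes is rounds * popcount(j), so subtract it modulo 26."""
    return ''.join(chr((ord(c) - 0x61 - rounds * swar_popcount(j)) % 26 + 0x61)
                   for j, c in enumerate(s))


def check(candidate):
    """Mirror the crackme's memcmp: transform the candidate three times and
    compare with the stored output string."""
    return forward(candidate) == TARGET


def recover():
    """Recover the password analytically and confirm it passes the check."""
    password = inverse(TARGET)
    if not check(password):
        raise RuntimeError("inverse did not round-trip")
    return password


if __name__ == "__main__":
    print("Recovered password:", recover())
```

Because the shift depends only on the index and never on the character value, the three passes compose into one subtraction per position; the brute-force script above and this direct inverse must agree on every character, which is a useful sanity check when the decompiler output is ambiguous.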

And I got the original string. I tried it as input to the binary on the webshell and it succeeded. Now that I was sure of the original string, I used the nc command provided in the challenge to connect to the machine and gave it the string.

[screenshot: webshell session with the nc connection and the flag]

This is how I received the flag!
