NahamCon CTF 2022 – babyrev (Reverse Engineering)

Hi everyone! NahamCon CTF 2022 was held from 29/4 to 30/4. This babyrev challenge is about reversing the binary's encoding of the flag so that the stored values can be decoded. Let's get started!

Files provided

You can download my reverse-engineered IDA Freeware 7.7 database file for babyrev here.

Overview

In main(), the binary prompts us for a username and a password. The username must be “bossbaby”, since our input is compared against “bossbaby” with strcmp(). The password is then passed to password_checker(). (Note that password_checker() was not named that originally. I renamed it after reverse-engineering it to reflect its functionality.)

Everything in password_checker() looks complex and confusing at first, but what we are interested in is just the red boxes I have drawn below. The password undergoes some kind of encoding before being compared against the contents of a global array. Notice that password_checker() returns matched_length, which explains why main() compares its return value with 38: the password is most likely 38 characters long. Since the program never prints a flag, the password itself must be the flag.

Looking at encoded_passwd_array, we can see it holds 38 integers, one per character of the expected password.

Finally, we are left with encoding(). It indeed performs a simple, reversible transformation: each character is shifted left by (index mod 7), and the square of the index is added to the result. This is exactly what the script below undoes.

Script to decode & get flag

Since we know that the password is the flag, we know the encoding algorithm, and we know the encoded values, we can recover the flag by reversing the encoding on each value. This is easiest with a script. Below is babyrev_script.py:

# babyrev_script.py: undo encoding() on the 38 values copied from encoded_passwd_array
flag = ""
encoded_passwd_array = [0x66, 0xD9, 0x188, 0x341, 0x7C0, 0x6F9, 0x18A4, 0x95, 0x10A, 0x1D5, 0x37C, 0x3A9, 0x7B0, 0x1969, 0x127,
    0x1A3, 0x1C4, 0x2B9, 0x754, 0x889, 0xF50, 0x1F0, 0x254, 0x2D9, 0x558, 0x571, 0x924, 0x1019, 0x342,
    0x3AD, 0x508, 0x6E9, 0x0A30, 0x10E1, 0x1284, 0x500, 0x5D2, 0x74D]

# Sanity check: the array must hold exactly 38 entries, the length main() expects
print(len(encoded_passwd_array))

# encoding() shifted each byte left by (counter % 7) and then added counter^2;
# subtract the square first, then shift back to recover the original character
for counter, value in enumerate(encoded_passwd_array):
    flag += chr((value - (counter * counter)) >> (counter % 7))

print(flag)

C:\> py .\babyrev_script.py
38
flag{7bdeac39cca13a97782c04522aece87a}
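The script above inverts the encoding in closed form. As an added example (not the original babyrev_script.py and not code from the challenge binary), the block below reconstructs the forward transform implied by that decoder, recovers the flag a second way by brute-forcing each position against the forward function only, and models the matched_length count that the write-up says password_checker() returns. The encode_char(), decode_bruteforce() and matched_length() names, and the assumption that matched_length counts matching positions, are mine; the round-trip check confirms that the reconstructed forward transform reproduces every value in the array, which is how you would confirm your understanding of encoding() before trusting the decoder.

```python
import string

# Values copied from the binary's encoded_passwd_array (38 entries).
ENCODED = [
    0x66, 0xD9, 0x188, 0x341, 0x7C0, 0x6F9, 0x18A4, 0x95, 0x10A, 0x1D5, 0x37C,
    0x3A9, 0x7B0, 0x1969, 0x127, 0x1A3, 0x1C4, 0x2B9, 0x754, 0x889, 0xF50,
    0x1F0, 0x254, 0x2D9, 0x558, 0x571, 0x924, 0x1019, 0x342, 0x3AD, 0x508,
    0x6E9, 0xA30, 0x10E1, 0x1284, 0x500, 0x5D2, 0x74D,
]


def encode_char(c, i):
    """Forward transform reconstructed from the decoder (assumption: the
    binary's encoding() does exactly this): shift the byte left by (i mod 7),
    then add i squared."""
    return (ord(c) << (i % 7)) + i * i


def encode(password):
    """Encode a whole password position by position."""
    return [encode_char(c, i) for i, c in enumerate(password)]


def decode_closed_form(values):
    """Exact inverse: subtract the square first, then shift back."""
    return "".join(chr((v - i * i) >> (i % 7)) for i, v in enumerate(values))


def decode_bruteforce(values, alphabet=string.printable):
    """Recover each character by trying every candidate through the forward
    function. Needs no algebraic inverse, so it also works when an encoding
    is awkward to invert by hand. Because a left shift plus a constant is
    injective over single bytes, every position yields exactly one candidate."""
    out = []
    for i, v in enumerate(values):
        matches = [c for c in alphabet if encode_char(c, i) == v]
        if len(matches) != 1:
            raise ValueError("position %d: %d candidates" % (i, len(matches)))
        out.append(matches[0])
    return "".join(out)


def matched_length(password, values=ENCODED):
    """Model of password_checker(): count the positions whose encoded byte
    equals the stored value. main() accepts only a count of 38. (Assumption:
    the real function counts matches this way; the write-up only states that
    it returns matched_length.)"""
    return sum(
        1 for i, c in enumerate(password[: len(values)])
        if encode_char(c, i) == values[i]
    )


if __name__ == "__main__":
    flag = decode_closed_form(ENCODED)
    assert decode_bruteforce(ENCODED) == flag
    assert encode(flag) == ENCODED  # forward transform reproduces the array
    print(flag, matched_length(flag))
```

The brute-force path is the one to reach for first in a reversing challenge when the transform is unfamiliar: as long as you can call (or reimplement) the forward function, a per-position search over printable characters recovers the input without deriving the inverse, and the candidate count tells you immediately whether the encoding is ambiguous.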

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
