# CSAW CTF Quals 2016 - deedeedee

Points: 150
Category: Reversing
Description
(I lost the description to this challenge)
deedeedee

This is a reversing challenge. Given a binary, our objective was to find the flag. I vaguely remember that the description of this challenge was something along the lines of being able to execute instructions at compile time.

We’re given a 64-bit ELF.

Running the binary in my CTF environment tells us that we have the encrypted flag, and that the flag was generated at compile time.

The hexencoded flag decodes to glgzt2mqlt2_leu4qr1gsalmhnf_hs^gs8^4^3wesy1n2}. Keep this in mind, we will need it later. You could use python to decode the hex encoded string or simply use any hex->text converter online.

### Analysis

Running objdump -x on the binary shows that there are many functions defined, and instincts tells me that at least one of these would contain the routine required to decrypt our flag.

Doing a simple grep for encrypt finds the function we are searching for:

Note that the names are all mangled, but we can still roughly make out the meaning of the functions.

The disassembly for the function shows some kind of chained function calls where the result of one call is used as argument for the other call.

What we can notice from the disassembly is:

1. Each function takes in two argument, registers $rdi and$rsi.
2. The function names are slightly different, first one has 313131 and second one has 323232 in it.

The next logical thing to do is to disassemble one of the function calls:

What I noticed is that the arguments provided is xor’ed with the string located at 0x49fa5c, which is 0x31. Remember the 0x313131 contained in the name of the function?

Now with these, I have some idea of how the encryption is done (probably a chain of xors with some constant byte values, 0x31 in this case). We can further verify this by doing dynamic analysis.

We first set a breakpoint at main, and run the binary in gdb. We then jump to 0x000000000044CDE0, which is the start of the encrypt function.

Remember that the chain of function takes in two argument from register $rsi and$rdi, I assume that one of this register contains a pointer to the string we are encoding and the other pointer containing the len of the string.

With that assumption, we set the register to the correct values. We can do so by running the following gdb calls. We also set a breakpoint at the first xor instruction, so that we can verify the xor values.

We see that the $ebx contains 0x3 which is the length we set at register$rdi as well. Thus, in this function, every byte in the input string is xor’ed with 0x31 as well as the length of the input string.

In python, the particular function would look something like the following

Now that we have confirmed our assumptions, the flag can be easily decrypted by running the same function with the flag and the length as input.

And we have our flag!