Created
September 14, 2022 22:47
CSAW CTF Qualification Round 2022 - GAME reverse
Connecting to the server, we see that it asks for one or more inputs. When the input is something like 1 and then 1, we encounter a door which requires a password. Now we can look at the binary file.
I used Ghidra to decompile the file at first, then only later used IDA. First, by looking at the strings, we can see some strings that we saw in the server output. I traced them back and found this method.
https://imgur.com/AijEsVe
It is interesting that the function call has an unusual name, "fnv_1a_32". If we search for this on Google, the first result is the Wikipedia page "Fowler–Noll–Vo hash function".
https://imgur.com/NYkjCRm
I changed the names of the variables for the purposes of this writeup, but we can see that the code is the same as the pseudocode shown on the Wikipedia page.
There is an array with some chars, and those keywords are interesting.
https://imgur.com/3d5Pgv8
Those keywords are "cook", "flawed", "gravel", "king", "decisive".
So now we know that there is a hash, we have some keywords, and we know that the input is in decimal. I asked myself whether the answer might be the hash of those keywords.
We might want to try this. I searched on Google and found this tool, https://md5calc.com/hash/fnv1a32, which computes the FNV-1a 32-bit hash of a string. All we need to do then is convert it to decimal.
These are the keywords, their hashes and their decimal values.
fnv1a32  decisive  649df323  1688072995
fnv1a32  king      da13e3d6  3658736598
fnv1a32  flawed    42b03586  1118844294
fnv1a32  cook      ef3e2929  4013828393
fnv1a32  gravel    b2def4fa  3000956154
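The same hashes can be computed locally instead of with the online tool. This is an added example, not part of the original writeup: the names `fnv1a_32` and `door_inputs` are chosen here, and the constants are the standard 32-bit FNV offset basis and prime from the Wikipedia pseudocode.

```python
"""FNV-1a (32-bit) hash, used to rebuild the keyword table from the writeup."""

FNV_OFFSET_BASIS = 0x811C9DC5  # standard 32-bit FNV offset basis
FNV_PRIME = 0x01000193         # standard 32-bit FNV prime

# Keywords listed in the writeup (taken from the char array in the binary).
KEYWORDS = ["cook", "flawed", "gravel", "king", "decisive"]


def fnv1a_32(data: bytes) -> int:
    """FNV-1a: XOR each byte into the state, then multiply, modulo 2**32."""
    h = FNV_OFFSET_BASIS
    for byte in data:
        h ^= byte
        h = (h * FNV_PRIME) & 0xFFFFFFFF  # emulate 32-bit unsigned overflow
    return h


def door_inputs(keywords):
    """Return (keyword, hex digest, decimal string) rows.

    The decimal string is the form the server expects as door input.
    """
    rows = []
    for word in keywords:
        digest = fnv1a_32(word.encode("ascii"))
        rows.append((word, f"{digest:08x}", str(digest)))
    return rows


if __name__ == "__main__":
    for word, hexdigest, decimal in door_inputs(KEYWORDS):
        print(f"fnv1a32  {word:<9} {hexdigest}  {decimal}")
```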
Those are the doors, the decimal value and the answer.
1-1            4013828393  flag{e@5+er_
2-3-3          1118844294  e995_6ehind_
1-3-1-3        3000956154  p@yw@115_i5_
1-3-1-2-2-1    3658736598  +he_dum6e5+_
1-3-1-2-2-2-2  1688072995  ide@_ever!!}
FLAG: flag{e@5+er_e995_6ehind_p@yw@115_i5_+he_dum6e5+_ide@_ever!!}