Rick has been captured by the council of ricks and in this dimension Morty has to save him, the chamber holding Rick needs a key . Can you help him find the key?
First, let's see what running the program does.
The pairs of numbers are the program, the singular numbers are me typing back to it.
There's nothing particularly clear here, so let's disassemble it in GHidra.
It looks very complicated, but we can ignore the bulk of it. What we need to focus on is the random number generation and what happens to it.
Two random numbers are generated. They are passed into function1
, then we +3
to the result and pass it through function2
. The result of that is then compared with the number we input. If they are not the same, the check
is set to 0.
At the end, if it's not 1 (and if takes under 30 seconds) the flag is read. So clearly we have to receive the numbers, work out what it does and then return the values (repeatedly) to get the flag.
Let's check what the two functions do.
We have a counter
that loops until it is greater than a number; if both numbers are divisible by the counter
the answer gets set to counter
- this is clearly some sort of highest common factor function.
This looks like a weird function, but if you write it in, say, python, it's much clearer what it does:
This is a factorial function.
Now we know what it does, the flow is simple:
And we can write a script that does this for us.
Flag: csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}
I recovered a binary from my teacher's computer. I tried to reverse it but I couldn't.
Running file blaise
gives us this output:
Important thing here is it isn't stripped, that it is dynamically linked, and it's 64-bit, which will make the rev easier.
When we first run the file, we are given a two digit number, like so:
And we are promted for input. Inputting letters seems to end it, however typing a number keeps it running, and we can enter more:
Let's throw it into ghidra to see the pseudo-c code of the file. I've prepared the decompilation by renaming functions and variable already. Here's what our main function looks like:
However there isn't much useful info here, although we know that it calls the functions display_number
and process
Let's decompile display_number
:
We see here that it basically:
generates a random number between 15 and 20 (0xf and 0x14)
prints it
returns it
Let's decompile process
now:
This is most important function, and a lot is going on here:
Firstly, we basically create a for loop using counter and the random number as the end
Then we read the input with scanf
Then with counter, and random number, we call another function called c
, and output is stored in output
. We'll come back to this in a bit
Then it compares this output with our input, and if they aren't equal it sets flagcheck
to false
Increments counter, and starts loop again
Finally, at the end, it checks if flagcheck
is true
, if it is, it gives us the flag
So, in order to do this challenge, we need to write a script that constantly gives a number to the program, that equals the output of c
, then reads the flag
c
Let's decompile c
:
So it makes 3 variables, using the f
function, and then returns a value based on those 3.
Lets' decompile f
:
Just does some maths with the provided number.
To convert our two numbers (random and counter) to what is needed of the program, we'll port these functions to python, like so:
Using these, and pwntools, we can write our final script, like so:
Flag: csictf{y0u_d1sc0v3r3d_th3_p4sc4l's_tr14ngl3}