Blaise

Analysis

File Info

Running file blaise gives us this output:

Important thing here is it isn't stripped, that it is dynamically linked, and it's 64-bit, which will make the rev easier.

Running the file

When we first run the file, we are given a two digit number, like so:

And we are promted for input. Inputting letters seems to end it, however typing a number keeps it running, and we can enter more:

Ghidra

Let's throw it into ghidra to see the pseudo-c code of the file. I've prepared the decompilation by renaming functions and variable already. Here's what our main function looks like:

However there isn't much useful info here, although we know that it calls the functions display_number and process

Let's decompile display_number:

We see here that it basically:

• generates a random number between 15 and 20 (0xf and 0x14)

• prints it

• returns it

Let's decompile process now:

This is most important function, and a lot is going on here:

• Firstly, we basically create a for loop using counter and the random number as the end

• Then we read the input with scanf

• Then with counter, and random number, we call another function called c, and output is stored in output

So, in order to do this challenge, we need to write a script that constantly gives a number to the program, that equals the output of c, then reads the flag

function c

Let's decompile c:

So it makes 3 variables, using the f function, and then returns a value based on those 3.

Lets' decompile f:

Just does some maths with the provided number.

Scripting

To convert our two numbers (random and counter) to what is needed of the program, we'll port these functions to python, like so:

Using these, and pwntools, we can write our final script, like so:

Flag: csictf{y0u_d1sc0v3r3d_th3_p4sc4l's_tr14ngl3}