cherryNo.7
DownUnderCTF 2022 - source-provided
source-provided is a rev challenge from DownUnderCTF 2022. The assembly source of the binary is provided; the task is to work out what input the program accepts, which is the flag.
Files
chall
chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=319d114ae6db6ad7a813bf837353aa77a8c446fa,
for GNU/Linux 4.4.0, stripped
chall.S
SECTION .data
; 50 (0x32) expected bytes, i.e. the transformed flag
c db 0xc4, 0xda, 0xc5, 0xdb, 0xce, 0x80, 0xf8, 0x3e, 0x82, 0xe8, 0xf7, 0x82, 0xef, 0xc0, 0xf3, 0x86, 0x89, 0xf0, 0xc7, 0xf9, 0xf7, 0x92, 0xca, 0x8c, 0xfb, 0xfc, 0xff, 0x89, 0xff, 0x93, 0xd1, 0xd7, 0x84, 0x80, 0x87, 0x9a, 0x9b, 0xd8, 0x97, 0x89, 0x94, 0xa6, 0x89, 0x9d, 0xdd, 0x94, 0x9a, 0xa7, 0xf3, 0xb2
SECTION .text
global main
main:
    xor rax, rax        ; rax = 0 -> sys_read
    xor rdi, rdi        ; rdi = 0 -> stdin
    mov rdx, 0x32       ; rdx = 50 bytes to read
    sub rsp, 0x32       ; reserve a 50-byte buffer on the stack
    mov rsi, rsp        ; rsi = buffer address (operands were swapped in the original listing)
    syscall             ; read(0, rsp, 50)
    mov r10, 0          ; r10 = i
l:
    movzx r11, byte [rsp + r10]   ; r11 = input[i]
    movzx r12, byte [c + r10]     ; r12 = c[i]
    add r11, r10                  ; r11 = input[i] + i
    add r11, 0x42                 ; r11 = input[i] + i + 0x42
    xor r11, 0x42                 ; r11 ^= 0x42
    and r11, 0xff                 ; keep the low byte
    cmp r11, r12
    jne b                         ; mismatch -> exit(1)
    add r10, 1
    cmp r10, 0x32
    jne l                         ; loop over all 50 bytes
    mov rax, 0x3c       ; sys_exit
    mov rdi, 0          ; status 0: all bytes matched
    syscall
b:
    mov rax, 0x3c       ; sys_exit
    mov rdi, 1          ; status 1: mismatch
    syscall
Hack
If you can read assembly, you can see that the program issues a read syscall for 50 bytes from stdin into a stack buffer, then walks the buffer byte by byte: each input byte is transformed (add the index, add 0x42, xor with 0x42, keep the low byte) and compared with the byte at the same index in the “c” array. If all 50 transformed bytes match, the program exits with code 0; at the first mismatch it exits with code 1.
I used Binary Ninja to decompile the executable and view the pseudocode. The per-byte comparison looks like this:
for (i = 0; i < 0x32; i++) {
    if ( ((((input[i] + i) + 0x42) ^ 0x42) & 0xff) != data[i] ) {
        exit(1);
    }
}
exit(0);
Rearranging the equation (all arithmetic is on a single byte, so it wraps modulo 256), we get:
flag[i] = ((data[i] ^ 0x42) - i) - 0x42
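The following is an added example, not the writeup's own solve script: it pulls the expected bytes straight out of the `c db ...` line of chall.S, applies the inverted formula, and then re-runs the binary's own check (re-implemented in Python, including the `and r11, 0xff` truncation) on the result, so a wrong inversion is caught before anything is typed into the binary. The embedded `CHALL_S` excerpt is constructed from the listing above.

```python
#!/usr/bin/env python3
"""Added example: recover the input accepted by chall from its source, then verify it."""
import re

# Constructed excerpt of chall.S, with the data line exactly as in the listing.
CHALL_S = """SECTION .data
c db 0xc4, 0xda, 0xc5, 0xdb, 0xce, 0x80, 0xf8, 0x3e, 0x82, 0xe8, 0xf7, 0x82, 0xef, 0xc0, 0xf3, 0x86, 0x89, 0xf0, 0xc7, 0xf9, 0xf7, 0x92, 0xca, 0x8c, 0xfb, 0xfc, 0xff, 0x89, 0xff, 0x93, 0xd1, 0xd7, 0x84, 0x80, 0x87, 0x9a, 0x9b, 0xd8, 0x97, 0x89, 0x94, 0xa6, 0x89, 0x9d, 0xdd, 0x94, 0x9a, 0xa7, 0xf3, 0xb2
SECTION .text
"""


def parse_db_bytes(asm: str, label: str = "c") -> bytes:
    """Extract the byte values of a NASM `label db v, v, ...` line."""
    m = re.search(rf"^{re.escape(label)}\s+db\s+(.+)$", asm, re.MULTILINE)
    if m is None:
        raise ValueError(f"no `{label} db` line found")
    return bytes(int(tok, 0) for tok in m.group(1).split(","))


def check(buf: bytes, c: bytes) -> bool:
    """Re-implementation of the loop at label `l`: same transform, same 8-bit truncation."""
    if len(buf) != len(c):
        return False
    for i, (b, expect) in enumerate(zip(buf, c)):
        if ((((b + i) + 0x42) ^ 0x42) & 0xFF) != expect:
            return False
    return True


def recover(c: bytes) -> bytes:
    """Invert the transform byte by byte; & 0xFF undoes the wraparound of `and r11, 0xff`."""
    return bytes((((v ^ 0x42) - i) - 0x42) & 0xFF for i, v in enumerate(c))


if __name__ == "__main__":
    expected = parse_db_bytes(CHALL_S)
    flag = recover(expected)
    # The binary would exit(1) on this input if the inversion were wrong.
    assert check(flag, expected)
    print(flag.decode())
```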
Execution of the Exploit
solve.py
#!/usr/bin/env python
# The 50 bytes of the "c" array from chall.S
data = bytes.fromhex("c4dac5dbce80f83e82e8f782efc0f38689f0c7f9f792ca8cfbfcff89ff93d1d78480879a9bd8978994a6899ddd949aa7f3b2")
flag = b""
for i in range(len(data)):
    # Invert the check: undo the xor, the index and the 0x42 offset; mask to one byte
    flag += bytes([((((data[i]) ^ 0x42) - i) - 0x42) & 0xff])
print(flag)
Command:
./solve.py
Output:
b'DUCTF{r3v_is_3asy_1f_y0u_can_r34d_ass3mbly_r1ght?}'
Flag
The flag is “DUCTF{r3v_is_3asy_1f_y0u_can_r34d_ass3mbly_r1ght?}”.