cryogenics was a reversing challenge in the DefCamp CTF 2022 qualifiers.

Behavior

Upon execution, cryogenics prompts the user for a password, exiting with Too cold outside! if it’s incorrect:

What's the password?!

Password: 

asd
Too cold outside!

Code

Decompiling cryogenics yields the following main:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rdx
  __int64 v4; // rdx
  const char *v5; // rdi
  __int64 v6; // rdx
  char v8[23]; // [rsp+1h] [rbp-17h] BYREF

  qmemcpy(v8, "000000000000000", 0xFuLL);
  puts("What's the password?!\n\n", "", envp);
  puts("Password: \n\n", "", v3);
  read(0LL, v8, 15LL);
  v5 = "Too cold outside!\n";
  if ( !(unsigned int)strcmp(v8, "F5D7H#5XWXWUC7P") )
  {
    puts("Flag: CTF{sha256(", "F5D7H#5XWXWUC7P", v4);
    puts(v8, "F5D7H#5XWXWUC7P", v6);
    v5 = ")}\n";
  }
  puts(v5, "F5D7H#5XWXWUC7P", v4);
  exit(0LL);
  return write();
}

Of note here is that strcmp is not actually strcmp, but modifies the input strings before comparing them:

// positive sp value has been detected, the output may be wrong!
__int64 __fastcall strcmp(__int64 a1)
{
  __int64 v1; // rax
  __int64 i; // rax
  char v4[15]; // [rsp+2h] [rbp-26h] BYREF
  char v5[23]; // [rsp+11h] [rbp-17h] BYREF

  qmemcpy(v4, "000000000000000", sizeof(v4));
  v1 = 0LL;
  qmemcpy(v5, &unk_400328, 0xFuLL);
  do
  {
    v4[v1] = __ROL1__(*(_BYTE *)(a1 + v1), 3);
    ++v1;
  }
  while ( v1 != 15 );
  for ( i = 0LL; i != 15; ++i )
    v4[i] = __ROR1__(v4[i], 2);
  return ((__int64 (__fastcall *)(char *, char *, __int64))strncmp)(v4, v5, 15LL);
}

Solution

This looked simple enough for angr to handle, so we wrote a script that does just that:

import angr
import claripy
import sys


def main(argv):
  path_to_binary = argv[1]
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state(
    add_options = { angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
                    angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS},
  )

  simulation = project.factory.simgr(initial_state, veritesting=True)

  def is_successful(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return b"Flag" in stdout_output

  def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())
    return b"Too cold" in stdout_output


  simulation.explore(find=is_successful)

  if simulation.found:
    solution_state = simulation.found[0]
    solution = solution_state.posix.dumps(sys.stdin.fileno()).decode()
    print(solution)
  else:
    raise Exception('Could not find the solution')

if __name__ == '__main__':
  main(sys.argv)

The solution was inspired by angr_ctf’s scaffold12.py.