My little journey solving Little Reversing

# My little journey solving Little Reversing This is a writeup for the Little Reversing challenge from the Zh3r0CTF. You might not learn what exactly to do, but I assure you, you'll gain tremondous insight on what not to do ;) The challenge comes in this form: > ## Little reversing > Hey, this is just a CPP reversing !! > Author: tourpran Accompanied with a `main` file, an ELF 64-bit executable. chmod +x ./main ./main ![running the file](https://i.imgur.com/m5L9HUk.png) Hmm. It does not require input, and gives us the flag in some encoded format. Time to fire up Ghidra to find out what's happening behind the hood. Jumping over to ghidra my eyes immediately saw: ![](https://i.imgur.com/neg8U5l.png) What if this was the flag? Quick hex decode and: `zh3r0{L0l_d0nt_SuBmiT_This}` Ahh well, can't expect it to be so easy, eh? So looking further down: ![](https://i.imgur.com/GTAMUph.png) ![](https://i.imgur.com/QxHQgMR.png) Okay, `2a` is hex for `*`. Counting the number of asterisks, there seem to be 40--the same length of the flag. Maybe what we need to do is watch what happens to the asterisks at the end of all these operations. Firing up gdb, we can set appropriate breakpoints b *main b *main+184 Looking at the stack, we can see the asterisks in memory: ![](https://i.imgur.com/g1vB6kn.png) Looks good. Breaking after all those operations: ![](https://i.imgur.com/BsIPugp.png) Looks like `"*" * 40` becomes `"*+,-./012343210/.-,+*3210/.-,+*3210/.-,+"`-- maybe we're supposed to apply this to the encoded flag somehow? Unfortunately, after some trials of xor and subtraction, it became evident that this was not the way. Then my mind: What if we're supposed to replace the asterisks with the encoded flag, and it automatically decodes it for us? In gdb: set {char [40]} 0x00007fffffffdaa0 = "mv5h4{Mb<}jeBbmz8l5p3<i;e5eWdB3*)}rqpon" set {char} 0x00007fffffffdac7 = 0x60 And all the asterisks have now been replaced in memory: ![](https://i.imgur.com/S2QNzDy.png) Unfortunately, this did not lead to anything either. Out of ideas, I contacted the admin and told him of my predicament. ![](https://i.imgur.com/5dVL07Q.png) Oh. I see. lol. It had already become midnight, and I didn't have enough brain cells functioning to reverse the encoder. I quickly copied the encoder logic into a c file. ```cpp #include<stdio.h> #include<string.h> int main(int argc, char * argv[]) { char * enc = argv[1]; int len = strlen(argv[1]); int i = 0, j = 0; while(i < len) { if(enc[i] != '_') { enc[j] = enc[i]; j++; } i++; } while(j < len) { enc[j] = '_'; j++; } i = 0; while(i < len) { if(enc[i] != '{' && enc[i] != '}') { char ch = i; if(ch < 11) enc[i] += ch; else if(0x14 < ch) if(ch < 0x15 || 0x1e < ch) enc[i] += '(' - ch; else enc[i] += '\x1e' - ch; else enc[i] += '\x14' - ch; } i++; } printf("%s", enc); return 0; } ``` .. and then a bit of python to brute-force the flag ;) ```python from subprocess import Popen, PIPE import string encodedFlag = b'zi5u4{Zo<}wrOozm8y5c3<v;r5rJqO3*)}edcba`' flag = "zh3" while True: for c in string.printable: print(f"\r{flag}{c}", end="", flush=False) process = Popen(["./rev", f"{flag}{c}"], stdout=PIPE) (output, err) = process.communicate() exit_code = process.wait() if output in encodedFlag: flag += c break else: break print() ``` ![](https://i.imgur.com/zgLg0zv.gif) Fixing the underscores to be in the right place, we get the flag! Finally!