## Write up for 0xL4ugh CTF (2024)

> At the end of 2024, I spent a couple of days with my friends taking part in the 0xL4ugh CTF, which lasted for 1 day. Thanks to this contest I have found out some weak fields of mine in reversing skills... And maybe that is the reason why I'm writing this: something like "revenge" for everything I missed in the contest!

### 1. Chessato

- Well, this is the very first challenge I downloaded, and I spent most of my time on it.
- This is a game challenge (chess, like the challenge name says). The description partly hints to participants that we have to win the game with only 1 move, and moreover we have to follow its own rules!

![image](https://hackmd.io/_uploads/r1dTGtASJg.png)

- Well, the rule is not too easy to realize: we are playing against an AI; when we move something forward it becomes the opponent's piece, and there is a special thing: whenever we move any of our pieces other than a pawn, we lose!
- OK, enough playing, let's turn on dnSpy.

![image](https://hackmd.io/_uploads/SJk67FRH1x.png)

- I saw this and of course, like a human being, I changed the black king's position to be in front of my pawn, so that with only one move I can win, right? But reality is harsh!

![image](https://hackmd.io/_uploads/B1_fSKRBkx.png)

- I have to reverse more, yes of course, spending more time looking at all the necessary things. I realized that it uses AES-CBC mode to decrypt the flag, with the IV and key created based on the positions of the black and white pieces except all the pawns.

![image](https://hackmd.io/_uploads/BJQ4SFCBJl.png)

The FW method is how it decrypts using the AES algorithm.

- Well, from there I feel it is a little illogical, right? As the description said, "Can you win in 1 move". And I did it. One more thing about this: the key and IV are created based on the piece positions, so it makes this challenge much more ambiguous, in my opinion.
- Only later I realized that I have to take the black king with my white one; then the problem was solved.

![image](https://hackmd.io/_uploads/BJNmDYRS1g.png)

- Yeah, after the contest I heard, read and realized that there is one more solution for this challenge. Anyway, big thanks to those who created this; I have learnt a lot of things from this challenge!

### 2. Sentir

- This one is an exe file; it requires some input and finally outputs "Wrong answer.".
- It feels like the logic of this challenge is highly similar to a classical reversing challenge.

![image](https://hackmd.io/_uploads/H1cBWoCryx.png)

- As soon as I put it into IDA, I realized that this is a .NET (AOT) binary. I promise it will be much, much easier if you can create a sig file for this challenge, but as for me, I made it harder =))
- After debugging and testing I can 90% confidently believe that these 3 functions:

![image](https://hackmd.io/_uploads/Hy1JxsCryx.png)

- take my input string and XOR it with 16 constant bytes (if your input length is more than 16 bytes it starts again from the first position of that constant array).
- We can see that there are so many addresses from the managed section:

![image](https://hackmd.io/_uploads/rJWqliRHyx.png)

- When I debugged I realized some of them are meaningful sentences, except this one:

![image](https://hackmd.io/_uploads/HkMnloCHyl.png)

- So I tried to reach that place by inputting a string created by simple reversing, and finally this is what I got:

![image](https://hackmd.io/_uploads/HJQEZsCHkx.png)

- Script:

```python
from base64 import b64decode

# Hex dump of the target string as it sits in memory: UTF-16LE text
# (each ASCII character followed by a 0x00 byte) holding a base64 value.
v = "53 00 63 00 6A 00 6F 00 57 00 39 00 72 00 44 00 74 00 31 00 4B 00 2B 00 74 00 6F 00 6E 00 68 00 68 00 7A 00 43 00 37 00 69 00 6A 00 37 00 33 00 73 00 6C 00 4B 00 74 00 77 00 63 00 52 00 71 00 36 00 77 00 3D 00 3D"
raw = bytes.fromhex(v)                 # fromhex ignores the spaces
b64 = raw.replace(b"\x00", b"")        # strip the interleaved null bytes -> base64 text
enc = b64decode(b64)                   # the XORed flag bytes

# The 16-byte XOR constant used by the three functions above
key = [10, 186, 220, 13, 235, 173, 240, 13, 202, 254, 186, 190, 192, 0, 255, 238]

# Undo the XOR; the key repeats every 16 bytes, exactly like the binary does
flag = "".join(chr(enc[i] ^ key[i % 16]) for i in range(len(enc)))
print(flag)
```

### 3. ILLOwl

- Yeah, run the ELF file and it is really straightforward :))

![image](https://hackmd.io/_uploads/r1VRm5XLJe.png)

- The owl looks so good, and so does this challenge :))
- When I tried to debug this challenge in IDA I always got SIGILL... Actually I don't really want to dig into the reason why, but anyway I have time, so... why not :))
- The key moment is when you finish a function and it jumps to a piece of code like this:

![image](https://hackmd.io/_uploads/ryAWI9Q8ye.png)

- Wow, ud2. What does it do?

![image](https://hackmd.io/_uploads/B1r9IcXIkx.png)

- Well, it is not hard to realize that it's just for debugging purposes.
- The previous function, which "retn"s to the above piece of code, is like this:

![image](https://hackmd.io/_uploads/r1HWPqQU1x.png)

- It seems to set up registers for a specific purpose... I asked my biggest idol Mochizou and he shared his experience like this: it is often set up like this so that whenever it enters an exception, it will immediately jump to an exception handler...
- Anyway, when I continued to debug I found the encryption section.
![image](https://hackmd.io/_uploads/ByWFdc78kx.png)

- Well, what do we think about first for a function which is used to encrypt our data? Yes, its args. They hold the necessary information about the encryption.
- 32-byte key

![image](https://hackmd.io/_uploads/ryuVtcmLyl.png)

- 16-byte IV

![image](https://hackmd.io/_uploads/SJYSK57Lyl.png)

- And the last step!

![image](https://hackmd.io/_uploads/Hyv5Kc78kg.png)
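Back to the ud2 trap in ILLOwl: the following is an added C example (my own, not code from the challenge binary or the author) showing the mechanism described above, a SIGILL handler that resumes execution past the faulting ud2 with siglongjmp, which is why the program runs normally on its own while a debugger that intercepts SIGILL stops at every ud2. The function and variable names are hypothetical, and the raise(SIGILL) fallback is there only so it also runs on non-x86 hosts.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf recover_point;   /* hypothetical name for the resume point */

/* SIGILL handler: instead of dying, jump back past the faulting ud2,
 * mirroring the resume-at-handler setup seen in ILLOwl. */
static void on_sigill(int signo)
{
    (void)signo;
    siglongjmp(recover_point, 1);
}
/* Raise SIGILL the way the binary does: ud2 on x86, raise() elsewhere. */
static void trigger_illegal_instruction(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("ud2");
#else
    raise(SIGILL);
#endif
}

/* Install the handler, execute ud2 once and report the outcome:
 * 1 = trap caught and execution resumed, -1 = handler install failed. */
int run_ud2_probe(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGILL, &sa, &old) != 0)
        return -1;
    int resumed = 0;
    if (sigsetjmp(recover_point, 1) == 0)
        trigger_illegal_instruction();   /* does not return normally */
    else
        resumed = 1;                     /* came back via siglongjmp */
    sigaction(SIGILL, &old, NULL);       /* restore previous disposition */
    return resumed;
}

int main(void)
{
    printf("resumed after ud2: %d\n", run_ud2_probe());
    return 0;
}
```

Run natively it prints 1; under a debugger that stops on SIGILL you see the same pause the author hit in IDA, so passing SIGILL through to the program keeps the analysis moving.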