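# [zer0pts CTF 2020] QR Puzzle

###### tags: `zer0pts CTF 2020`

## overview

We're given a 64-bit ELF `chall`, along with `encrypted.qr` and `key`. Evidently, `chall` used `key` to encrypt the QR code.

## analysis

`chall` is straightforward and easy to reverse. It does four things:

1. read QR code
2. read key
3. encryption
4. save

We focus on `read key` and `encryption`.

### read key

There may be a struct like `struct key {int B; int C; int A; struct key* prev; };`. The program reads `key` and builds a linked list of these entries.

### encryption

My decompilation:

```clike=
/* Layout as guessed in the "read key" section. */
typedef struct key { int B; int C; int A; struct key *prev; } Key;

/* Decompiled pseudocode: qr_ptr[r + c] denotes the cell addressed by the pair (r, c). */
int encrypt(int *qr_ptr, Key *key) {
    while (key != 0) {
        int B = key->B, C = key->C;
        int rax = B, rcx = C;   /* current cell */
        int rdx = B, r8 = C;    /* neighbour, selected by key->A */
        switch (key->A) {
        case 0: rdx = B - 1; r8 = C; break;
        case 1: rdx = B + 1; r8 = C; break;
        case 2: rdx = B; r8 = C - 1; break;
        case 3: rdx = B; r8 = C + 1; break;
        default: break;
        }
        /* swap the two cells without a temporary */
        qr_ptr[rcx + rax] += qr_ptr[r8 + rdx];
        qr_ptr[r8 + rdx] = qr_ptr[rcx + rax] - qr_ptr[r8 + rdx];
        qr_ptr[rcx + rax] -= qr_ptr[r8 + rdx];
        key = key->prev;
    }
    return 0;
}
```

The values `0`, `1`, `2`, `3` of `A` correspond to up / down / move left / move right. For each key entry, this function swaps a QR bit with its neighbour in the direction given by `A`.

## solution

To decrypt, just apply the swaps from bottom to top. Each swap undoes itself, so replaying the key in reverse order restores the original QR code. A reversed key can be created with `tac key > rev_key`. Decrypting with the reversed key then yields the flag.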
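
The reversal described in the solution, as an added Python example that is not part of the original writeup or the challenge binary: it models the swaps on a small constructed grid and shows that replaying the key in reverse order restores the input, while replaying it in the original order does not. The `(A, B, C)` tuple form of a key entry, and treating `B` as the row index and `C` as the column index, are assumptions.

```python
# Added example: a model of the swap cipher on a small constructed grid.
# Assumptions: a key entry is the tuple (A, B, C); B is the row, C the column.
DELTAS = {0: (-1, 0), 1: (1, 0), 2: (0, -1), 3: (0, 1)}  # A -> (dB, dC)


def apply_key(grid, key):
    """Apply every swap in `key`, in order, to a copy of `grid`."""
    out = [row[:] for row in grid]
    for a, b, c in key:
        db, dc = DELTAS[a]
        nb, nc = b + db, c + dc
        # Reject swaps that leave the grid; a negative index would silently wrap.
        if not (0 <= b < len(out) and 0 <= c < len(out[0])
                and 0 <= nb < len(out) and 0 <= nc < len(out[0])):
            raise ValueError(f"swap {(a, b, c)} leaves the grid")
        out[b][c], out[nb][nc] = out[nb][nc], out[b][c]
    return out


def decrypt(grid, key):
    """Undo apply_key: the same swaps, last one first (what `tac key` produces)."""
    return apply_key(grid, list(reversed(key)))


# Constructed 4x4 bitmap and key; the first two swaps overlap on cell (1, 1),
# so the order in which the swaps are undone matters.
PLAIN = [[1, 0, 0, 1],
         [0, 1, 0, 0],
         [0, 0, 1, 0],
         [1, 0, 0, 0]]
KEY = [(3, 1, 1), (1, 1, 1), (0, 3, 0), (2, 2, 3)]
CIPHER = apply_key(PLAIN, KEY)

if __name__ == "__main__":
    for label, grid in (("cipher", CIPHER),
                        ("reverse order", decrypt(CIPHER, KEY)),
                        ("forward order", apply_key(CIPHER, KEY))):
        print(label)
        for row in grid:
            print(" ", "".join("#" if bit else "." for bit in row))
```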