# Overview
- Recklinghausen là bài thứ 4 trong series Beginner Reversing Challenges.
- Đây là 1 thử thác 20 points và nó khác so với các thử thách 10 điểm trước.
## Solution
### Take length of flag and analyze msg5
- After a long time, I found th checkmsg() function.
- You can see the disassembly next to decompile.
- It is clear that the instruction: `MOVZX EDX, byte ptr [msg5]`
=> EDX stores the first character of msg5 string.
- Each characters of msg5 can be seen by tap on it.
=> 0x21, 0x7E, 0x3D, 0x2A, 0x38, 0x12, 0x1B, 0x1F, 0x0C, 0x10, 0x0A, 0x0D, 0x0E, 0x17, 0x1B, 0x12, 0x1B, 0x21, 0x28, 0x1B, 0x0D, 0x0A, 0x17, 0x08, 0x1F, 0x12, 0x03.
=> each characters is displayed under hexdecimal.
=> We have to use chr() to take the flag while EDX stores **0x21**, being equal to **33** in decimal.
**--> uVar3 = 33**.
### Analyzing Loop and using Python to handle with
- Assembly:
- Decompile:
- Here is the C code that has been analysed by cutter for alphabet check.
- Here msg5 contain our FLAG.
- uVar3 get the first Hex-Code from msg5 or we can say **uVar3 = msg5[0]**.
- Here the loop runs until **uVar2<33** where uVar2 is assigned 0 at the begining or we can say that here i in for loop is considered as uVar2.
=> **Look at the condition**:
--> Translate: `if (msg5[i+2] = param_1[i] ^ msg5[1])`
- To find param_1:
=> XOR 2 equation with msg5[1].
=> **`msg5[i+2] ^ msg5[1] = param_1[i]`**
#### Code Python
```python=
msg5 = [0x21, 0x7E, 0x3D, 0x2A, 0x38, 0x12, 0x1B, 0x1F, 0x0C, 0x10, 0x05, 0x2C, 0x0B, 0x16, 0x0C, 0x18, 0x1B, 0x0D, 0x0A, 0x0D, 0x0E, 0x17, 0x1B, 0x12, 0x1B, 0x21, 0x38, 0x1B, 0x0D, 0x0A, 0x17, 0x08, 0x1F, 0x12, 0x03]
param_1 = ''
for i in range(msg5[0]):
param_1 += chr(msg5[i+2] ^ msg5[1])
print(param_1)
```
**=> Flag: CTFlearn{Ruhrfestspiele_Festival}**
Sign in with Wallet
Connect another wallet