DEV Community

VaiTon for Ulisse

Posted on • Originally published at ctf.ulis.se

chicago

Challenge description

Keygenme...sort of

Author: akhbaar

The keygen

As usual, we start by trying to run the executable.

./chicago

but unfortunately, we get

... Bad lenght! ...

Opening the file with Ghidra, we see that it is a Rust-compiled executable with A TON of functions (I suppose from the Rust standard library). After some time we find the main function, with an interesting portion of code:

if (local_1a8 < 10) {
    FUN_00107480("Bad length ...

So the length of the input must be at least 10.
Also, after some analysis and variable renaming, we find that

actual_num = input[i] - 0x30; // 0x30 is the ascii code for '0'

So every character of the input must be a digit.

if (((i & 1) != 0) && (actual_num = actual_num * 2, L'4' < (uint)input[i])) {
    actual_num = (uint)(byte)((char)(actual_num & 0xff) + (char)((actual_num & 0xff) / 10) * -9);
}

So if the index of the character is odd, the digit is multiplied by 2.
Also, if the original digit is greater than 4 (so the doubled value is at least 10), the doubled value is replaced with $x + x / 10 \cdot (-9)$ (integer division), where $x$ is the already doubled value. Since $x$ is between 10 and 18 at that point, $x / 10$ is 1 and the expression simply yields $x - 9$.

Then, at least that's what I thought, it gets compared to the first character of the input, and if it's equal we get the flag.
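The check as reconstructed so far, re-implemented in Python as an added example (this is neither the author's brute-force script nor the challenge's code). The per-digit transformation follows the decompiled loop body quoted above; doubling every other digit and subtracting 9 when the result reaches two digits is the digit step of the Luhn checksum. The final comparison of the accumulated value against the first digit follows the author's reading and is an assumption here, not something verified against the binary.

```python
# Added example: mirrors the decompiled per-digit transformation from the
# writeup. The final comparison is an ASSUMPTION based on the author's reading.

def transform_digit(i: int, ch: str) -> int:
    """Mirror the decompiled loop body for input[i] (i is the 0-based index)."""
    actual_num = ord(ch) - 0x30                 # 0x30 is the ASCII code for '0'
    if i & 1:                                   # odd index: double the digit
        actual_num *= 2
        if ord(ch) > ord("4"):                  # original digit > 4, so doubled value >= 10
            # Byte arithmetic from the decompilation: x + (x / 10) * -9.
            # For x in 10..18, x // 10 == 1, so this is simply x - 9.
            actual_num = ((actual_num & 0xFF) + ((actual_num & 0xFF) // 10) * -9) & 0xFF
    return actual_num


def luhn_step_matches_decompilation() -> bool:
    """The transformation equals the Luhn digit step: double, then subtract 9
    when the result has two digits. Checked for every decimal digit."""
    for d in range(10):
        expected = 2 * d - 9 if 2 * d >= 10 else 2 * d
        if transform_digit(1, str(d)) != expected:
            return False
    return True


def check_key(key: str) -> bool:
    """Conditions recovered in the writeup: length >= 10, all ASCII digits,
    and the accumulated value compared against the first digit (assumed step)."""
    if len(key) < 10:
        return False                            # the "Bad length" branch
    if not all("0" <= c <= "9" for c in key):
        return False                            # every character must be a digit
    total = sum(transform_digit(i, c) for i, c in enumerate(key))
    # ASSUMPTION: the author's reading is that this value is compared to the
    # first character of the input; the exact comparison was not confirmed.
    return total == ord(key[0]) - 0x30


if __name__ == "__main__":
    print(check_key("0000000000"))             # the all-zero key from the writeup
    print(luhn_step_matches_decompilation())
```

With the all-zero input every transformed digit is 0, so the sum trivially equals the first digit, which is why the author's very first brute-force candidate passed.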

The real keygen

After spending much more time than I should have, and after writing a Python script to brute-force the flag, I was so surprised when the first number it tried checked all the conditions.

As you could have guessed, the first and most obvious string that my script tried was 0000000000, and it worked 😭.

To get the flag, I then just had to run the program with ./chicago 0000000000.
