lactf

nine solves

Category: Reverse Engineering

We are given a binary file named nine-solves. Opening it in IDA gives the following decompilation of main:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 i; // rsi
  unsigned int v4; // eax
  int v5; // ecx
  int v6; // edx
  char v8[6]; // [rsp+0h] [rbp-18h] BYREF
  char v9; // [rsp+6h] [rbp-12h]

  puts("Welcome to the Tianhuo Research Center.");
  printf("Please enter your access code: ");
  fflush(stdout);
  fgets(v8, 16, stdin);
  for ( i = 0LL; i != 6; ++i )
  {
    v4 = v8[i];
    if ( (unsigned __int8)(v8[i] - 32) > 0x5Eu )
      goto LABEL_14;
    v5 = yi[i];
    if ( !v5 )
      goto LABEL_14;
    v6 = 0;
    while ( (v4 & 1) == 0 )
    {
      ++v6;
      v4 >>= 1;
      if ( v5 == v6 )
        goto LABEL_9;
LABEL_6:
      if ( v4 == 1 )
        goto LABEL_14;
    }
    ++v6;
    v4 = 3 * v4 + 1;
    if ( v5 != v6 )
      goto LABEL_6;
LABEL_9:
    if ( v4 != 1 )
      goto LABEL_14;
  }
  if ( !v9 || v9 == 10 )
  {
    eigong(yi);
    return 0;
  }
LABEL_14:
  puts("ACCESS DENIED");
  return 1;
}

The line v4 = 3 * v4 + 1; gives it away: this is the Collatz transformation. For each input character, the loop counts Collatz steps in v6 and accepts the character only if the value reaches 1 after exactly yi[i] steps. So the first step is to reverse this check, and then we need to find out what the yi values are.

In the binary, yi is the array {0x1B, 0x26, 0x57, 0x5F, 0x76, 0x9}, which in decimal is {27, 38, 87, 95, 118, 9}.

With that, we can write a script that generates the access code to get the flag.

Solve.py

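# Required Collatz step count for each of the six characters
yi = [27, 38, 87, 95, 118, 9]

def collatz_steps(n, steps):
    # True only if n reaches 1 after exactly `steps` Collatz steps
    for _ in range(steps):
        if n == 1:
            # reached 1 too early
            return False
        if n % 2 == 0:
            n = n // 2
        else:
            n = 3 * n + 1
    return n == 1

access_code = []
for steps in yi:
    # take the first printable ASCII character that matches
    for c in range(32, 127):
        if collatz_steps(c, steps):
            access_code.append(chr(c))
            break

access_code = ''.join(access_code)
print(f"Access Code: {access_code}")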

Output

Access Code: AigyaP
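The check only constrains each character's Collatz step count, and the solve script stops at the first character that fits, so it is worth asking whether the code is unique. The following added example (not part of the original write-up; the function names are my own) ports the decompiled check to Python, including the printable-range test and the v9 terminator test, and enumerates every access code the binary would accept.

```python
from itertools import product

# Added example; function names are illustrative, not taken from the binary.
# Step counts from the binary's yi array, as given in the write-up.
YI = [27, 38, 87, 95, 118, 9]


def check_char(ch, want):
    """Port of the per-character loop in the decompiled main()."""
    if not 32 <= ch <= 126 or want == 0:   # printable ASCII only, yi[i] != 0
        return False
    n, steps = ch, 0
    while True:
        # One Collatz step; the binary keeps the value in a 32-bit unsigned int.
        n = n >> 1 if n % 2 == 0 else (3 * n + 1) & 0xFFFFFFFF
        steps += 1
        if steps == want:
            return n == 1                  # LABEL_9: must be exactly 1 now
        if n == 1:
            return False                   # LABEL_6: reached 1 too early


def check_code(line):
    """Whole check: six accepted characters, then NUL or newline (v9)."""
    if len(line) < 6 or not all(check_char(c, w) for c, w in zip(line, YI)):
        return False
    return len(line) == 6 or line[6] in (0, 10)


def candidates():
    """All printable characters accepted at each of the six positions."""
    return ["".join(chr(c) for c in range(32, 127) if check_char(c, w))
            for w in YI]


def all_codes():
    """Every six-character access code that passes the check."""
    return ["".join(p) for p in product(*candidates())]


if __name__ == "__main__":
    print(candidates())
    codes = all_codes()
    print(len(codes), codes)
```

Three characters are accepted at the first and last positions and one at each of the others, so nine access codes pass the check, with AigyaP being the first.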

Flag

lactf{REDACTED}
