
#LabyREnth CTF - Windows track no. 2 - BabbySay.exe

This task is a really simple one. We are provided with a .NET application named "BabbySay.exe", which is a simple app that spawns a piano window for us. We can play some tunes by clicking the black and white keys. I started by decompiling it with "ILSpy", which is a nice tool for that. A .NET assembly ships as IL plus metadata, so the decompiler gives back near-source C#, string literals included. After a quick examination in ILSpy we can clearly see that the function responsible for printing the flag has to be key_click(object, EventArgs):

// BabbySay.Form1
// Click handler for the piano keys (decompiled output, code left untouched).
// It checks the clicked key against an eight-step sequence tracked in dat_state (0..7):
// (number 16, black), (24, white), (25, white), (21, white), then the same four again.
// Every correct step adds one fragment to each of the 11 rows in thangs, some rows by
// prepending and some by appending, so the rows are only readable once all eight steps
// have been applied in order. The last step calls do_a_thing(), which is not shown here.
// Any click that does not match the expected step resets dat_state and clears all rows.
// Review note: every fragment is a plain string literal in the assembly, so the rows can be
// rebuilt from this listing alone; the key sequence does not protect the embedded text.
public void key_click(object sender, EventArgs args)
{
 // `as` yields null when sender is not a KeyButton; the next line dereferences it unchecked.
 KeyButton keyButton = sender as KeyButton;
 // Runs on every click, before any sequence check (presumably plays the key's sound).
 keyButton.player.Play();
 // Step 1 of 8: black key number 16, accepted only in state 0.
 if (keyButton.number == 16 && keyButton.is_black && this.dat_state == 0)
 {
  this.dat_state = 1;
  this.thangs[3] = " _|| || | |_   ___ `.  | || |      _       | || |    \\_ `.    " + this.thangs[3];
  this.thangs[10] = this.thangs[10] + " '----------------'  '----------------'  '----------------'  '";
  this.thangs[5] = "|  | || |   | |    | | | || |     | |      | || |       > >   " + this.thangs[5];
  this.thangs[7] = "   | || | |________.'  | || |     |_|      | || |    /__.'    " + this.thangs[7];
  this.thangs[9] = "---' || '--------------' || '--------------' || '-------------" + this.thangs[9];
  this.thangs[0] = this.thangs[0] + " .----------------.  .----------------.  .-----------------. .";
  this.thangs[2] = this.thangs[2] + "| |   ______     | || |      __      | || | ____  _____  | || ";
  this.thangs[1] = "---. || .--------------. || .--------------. || .-------------" + this.thangs[1];
  this.thangs[8] = this.thangs[8] + "| |              | || |              | || |              | || ";
  this.thangs[4] = this.thangs[4] + "| |    | |__) |  | || |    / /\\ \\    | || |  |   \\ | |   | || ";
  this.thangs[6] = this.thangs[6] + "| |   _| |_      | || | _/ /    \\ \\_ | || | _| |_\\   |_  | || ";
  return;
 }
 // Step 2 of 8: white key number 24, accepted only in state 1.
 if (keyButton.number == 24 && !keyButton.is_black && this.dat_state == 1)
 {
  this.thangs[6] = this.thangs[6] + "|     | |_     | || |   _| |__) |  | || |      _| |_   | || | ";
  this.thangs[10] = this.thangs[10] + "----------------'  '----------------'  '----------------'  '--";
  this.thangs[1] = "-----. || .--------------. || .--------------. || .-----------" + this.thangs[1];
  this.thangs[4] = this.thangs[4] + "|     | |      | || |    | |_) |   | || |  | |__| |_   | || | ";
  this.thangs[9] = "-----' || '--------------' || '--------------' || '-----------" + this.thangs[9];
  this.thangs[7] = "_    | || |  |________|  | || |   `.____.'   | || |    `.__.' " + this.thangs[7];
  this.thangs[3] = "     | || |  |_   _|     | || |   .'    `.   | || ||_   _||_  " + this.thangs[3];
  this.thangs[0] = this.thangs[0] + "----------------.  .----------------.  .----------------.  .--";
  this.thangs[5] = "     | || |    | |   _   | || |  | |    | |  | || |  | '    ' " + this.thangs[5];
  this.thangs[2] = this.thangs[2] + "|       __     | || |   ______     | || |   _    _     | || | ";
  this.thangs[8] = this.thangs[8] + "|              | || |              | || |              | || | ";
  this.dat_state = 2;
  return;
 }
 // Step 3 of 8: white key number 25, accepted only in state 2.
 if (keyButton.number == 25 && !keyButton.is_black && this.dat_state == 2)
 {
  this.thangs[4] = this.thangs[4] + "   | |_) |   | || |    | |_) |   | || |   \\ \\  / /   | || |   ";
  this.thangs[2] = this.thangs[2] + "  ______     | || |   ______     | || |  ____  ____  | || |   ";
  this.thangs[3] = "       | || |  |  _____|   | || |   .'    '.   | || |         " + this.thangs[3];
  this.thangs[9] = "-------' || '--------------' || '--------------' || '---------" + this.thangs[9];
  this.thangs[8] = this.thangs[8] + "             | || |              | || |              | || |  |";
  this.thangs[0] = this.thangs[0] + "--------------.  .----------------.  .----------------.  .----";
  this.thangs[1] = "-------. || .--------------. || .--------------. || .---------" + this.thangs[1];
  this.thangs[6] = this.thangs[6] + "  _| |__) |  | || |   _| |__) |  | || |    _|  |_    | || |   ";
  this.thangs[7] = "___    | || |   \\______.'  | || |   '.____.'   | || |   ______" + this.thangs[7];
  this.thangs[10] = this.thangs[10] + "--------------'  '----------------'  '----------------'  '----";
  this.thangs[5] = "       | || |  '_.____''.  | || |  | |    | |  | || |         " + this.thangs[5];
  this.dat_state = 3;
  return;
 }
 // Step 4 of 8: white key number 21, accepted only in state 3.
 if (keyButton.number == 21 && !keyButton.is_black && this.dat_state == 3)
 {
  this.thangs[2] = this.thangs[2] + "           | || |  ____  ____  | || |    ______    | || |   __";
  this.thangs[9] = "---------' || '--------------' || '--------------' || '-------" + this.thangs[9];
  this.thangs[3] = "  _|     | || |  |_   _|     | || |  |  _____|   | || |       " + this.thangs[3];
  this.thangs[8] = this.thangs[8] + "_______|   | || |              | || |              | || |     ";
  this.thangs[10] = this.thangs[10] + "------------'  '----------------'  '----------------'  '------";
  this.thangs[7] = "______|  | || |  |________|  | || |   \\______.'  | || |   ____" + this.thangs[7];
  this.thangs[0] = this.thangs[0] + "------------.  .----------------.  .----------------.  .------";
  this.thangs[5] = " |   _   | || |    | |   _   | || |  '_.____''.  | || |       " + this.thangs[5];
  this.thangs[4] = this.thangs[4] + "           | || |   \\ \\  / /   | || |   `'  __) |  | || |    |";
  this.thangs[1] = "---------. || .--------------. || .--------------. || .-------" + this.thangs[1];
  this.thangs[6] = this.thangs[6] + "           | || |    _|  |_    | || |  | \\____) |  | || |   _|";
  this.dat_state = 4;
  return;
 }
 // Step 5 of 8: black key number 16 again, accepted only in state 4.
 if (keyButton.number == 16 && keyButton.is_black && this.dat_state == 4)
 {
  this.thangs[7] = "_______    | || |   |______|   | || |   \\______.'  | || |  |__" + this.thangs[7];
  this.thangs[5] = "           | || |    \\ \\/ /    | || |   _  |__ '.  | || |    |" + this.thangs[5];
  this.thangs[6] = this.thangs[6] + " |__/ |  | || |   _| |__/ |  | || |  | \\____) |  | || |       ";
  this.thangs[4] = this.thangs[4] + " |       | || |    | |       | || |  | |____     | || |       ";
  this.thangs[2] = this.thangs[2] + "___      | || |   _____      | || |   _______    | || |       ";
  this.thangs[10] = this.thangs[10] + "----------'  '----------------'  '----------------'  '--------";
  this.thangs[8] = this.thangs[8] + "         | || |              | || |              | || |  |____";
  this.thangs[3] = "           | || | |_  _||_  _| | || |   / ____ `.  | || |  |_ " + this.thangs[3];
  this.thangs[1] = "-----------. || .--------------. || .--------------. || .-----" + this.thangs[1];
  this.thangs[9] = "-----------' || '--------------' || '--------------' || '-----" + this.thangs[9];
  this.thangs[0] = this.thangs[0] + "----------.  .----------------.  .----------------.  .--------";
  this.dat_state = 5;
  return;
 }
 // Step 6 of 8: white key number 24 again, accepted only in state 5.
 if (keyButton.number == 24 && !keyButton.is_black && this.dat_state == 5)
 {
  this.thangs[1] = "-------------. || .--------------. || .--------------. || .---" + this.thangs[1];
  this.thangs[8] = this.thangs[8] + "___|   | || |              | || |              | || |  |______";
  this.thangs[7] = " |_______/   | || |  |_______/   | || |   |______|   | || |   " + this.thangs[7];
  this.thangs[9] = "-------------' || '--------------' || '--------------' || '---" + this.thangs[9];
  this.thangs[3] = " |_   _ \\    | || |  |_   _ \\    | || | |_  _||_  _| | || |   " + this.thangs[3];
  this.thangs[10] = this.thangs[10] + "--------'  '----------------'  '----------------'  '----------";
  this.thangs[2] = this.thangs[2] + "       | || |   _______    | || |     ____     | || |         ";
  this.thangs[5] = "   |  __'.   | || |    |  __'.   | || |    \\ \\/ /    | || |   " + this.thangs[5];
  this.thangs[6] = this.thangs[6] + "       | || |  | \\____) |  | || |  |  `--'  |  | || |         ";
  this.thangs[4] = this.thangs[4] + "       | || |  | |____     | || |  |  .--.  |  | || |         ";
  this.thangs[0] = this.thangs[0] + "--------.  .----------------.  .----------------.  .----------";
  this.dat_state = 6;
  return;
 }
 // Step 7 of 8: white key number 25 again, accepted only in state 6.
 if (keyButton.number == 25 && !keyButton.is_black && this.dat_state == 6)
 {
  this.thangs[6] = this.thangs[6] + "     | || |   _| |__/ |  | || |  \\  `--'  /  | || |   \\ `--' /";
  this.thangs[3] = "|     .' _/    | || |  |_   _ \\    | || |  | |  | |    | || | " + this.thangs[3];
  this.thangs[2] = this.thangs[2] + "     | || |   _____      | || |     ____     | || | _____  ___";
  this.thangs[5] = "|    < <       | || |    |  __'.   | || |  |____   _|  | || | " + this.thangs[5];
  this.thangs[10] = this.thangs[10] + "------'  '----------------'  '----------------'  '------------";
  this.thangs[8] = this.thangs[8] + "_|   | || |              | || |              | || |           ";
  this.thangs[1] = ".--------------. || .--------------. || .--------------. || .-" + this.thangs[1];
  this.thangs[9] = "'--------------' || '--------------' || '--------------' || '-" + this.thangs[9];
  this.thangs[4] = this.thangs[4] + "     | || |    | |       | || |  /  .--.  \\  | || |  | |    | ";
  this.thangs[7] = "|     `.__\\    | || |  |_______/   | || |     |_____|  | || | " + this.thangs[7];
  this.thangs[0] = this.thangs[0] + "------.  .----------------.  .----------------.  .------------";
  this.dat_state = 7;
  return;
 }
 // Step 8 of 8: white key number 21 again, accepted only in state 7. Adds the last fragments,
 // then calls do_a_thing() and returns to state 0. This branch returns before the clearing loop
 // at the bottom, so the rows are still filled when it exits (unless do_a_thing clears them; not shown).
 if (keyButton.number == 21 && !keyButton.is_black && this.dat_state == 7)
 {
  this.thangs[10] = this.thangs[10] + "----'  '----------------'  '----------------'  '--------------";
  this.thangs[4] = this.thangs[4] + "|  | || |   | |   `. \\ | || |     | |      | || |      | |    ";
  this.thangs[3] = "| |  |_   __ \\   | || |     /  \\     | || ||_   \\|_   _| | || " + this.thangs[3];
  this.thangs[2] = this.thangs[2] + "__ | || |  ________    | || |              | || |     __      ";
  this.thangs[0] = this.thangs[0] + "----.  .----------------.  .----------------.  .--------------";
  this.thangs[6] = this.thangs[6] + "   | || |  _| |___.' / | || |     | |      | || |     _| |    ";
  this.thangs[9] = "| '--------------' || '--------------' || '--------------' || " + this.thangs[9];
  this.thangs[5] = "| |    |  ___/   | || |   / ____ \\   | || |  | |\\ \\| |   | || " + this.thangs[5];
  this.thangs[8] = this.thangs[8] + "   | || |              | || |     (_)      | || |             ";
  this.thangs[7] = "| |  |_____|     | || ||____|  |____|| || ||_____|\\____| | || " + this.thangs[7];
  this.thangs[1] = "| .--------------. || .--------------. || .--------------. || " + this.thangs[1];
  this.do_a_thing();
  this.dat_state = 0;
  return;
 }
 // No step matched: wrong key or wrong order. Drop all progress and empty the 11 rows.
 this.dat_state = 0;
 for (int i = 0; i < 11; i++)
 {
  this.thangs[i] = "";
 }
}
It's clearly visible that the result will be some kind of ASCII art. I just copy-pasted this code into my editor, cleaned it up a little (kept only the string assignments, in their original order, and dropped the key and state checks) and compiled it using g++:

#include <stdio.h>
#include <iostream>
#include <string>

using namespace std;

// Minimal stand-in for the decompiled form class: just the 11 text rows
// (indices 0..10) that key_click fills with banner fragments.
struct a_thing
{
    std::string thangs[11];  // struct members are public by default
};

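// Rebuilds the banner offline: replays the eight fragment sets from the decompiled
// key_click handler in their original order, without the key/state checks, and prints
// the resulting rows. Some rows grow by prepending and some by appending, so neither
// the order of the sets nor the side of each concatenation may be changed.
int main()
{
  // The std::string elements are default-constructed empty; no explicit reset is needed.
  a_thing kb2000;

  // Set 1 (handler: black key 16, state 0).
  kb2000.thangs[3] = " _|| || | |_   ___ `.  | || |      _       | || |    \\_ `.    " + kb2000.thangs[3];
  kb2000.thangs[10] = kb2000.thangs[10] + " '----------------'  '----------------'  '----------------'  '";
  kb2000.thangs[5] = "|  | || |   | |    | | | || |     | |      | || |       > >   " + kb2000.thangs[5];
  kb2000.thangs[7] = "   | || | |________.'  | || |     |_|      | || |    /__.'    " + kb2000.thangs[7];
  kb2000.thangs[9] = "---' || '--------------' || '--------------' || '-------------" + kb2000.thangs[9];
  kb2000.thangs[0] = kb2000.thangs[0] + " .----------------.  .----------------.  .-----------------. .";
  kb2000.thangs[2] = kb2000.thangs[2] + "| |   ______     | || |      __      | || | ____  _____  | || ";
  kb2000.thangs[1] = "---. || .--------------. || .--------------. || .-------------" + kb2000.thangs[1];
  kb2000.thangs[8] = kb2000.thangs[8] + "| |              | || |              | || |              | || ";
  kb2000.thangs[4] = kb2000.thangs[4] + "| |    | |__) |  | || |    / /\\ \\    | || |  |   \\ | |   | || ";
  kb2000.thangs[6] = kb2000.thangs[6] + "| |   _| |_      | || | _/ /    \\ \\_ | || | _| |_\\   |_  | || ";

  // Set 2 (handler: white key 24, state 1).
  kb2000.thangs[6] = kb2000.thangs[6] + "|     | |_     | || |   _| |__) |  | || |      _| |_   | || | ";
  kb2000.thangs[10] = kb2000.thangs[10] + "----------------'  '----------------'  '----------------'  '--";
  kb2000.thangs[1] = "-----. || .--------------. || .--------------. || .-----------" + kb2000.thangs[1];
  kb2000.thangs[4] = kb2000.thangs[4] + "|     | |      | || |    | |_) |   | || |  | |__| |_   | || | ";
  kb2000.thangs[9] = "-----' || '--------------' || '--------------' || '-----------" + kb2000.thangs[9];
  kb2000.thangs[7] = "_    | || |  |________|  | || |   `.____.'   | || |    `.__.' " + kb2000.thangs[7];
  kb2000.thangs[3] = "     | || |  |_   _|     | || |   .'    `.   | || ||_   _||_  " + kb2000.thangs[3];
  kb2000.thangs[0] = kb2000.thangs[0] + "----------------.  .----------------.  .----------------.  .--";
  kb2000.thangs[5] = "     | || |    | |   _   | || |  | |    | |  | || |  | '    ' " + kb2000.thangs[5];
  kb2000.thangs[2] = kb2000.thangs[2] + "|       __     | || |   ______     | || |   _    _     | || | ";
  kb2000.thangs[8] = kb2000.thangs[8] + "|              | || |              | || |              | || | ";

  // Set 3 (handler: white key 25, state 2).
  kb2000.thangs[4] = kb2000.thangs[4] + "   | |_) |   | || |    | |_) |   | || |   \\ \\  / /   | || |   ";
  kb2000.thangs[2] = kb2000.thangs[2] + "  ______     | || |   ______     | || |  ____  ____  | || |   ";
  kb2000.thangs[3] = "       | || |  |  _____|   | || |   .'    '.   | || |         " + kb2000.thangs[3];
  kb2000.thangs[9] = "-------' || '--------------' || '--------------' || '---------" + kb2000.thangs[9];
  kb2000.thangs[8] = kb2000.thangs[8] + "             | || |              | || |              | || |  |";
  kb2000.thangs[0] = kb2000.thangs[0] + "--------------.  .----------------.  .----------------.  .----";
  kb2000.thangs[1] = "-------. || .--------------. || .--------------. || .---------" + kb2000.thangs[1];
  kb2000.thangs[6] = kb2000.thangs[6] + "  _| |__) |  | || |   _| |__) |  | || |    _|  |_    | || |   ";
  kb2000.thangs[7] = "___    | || |   \\______.'  | || |   '.____.'   | || |   ______" + kb2000.thangs[7];
  kb2000.thangs[10] = kb2000.thangs[10] + "--------------'  '----------------'  '----------------'  '----";
  kb2000.thangs[5] = "       | || |  '_.____''.  | || |  | |    | |  | || |         " + kb2000.thangs[5];

  // Set 4 (handler: white key 21, state 3).
  kb2000.thangs[2] = kb2000.thangs[2] + "           | || |  ____  ____  | || |    ______    | || |   __";
  kb2000.thangs[9] = "---------' || '--------------' || '--------------' || '-------" + kb2000.thangs[9];
  kb2000.thangs[3] = "  _|     | || |  |_   _|     | || |  |  _____|   | || |       " + kb2000.thangs[3];
  kb2000.thangs[8] = kb2000.thangs[8] + "_______|   | || |              | || |              | || |     ";
  kb2000.thangs[10] = kb2000.thangs[10] + "------------'  '----------------'  '----------------'  '------";
  kb2000.thangs[7] = "______|  | || |  |________|  | || |   \\______.'  | || |   ____" + kb2000.thangs[7];
  kb2000.thangs[0] = kb2000.thangs[0] + "------------.  .----------------.  .----------------.  .------";
  kb2000.thangs[5] = " |   _   | || |    | |   _   | || |  '_.____''.  | || |       " + kb2000.thangs[5];
  kb2000.thangs[4] = kb2000.thangs[4] + "           | || |   \\ \\  / /   | || |   `'  __) |  | || |    |";
  kb2000.thangs[1] = "---------. || .--------------. || .--------------. || .-------" + kb2000.thangs[1];
  kb2000.thangs[6] = kb2000.thangs[6] + "           | || |    _|  |_    | || |  | \\____) |  | || |   _|";

  // Set 5 (handler: black key 16, state 4).
  kb2000.thangs[7] = "_______    | || |   |______|   | || |   \\______.'  | || |  |__" + kb2000.thangs[7];
  kb2000.thangs[5] = "           | || |    \\ \\/ /    | || |   _  |__ '.  | || |    |" + kb2000.thangs[5];
  kb2000.thangs[6] = kb2000.thangs[6] + " |__/ |  | || |   _| |__/ |  | || |  | \\____) |  | || |       ";
  kb2000.thangs[4] = kb2000.thangs[4] + " |       | || |    | |       | || |  | |____     | || |       ";
  kb2000.thangs[2] = kb2000.thangs[2] + "___      | || |   _____      | || |   _______    | || |       ";
  kb2000.thangs[10] = kb2000.thangs[10] + "----------'  '----------------'  '----------------'  '--------";
  kb2000.thangs[8] = kb2000.thangs[8] + "         | || |              | || |              | || |  |____";
  kb2000.thangs[3] = "           | || | |_  _||_  _| | || |   / ____ `.  | || |  |_ " + kb2000.thangs[3];
  kb2000.thangs[1] = "-----------. || .--------------. || .--------------. || .-----" + kb2000.thangs[1];
  kb2000.thangs[9] = "-----------' || '--------------' || '--------------' || '-----" + kb2000.thangs[9];
  kb2000.thangs[0] = kb2000.thangs[0] + "----------.  .----------------.  .----------------.  .--------";

  // Set 6 (handler: white key 24, state 5).
  kb2000.thangs[1] = "-------------. || .--------------. || .--------------. || .---" + kb2000.thangs[1];
  kb2000.thangs[8] = kb2000.thangs[8] + "___|   | || |              | || |              | || |  |______";
  kb2000.thangs[7] = " |_______/   | || |  |_______/   | || |   |______|   | || |   " + kb2000.thangs[7];
  kb2000.thangs[9] = "-------------' || '--------------' || '--------------' || '---" + kb2000.thangs[9];
  kb2000.thangs[3] = " |_   _ \\    | || |  |_   _ \\    | || | |_  _||_  _| | || |   " + kb2000.thangs[3];
  kb2000.thangs[10] = kb2000.thangs[10] + "--------'  '----------------'  '----------------'  '----------";
  kb2000.thangs[2] = kb2000.thangs[2] + "       | || |   _______    | || |     ____     | || |         ";
  kb2000.thangs[5] = "   |  __'.   | || |    |  __'.   | || |    \\ \\/ /    | || |   " + kb2000.thangs[5];
  kb2000.thangs[6] = kb2000.thangs[6] + "       | || |  | \\____) |  | || |  |  `--'  |  | || |         ";
  kb2000.thangs[4] = kb2000.thangs[4] + "       | || |  | |____     | || |  |  .--.  |  | || |         ";
  kb2000.thangs[0] = kb2000.thangs[0] + "--------.  .----------------.  .----------------.  .----------";

  // Set 7 (handler: white key 25, state 6).
  kb2000.thangs[6] = kb2000.thangs[6] + "     | || |   _| |__/ |  | || |  \\  `--'  /  | || |   \\ `--' /";
  kb2000.thangs[3] = "|     .' _/    | || |  |_   _ \\    | || |  | |  | |    | || | " + kb2000.thangs[3];
  kb2000.thangs[2] = kb2000.thangs[2] + "     | || |   _____      | || |     ____     | || | _____  ___";
  kb2000.thangs[5] = "|    < <       | || |    |  __'.   | || |  |____   _|  | || | " + kb2000.thangs[5];
  kb2000.thangs[10] = kb2000.thangs[10] + "------'  '----------------'  '----------------'  '------------";
  kb2000.thangs[8] = kb2000.thangs[8] + "_|   | || |              | || |              | || |           ";
  kb2000.thangs[1] = ".--------------. || .--------------. || .--------------. || .-" + kb2000.thangs[1];
  kb2000.thangs[9] = "'--------------' || '--------------' || '--------------' || '-" + kb2000.thangs[9];
  kb2000.thangs[4] = kb2000.thangs[4] + "     | || |    | |       | || |  /  .--.  \\  | || |  | |    | ";
  kb2000.thangs[7] = "|     `.__\\    | || |  |_______/   | || |     |_____|  | || | " + kb2000.thangs[7];
  kb2000.thangs[0] = kb2000.thangs[0] + "------.  .----------------.  .----------------.  .------------";

  // Set 8 (handler: white key 21, state 7).
  kb2000.thangs[10] = kb2000.thangs[10] + "----'  '----------------'  '----------------'  '--------------";
  kb2000.thangs[4] = kb2000.thangs[4] + "|  | || |   | |   `. \\ | || |     | |      | || |      | |    ";
  kb2000.thangs[3] = "| |  |_   __ \\   | || |     /  \\     | || ||_   \\|_   _| | || " + kb2000.thangs[3];
  kb2000.thangs[2] = kb2000.thangs[2] + "__ | || |  ________    | || |              | || |     __      ";
  kb2000.thangs[0] = kb2000.thangs[0] + "----.  .----------------.  .----------------.  .--------------";
  kb2000.thangs[6] = kb2000.thangs[6] + "   | || |  _| |___.' / | || |     | |      | || |     _| |    ";
  kb2000.thangs[9] = "| '--------------' || '--------------' || '--------------' || " + kb2000.thangs[9];
  kb2000.thangs[5] = "| |    |  ___/   | || |   / ____ \\   | || |  | |\\ \\| |   | || " + kb2000.thangs[5];
  kb2000.thangs[8] = kb2000.thangs[8] + "   | || |              | || |     (_)      | || |             ";
  kb2000.thangs[7] = "| |  |_____|     | || ||____|  |____|| || ||_____|\\____| | || " + kb2000.thangs[7];
  kb2000.thangs[1] = "| .--------------. || .--------------. || .--------------. || " + kb2000.thangs[1];

  // Print every row. The earlier loop stopped at index 9, so row 10 (filled above with
  // the '----' border fragments) was built but never written out.
  for (const auto& row : kb2000.thangs)
  {
    std::cout << row << '\n';
  }

  return 0;
}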
This program simply prints out the flag for us as ASCII art. Each row is close to 500 characters wide, so I needed to change the font size in my console to 4 to see it.
As you can figure out from the code, there's also another way of obtaining that flag: simply click the appropriate sequence of keys on the keyboard - it's (17th B, 25th W, 26th W and 22nd W)x2, where B means a black and W a white key on the keyboard. These positions come straight from the checks in key_click (number 16 black, then 24, 25 and 21 white), with the keys counted from 1 instead of 0. If you obtain the flag this way, you'll also be rewarded with a nice video (Bowie included).

Link to BabbySay: BabbySay.7z


Popular posts from this blog

#LabyREnth CTF - Windows track no. 1 - AntiD.exe

In this task we have to reverse a file called 'AntiD.exe'. On first examination it looks like a simple PE32 executable packed with UPX. Unfortunately we can't decompress it using the UPX tool, so I started to unpack it manually. The first thing to notice is that in the PE Optional Header DllCharacteristics is set to 8140 (hex), which has the DYNAMIC_BASE bit (0x0040) set, meaning the image can be relocated at load time by ASLR (I usually use programs like 'CFF Explorer' or something similar to check these things). I changed this field to 8100, which turned that behaviour off ;)


To decompress this .exe I personally used x64dbg and Scylla, but the tool doesn't matter at all - it could be any runtime debugger and ImpRec I suppose. What we need to do is stop program execution at Entry Point of AntiD.exe, and run exactly one instruction : pushal - in my case, as you can see on image below (but You can also see this as PUSHAD in OllyDbg, or any other debugger).



After executing PUSHAD,…

#IceCTF - Thor's a hacker now

I've spend over half an hour on solving this task, beside of that wasn't a hard one. But thanks to this exercise I had to learn using regular expressions in my text editor :) Text file connected to this task looked exactly like that (but was much larger): 00000000: 4c5a 4950 01b3 007f b61b edf0 8440 58e3 LZIP.........@X. 00000010: 91de 1027 5861 8a67 4282 46a4 92f9 4cad ...'Xa.gB.F...L. 00000020: 2d5d 14eb 3099 2c31 01c2 d13a 74d2 c620 -]..0.,1...:t.. 00000030: de27 3a8f fa92 0644 5468 2d02 01fa 24bb .':....DTh-...$. 00000040: 719f a0fd a191 1678 8bff a2c4 2627 9871 q......x....&'.q 00000050: 83bf cff2 f8af 99fa c465 2b7c 6bdf ee3c .........e+|k..< 00000060: b71b f61b 0b5e 0ce7 d14f f6a8 0466 6470 .....^...O...fdp 00000070: de67 02da 7be1 1abd e9f0 ac87 131a bcc0 .g..{........... 00000080: 0b0b 9f31 9400 48e3 616a 8f3f 4804 79ad ...1..H.aj.?H.y. 00000090: a6bb 863a f641 01da b1ee c4fe b338 9289 ...:.A.......8.. 000000a0: 2a90 8302 4170 773c 88d3 26…

#IceCTF - Strong Feeling

You can download ELF here: ------------------------> link
To get a flag in this one, easiest way I think is to bruteforce it! After quick look of executable in decompiler we can see that program outputs different strings every time we input a proper flag character to it. The best way to check that (knowing that flags in that CTF looks like "IceCTF{xxx}") is to  input 'I' first, then "Ic", then "Ice", etc. The strings in ELF aren't obfuscated, so we can just count it to figure out number of characters in the flag. The only thing that has to be done now is bruteforcer itself. I wrote something like that:
#include &ltstdio.h&gt #include &ltstdlib.h&gt #include &ltcstring&gt using namespace std; int main(void) { char *flag = new char[32]; char *path = new char[128]; char *buffer = new char[128]; char *buf2 = new char[128]; FILE *plik; for (int i = 0; i < 32; i++) for (char j = 0x21; j < 0x7f; j++) { …