Editorial for DMOJ Capture The Flag '20 R2 - EZ Assembly
Submitting an official solution before solving the problem yourself is a bannable offence.
Author:
There are two routes we can take for this problem. The first one is to decompile the binary with a tool such as radare2 or Ghidra, work out what the encryption function does, and then invert it to retrieve the flag.
The second route is to notice one key detail about the encryption function: each input byte is mapped to a single output byte, independently of what the other bytes are. Thus, we can run every valid flag character through the binary and build a mapping, then look up each byte of the encrypted string in the inverse of that mapping. Notice that the returned string is most of the flag but reversed, so we reverse it. This alone would have been enough to get most of the flag. A few ciphertext bytes, however, have no corresponding entry in the mapping. Using some trial and error (or decompiling the code), we can see that a single character (_) is responsible: its output depends on its position in the string.
For example,
$ ./main _____________________________________
'&%$#"!*)('&%$#"!*)('&%$#"!*)('&%$#"!
These are exactly the bytes that had no entry in the mapping. Thus, whenever a ciphertext byte is unmapped we substitute _ for it by hand. This is enough to retrieve the flag.
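The second route, as an added worked example that is not code from the editorial or from the contest binary: a constructed stand-in for the binary that has only the properties described above (byte-wise mapping, reversed output, and a position-dependent _), alongside the recovery that queries the oracle one character at a time, inverts the table, fills in _ wherever a ciphertext byte has no preimage, and reverses the result. `query_binary`, `stand_in_binary`, `ALPHABET`, the substitution and the period-10 position rule used inside the stand-in, and the sample flag are all assumptions; the real binary's function is unknown here, and the recovery code never relies on it.

```python
import string
import subprocess

# Candidate flag characters used to build the substitution table (assumption).
ALPHABET = string.ascii_letters + string.digits + "_{}"


def query_binary(path, text):
    """Run the challenge binary with `text` as argv[1] (as in `./main ____`)
    and return the printed ciphertext. Only needed against the real binary;
    the simulated run below uses stand_in_binary() instead."""
    out = subprocess.run([path, text], capture_output=True, check=True).stdout
    return out.decode("latin-1").rstrip("\n")


def stand_in_binary(text):
    """Constructed stand-in for the challenge binary (NOT its real code).
    It has only the properties the editorial relies on: every byte is mapped
    independently of its neighbours, the output is reversed, and '_' alone
    depends on its position (reproducing the '_' run shown in the editorial)."""
    out = []
    for pos, c in enumerate(text[::-1]):
        if c == "_":
            # Assumed position rule: walks down from "'" (0x27) through "!" (0x21),
            # wrapping through "*)(" with period 10, as the editorial's run shows.
            out.append(chr(0x21 + (6 - pos) % 10))
        else:
            # Assumed fixed substitution: reflect 0x2B..0x7E onto itself, so no
            # ordinary character ever lands in the 0x21..0x2A band used by '_'.
            out.append(chr(0xA9 - ord(c)))
    return "".join(out)


def build_inverse_table(oracle):
    """Query the oracle one character at a time and invert the byte mapping.
    '_' is skipped: its output shifts with position, so it has no single entry."""
    inverse = {}
    for c in ALPHABET:
        if c == "_":
            continue
        enc = oracle(c)
        if len(enc) != 1:
            raise ValueError(f"{c!r} did not map to a single byte: {enc!r}")
        if enc in inverse:
            raise ValueError(f"{enc!r} produced by both {inverse[enc]!r} and {c!r}")
        inverse[enc] = c
    return inverse


def check_position_independence(oracle, sample="ab1{"):
    """Sanity check for the key observation: encrypting a string gives the same
    bytes (reversed) as encrypting its characters one at a time."""
    together = oracle(sample)[::-1]
    separately = "".join(oracle(c) for c in sample)
    return together == separately


def recover_flag(ciphertext, inverse):
    """Undo the substitution. A byte with no preimage must be the
    position-dependent '_'. The mapped text is reversed, so reverse it back."""
    plain = "".join(inverse.get(b, "_") for b in ciphertext)
    return plain[::-1]


def demo():
    # Constructed sample flag, not the real one from the contest.
    flag = "ctf{byte_wise_substitution_reversed_1}"
    ciphertext = stand_in_binary(flag)
    inverse = build_inverse_table(stand_in_binary)
    return recover_flag(ciphertext, inverse)


if __name__ == "__main__":
    print(stand_in_binary("_" * 37))
    print(demo())
```

Against the real file, pass `lambda s: query_binary("./main", s)` as the oracle in place of `stand_in_binary`; the table is rebuilt from the binary's own answers, so nothing about the stand-in's substitution carries over. The `check_position_independence` call is worth running first, since the whole shortcut rests on that observation.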