Vampires Checker (Reverse)

Vampires Checker solution (medium).

We have a single ELF file, and when we run it we get:

./vampiresChecker 

Oh Hello there :)
I am a vampire who loves flag checker so i made one, impress me:

It is basically a flag checker, we need to enter the flag to get the correct message, let's start disassembling.

Seeing main function, it takes our input, then pass it to a function called "func" then checks if it's equal to an array called "arr" which is the encrypted flag.

Let's check the "func" function:

We see some sort of encryption happening, with an array key (local_38), let's start organizing the code and renaming variables using 'L' button.

We will first go to "arr" array and get all the hex values from there, then in CyberChef we will use two options to convert them to decimal so we use them in our solver script:

NOTE: be careful extracting the flag, because one of the values is 00. After renaming the variables to have a better understanding, here is what we have:

So the function first XOR's with one of the key elements, and then multiply by 8, then an OR operation is done with 5 bits shifted to the right.

Now we can trace that and just rewrite the code in python to solve it, or we can use chatGPT, when i tried that it gave me wrong answers and wasn't able to solve it, so let's do it manually, we will first write some code to set the flag, and then make an empty list that we will modify to have the final flag.

key = [4, 8, 16, 32, 64, 128]

encrypted = [131,235,67,27,160,54,251,42,9,114,33,254,233,193,170,154,248,197,42,90,218,251,0,118,3,186,179,123,144,189,99,171]

flag = [0 for x in range(len(encrypted))]

Next we will loop over the encrypted flag, and start doing the encryption operation backwards:

flag[i] = ((encrypted[i] % 8) << 5) | (encrypted[i] >> 3)
flag[i] = flag[i] ^ key[i % 6]

What we are doing here basically is:

Masking the number (so it doesn't exceed 8 bits, can be done using '% 8' or '& 0x7').
Reverse the 5 bits right shift, by a left shift.
OR operation with 3 bits right shift to reverse the 8, since dividing by 8 wont give good results (due to floats and integers).
Finally XOR-ing with the key.

Let's now assemble the whole code and print the characters of the result numbers, here is the final code:

key = [4, 8, 16, 32, 64, 128]

encrypted = [131,235,67,27,160,54,251,42,9,114,33,254,233,193,170,154,248,197,42,90,218,251,0,118,3,186,179,123,144,189,99,171]

flag = [0 for x in range(len(encrypted))]
for i in range(len(encrypted)):    
    flag[i] = ((encrypted[i] % 8) << 5) | (encrypted[i] >> 3)
    flag[i] = flag[i] ^ key[i % 6]

print("".join(chr(x) for x in flag))

Running it results in:

python3 solve.py 

tuxCTF{M1nd_90Es_8ACK_@Nd_fOR7h}

And done!

PreviousTuxCTFv2 NextwannaGOwithme (Reverse)

Last updated 5 months ago

key = [4, 8, 16, 32, 64, 128] encrypted = [131,235,67,27,160,54,251,42,9,114,33,254,233,193,170,154,248,197,42,90,218,251,0,118,3,186,179,123,144,189,99,171] flag = [0 for x in range(len(encrypted))] for i in range(len(encrypted)): flag[i] = ((encrypted[i] % 8) << 5) | (encrypted[i] >> 3) flag[i] = flag[i] ^ key[i % 6] print("".join(chr(x) for x in flag))