Challenge Info
Challenge_name ==> WarmerevChallenge Diff ==> EasyChallenge Score ==> 45Challenge Disc ==> The WarmeRev easy reverse challenge provides a beginner-friendly experience, focusing on basic reverse engineering skills to analyze simple binaries.Challenge Category ==> Warmup, ReverseChallenge flag format ==> ASIS{...sOmeTHings...}Ok, At first we download challenge file Zip and extract it.
So, we have a file with name warmerev.
next step, we need to check the file format with file
$ file ./warmerev
./warmerev: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=069312234f6f43f852bcab00eb1947037c120f51, for GNU/Linux 3.2.0, strippedNow I know this file is Elf format.
An
ELF (Executable and Linkable Format)file is a common standard file format used for executables, object code, shared libraries, and core dumps. It is primarily used on Unix-based systems like Linux, and it is designed to be flexible and extensible.
ok, i test it and execute file on linux.
Now i check all strings using strings.
Ok, I see text:
Congratulation, you found the flag!
I think password is that flag.
Ok i need to decompile this file in Ghidra and see functions. Next step i see
Ghidrais a free, open-source tool developed by the NSA for analyzing computer programs. It helps reverse engineers understand how software works by converting machine code (which computers understand) into human-readable code, like assembly or even higher-level languages like C. You can use it to find security vulnerabilities, analyze malware, or just understand how a program operates. It supports many types of programs and works on different operating systems.
This scope of code:
if ((int)sVar2 == 0x18) { iVar1 = FUN_001011a9(local_d8); if (iVar1 == 0) { puts("Password is incorrect!"); } else { puts("Congratulation, you found the flag!"); } uVar3 = 0;}else { puts("Incorrect password length."); uVar3 = 0xffffffff;}Is logic for pass the validate password and give answer.
So, I see a function and call a function with name FUN_001011a9 and with a param.
ok i check this function:
Thats it!
in scope of code:
if (((((param_1[1] * 0x86 + *param_1 * 0x99 == 0x524b) && (param_1[3] * 0x96 + param_1[2] * 0x79 == 0x5323)) && (param_1[5] * 0xc3 + param_1[4] * 0x8b == 0x850e)) && ((((param_1[7] * 0x83 + param_1[6] * 0xb5 == 0x6401 && (param_1[9] * 0x2a + param_1[8] * 0xa3 == 0x300f)) && ((param_1[0xb] * 0x2e + param_1[10] * 0xa9 == 0x615d && ((param_1[0xd] * 0x82 + param_1[0xc] * 0x71 == 0x4457 && (param_1[0xf] * 0xb1 + param_1[0xe] * 0x7d == 0x77e2)))))) && (param_1[0x11] * 0x79 + param_1[0x10] * 0xc0 == 0x6d9b)))) && (((param_1[0x13] * 0x8d + param_1[0x12] * 0x76 == 0x5692 && (param_1[0x15] * 0xa3 + param_1[0x14] * 0x89 == 0x5b85)) && (param_1[0x17] * 0x52 + param_1[0x16] * 0x91 == 0x5a73)))) { local_10 = 1;}Whene password validate and we find flag, this logic assocation is true and this logic assocation whene i calculate it, i found flag goal. Actully, i think, this logic assocation, is our flag.
ok lets go calculate it.
I make a script using Python for calculate and decrypt.
eqs = [ (0x86, 0x99, 0x524b, 1, 0), (0x96, 0x79, 0x5323, 3, 2), (0xc3, 0x8b, 0x850e, 5, 4), (0x83, 0xb5, 0x6401, 7, 6), (0x2a, 0xa3, 0x300f, 9, 8), (0x2e, 0xa9, 0x615d, 11, 10), (0x82, 0x71, 0x4457, 13, 12), (0xb1, 0x7d, 0x77e2, 15, 14), (0x79, 0xc0, 0x6d9b, 17, 16), (0x8d, 0x76, 0x5692, 19, 18), (0xa3, 0x89, 0x5b85, 21, 20), (0x52, 0x91, 0x5a73, 23, 22),]
p = [None]*24
for a,b,c,i,j in eqs: solved = False for xi in range(256): rem = c - a*xi if rem % b != 0: continue xj = rem // b if 0 <= xj < 256: p[i] = xi p[j] = xj solved = True break if not solved: raise Exception(f"no solution for indices {i},{j}")
s = "".join(chr(x) for x in p)print(s) # result: ASIS{W@k3_up_4o_r3aL!tY}After all, I found flag.
Flag
ASIS{W@k3_up_4o_r3aL!tY}