Classic Crackme 0x100
**  
reverse  
picoctf

A classic Crackme. Find the password, get the flag! Binary can be downloaded here. Crack the Binary file locally and recover the password. Use the same password on the server to get the flag!
The decompiled code for the binary's main function:

The binary given expects a password as input.

/* WARNING: Unknown calling convention */

/*
 * Decompiler output for the crackme's main().
 *
 * Flow, as visible in this listing:
 *   1. `output` is filled, one byte at a time, with a fixed 50-character
 *      lowercase string followed by a NUL terminator.
 *   2. A password is read into `input` with scanf.
 *   3. The first strlen(output) bytes of `input` are transformed in place,
 *      three passes in a row.
 *   4. The transformed bytes are compared with `output`; on a match the flag
 *      is printed, otherwise "FAILED!".
 *
 * Returns 0 on both paths.
 */
int main(void)

{
uint uVar1;
int iVar2;
size_t lenght;
char input [51];
char output [51];
/* random2 .. len below are declared but never referenced in this listing. */
int random2;
int random1;
char fix;
int secret3;
int secret2;
int secret1;
int len;
int j;
int i;
/* Expected post-transform string: 50 characters at indexes 0..0x31. */
output[0] = 'k';
output[1] = 'g';
output[2] = 'x';
output[3] = 'm';
output[4] = 'w';
output[5] = 'p';
output[6] = 'b';
output[7] = 'p';
output[8] = 'u';
output[9] = 'q';
output[10] = 't';
output[0xb] = 'o';
output[0xc] = 'r';
output[0xd] = 'z';
output[0xe] = 'a';
output[0xf] = 'p';
output[0x10] = 'j';
output[0x11] = 'h';
output[0x12] = 'f';
output[0x13] = 'm';
output[0x14] = 'e';
output[0x15] = 'b';
output[0x16] = 'm';
output[0x17] = 'c';
output[0x18] = 'c';
output[0x19] = 'v';
output[0x1a] = 'w';
output[0x1b] = 'y';
output[0x1c] = 'c';
output[0x1d] = 'y';
output[0x1e] = 'v';
output[0x1f] = 'e';
output[0x20] = 'w';
output[0x21] = 'p';
output[0x22] = 'x';
output[0x23] = 'i';
output[0x24] = 'h';
output[0x25] = 'e';
output[0x26] = 'i';
output[0x27] = 'f';
output[0x28] = 'v';
output[0x29] = 'n';
output[0x2a] = 'u';
output[0x2b] = 'q';
output[0x2c] = 's';
output[0x2d] = 'r';
output[0x2e] = 'g';
output[0x2f] = 'e';
output[0x30] = 'x';
output[0x31] = 'l';
/* Terminator at index 0x32 (50), so strlen(output) below is 50. */
output[0x32] = '\0';
/* Buffering mode is the raw value 2; on glibc that is _IONBF (unbuffered). */
setvbuf(stdout,(char *)0x0,2,0);
printf("Enter the secret password: ");
/*
 * NOTE(review): the format string lives at DAT_00402024 and is not shown in
 * this listing. If it is a "%s" without a field width, input longer than 50
 * characters would write past the 51-byte `input` buffer -- confirm against
 * the binary's data section.
 */
__isoc99_scanf(&DAT_00402024,input);
i = 0;
lenght = strlen(output);
/*
 * Three identical passes over positions 0..lenght-1. The bound comes from
 * `output`, not from what was typed: if fewer than 50 characters were read,
 * the remaining bytes of `input` are whatever the stack held, because
 * `input` has no initializer.
 */
for (; i < 3; i = i + 1) {
for (j = 0; j < (int)lenght; j = j + 1) {
/* j % 0xff equals j for every index visited here (j < 50). */
/* Step 1: add adjacent bits of j, giving four 2-bit partial counts. */
uVar1 = (j % 0xff >> 1 & 0x55U) + (j % 0xff & 0x55U);
/* Step 2: add adjacent 2-bit counts, giving one count per nibble. */
uVar1 = ((int)uVar1 >> 2 & 0x33U) + (uVar1 & 0x33);
/*
 * Step 3: add the two nibble counts, i.e. the number of set bits in j,
 * to the letter's offset from 'a' (-0x61 is -'a').
 */
iVar2 = ((int)uVar1 >> 4) + input[j] + -0x61 + (uVar1 & 0xf);
/*
 * iVar2 - (iVar2 / 26) * 26 + 'a': for the small values reached with
 * lowercase input this is iVar2 % 26 + 'a', so each pass rotates the letter
 * forward by the bit count of its position. Input outside a-z can make
 * iVar2 negative and yield a byte below 'a'.
 */
input[j] = (char)iVar2 + (char)(iVar2 / 0x1a) * -0x1a + 'a';
}
}
/* Only the first lenght (50) bytes take part in the comparison. */
iVar2 = memcmp(input,output,(long)(int)lenght);
if (iVar2 == 0) {
/* The local copy of the binary carries a placeholder flag string. */
printf("SUCCESS! Here is your flag: %s\n","picoCTF{sample_flag}");
}
else {
puts("FAILED!");
}
return 0;
}



I modified the decompiled code so that I could compile and run it myself, replacing the scanf call with a hard-coded test input.

#include "stdio.h"
#include "string.h"

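/*
 * Local test harness for the crackme's check routine.
 *
 * Instead of reading from stdin, a hard-coded candidate password is copied
 * into `input`, run through the same three transformation passes as the
 * binary, and compared with the expected string `output`. Both strings are
 * printed so the effect of the transform can be inspected.
 *
 * Returns 0 whether or not the candidate matches.
 */
int main(void)
{
    /* Expected post-transform string taken from the decompiled binary. */
    const char output[51] = "kgxmwpbpuqtorzapjhfmebmccvwycyvewpxiheifvnuqsrgexl";
    /* Candidate password under test; replace to try another value. */
    static const char candidate[] = "THEINPUT";
    /*
     * Zero-initialised so that every byte the loop touches is defined and the
     * buffer stays NUL-terminated for the "%s" below. Without this, a
     * candidate shorter than 50 characters leaves the tail of the array
     * uninitialised, and printing it may read past the end of `input`.
     */
    char input[51] = {0};
    size_t expected_len = strlen(output);

    /* The decompiler showed the raw mode value 2, which is _IONBF on glibc. */
    setvbuf(stdout, NULL, _IONBF, 0);
    printf("Enter the secret password: ");
    /* Bounded copy: never writes more than sizeof input bytes. */
    snprintf(input, sizeof input, "%s", candidate);

    /*
     * Same transform as the binary: three passes, each rotating the letter at
     * position j forward by the number of set bits in j, modulo 26. As in the
     * binary, all expected_len positions are processed regardless of the
     * candidate's length. The arithmetic assumes lowercase a-z; other bytes
     * (including the zero padding) produce values outside a-z.
     */
    for (int round = 0; round < 3; round++) {
        for (int j = 0; j < (int)expected_len; j++) {
            unsigned bits = (unsigned)(j % 0xff);

            bits = (bits >> 1 & 0x55U) + (bits & 0x55U);  /* 2-bit counts */
            bits = (bits >> 2 & 0x33U) + (bits & 0x33U);  /* nibble counts */

            int shifted = (int)(bits >> 4) + input[j] - 'a' + (int)(bits & 0x0fU);

            input[j] = (char)(shifted % 26 + 'a');
        }
    }

    printf("Output: %s\n", output);
    printf("Input: %s\n", input);

    if (memcmp(input, output, expected_len) == 0) {
        printf("SUCCESS! Here is your flag: %s\n", "picoCTF{sample_flag}");
    } else {
        puts("FAILED!");
    }
    return 0;
}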


After the three transformation passes, the input must be equal to the output string. Each position is transformed independently of the others, so for every position I tested each lowercase letter to see which one gives the desired value.
The code I used to build the needed string:

#include "stdio.h"
#include "string.h"

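/*
 * Per-pass shift for position j: the number of set bits in (j % 0xff),
 * computed with the same add-adjacent-fields steps as the binary.
 */
static int round_shift(int j)
{
    unsigned bits = (unsigned)(j % 0xff);

    bits = (bits >> 1 & 0x55U) + (bits & 0x55U);  /* 2-bit counts */
    bits = (bits >> 2 & 0x33U) + (bits & 0x33U);  /* nibble counts */
    return (int)((bits >> 4) + (bits & 0x0fU));
}

/* Applies the binary's three transformation passes to one letter at position j. */
static char encode_char(char c, int j)
{
    int shift = round_shift(j);

    for (int round = 0; round < 3; round++) {
        int shifted = c - 'a' + shift;

        c = (char)(shifted % 26 + 'a');
    }
    return c;
}

/*
 * Recovers the password for the crackme by per-position search.
 *
 * Every position is transformed independently, so for each index the 26
 * lowercase letters are tried until one encodes to the expected character.
 * The recovered string is then re-encoded and compared with the expected
 * string, so the SUCCESS/FAILED line reflects whether the recovered password
 * really passes the check. (Comparing the untransformed password with
 * `output` directly would report FAILED even for a correct result.)
 *
 * Returns 0 in all cases.
 */
int main(void)
{
    /* Expected post-transform string taken from the decompiled binary. */
    const char output[51] = "kgxmwpbpuqtorzapjhfmebmccvwycyvewpxiheifvnuqsrgexl";
    char input[51] = {0};   /* recovered password */
    char result[51] = {0};  /* recovered password after re-encoding */
    size_t expected_len = strlen(output);
    int unmatched = 0;

    /* Raw mode value 2 in the decompiled code is _IONBF on glibc. */
    setvbuf(stdout, NULL, _IONBF, 0);

    for (int j = 0; j < (int)expected_len; j++) {
        /* '?' marks a position for which no letter was found. */
        input[j] = '?';
        result[j] = '?';

        for (int k = 'a'; k <= 'z'; k++) {
            char encoded = encode_char((char)k, j);

            if (encoded == output[j]) {
                input[j] = (char)k;
                result[j] = encoded;
                break;
            }
        }
        if (input[j] == '?') {
            unmatched++;
        }
    }

    printf("Result: %s\n", result);
    printf("Output: %s\n", output);
    printf("Input: %s\n", input);

    if (unmatched == 0 && memcmp(result, output, expected_len) == 0) {
        printf("SUCCESS! Here is your flag: %s\n", "picoCTF{sample_flag}");
    } else {
        puts("FAILED!");
    }
    return 0;
}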



The final step:
nc titan.picoctf.net 50064
Enter the secret password: kdugtjvgrknflqrdgbzdysdqwmnmtmjptjrzbvztpelejfuprc
SUCCESS! Here is your flag: picoCTF{s0lv3_angry_symb0ls_45518832}




picoCTF{s0lv3_angry_symb0ls_45518832}