Blaise
by AnandSaminathan
I recovered a binary from my teacher’s computer. I tried to reverse it but I couldn’t.
Files
Solution
On decompiling the binary using Ghidra:
ulong process(uint param_1)
{
int iVar1;
ulong uVar2;
undefined4 extraout_var;
long in_FS_OFFSET;
int local_1c;
int local_18;
uint local_14;
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
local_18 = 1;
local_14 = 0;
while (uVar2 = (ulong)local_14, (int)local_14 <= (int)param_1) {
__isoc99_scanf(&DAT_00102008,&local_1c);
iVar1 = C((ulong)param_1,(ulong)local_14,(ulong)local_14);
if (iVar1 != local_1c) {
local_18 = 0;
}
local_14 = local_14 + 1;
}
if (local_18 == 1) {
iVar1 = system("cat flag.txt");
uVar2 = CONCAT44(extraout_var,iVar1);
}
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return uVar2;
}
undefined8 main(void)
{
uint uVar1;
time_t tVar2;
setbuf(stdout,(char *)0x0);
setbuf(stdin,(char *)0x0);
setbuf(stderr,(char *)0x0);
tVar2 = time((time_t *)0x0);
srand((uint)tVar2);
uVar1 = display_number(0xf,0x14,0x14);
process((ulong)uVar1);
return 0;
}
In summary, the main
function calls a function called process
with a random number as input. The process
function prints the random number generated and has a while loop, in each iteration i
an integer x
is read and C(input, i) == x
is checked, C
is nothing but nCr
. So if we give the correct nCr
values for the given random number, the flag will be printed. We copy pasted the input manually using a simple function:
def C(n, r):
return fact(n) / (fact(r) * fact(n - r))
Flag
csictf{y0u_d1sc0v3r3d_th3_p4sc4l's_tr14ngl3}