csictf 2020

CTF Writeup - https://ctftime.org/event/1081

Home csictf 2020 Writeups Home
22 July 2020

RicknMorty

by AnandSaminathan

Rick has been captured by the council of ricks and in this dimmention morty has to save him, the chamber holding rick needs a key . Can you help him find the key ?

Files

Solution

On decompiling using Ghidra:

ulong function1(uint param_1,uint param_2) {
  uint local_10;
  uint local_c;
  
  local_c = 0;
  local_10 = 1;
  while ((local_10 <= param_1 || (local_10 <= param_2))) {
    if ((param_1 % local_10 == 0) && (param_2 % local_10 == 0)) {
      local_c = local_10;
    }
    local_10 = local_10 + 1;
  }
  return (ulong)local_c;
}

long function2(uint param_1) {
  long lVar1;
  
  if (param_1 == 0) {
    lVar1 = 1;
  }
  else {
    lVar1 = function2(param_1 - 1);
    lVar1 = lVar1 * (ulong)param_1;
  }
  return lVar1;
}

undefined8 main(void) {
  int iVar1;
  time_t tVar2;
  ulong uVar3;
  long lVar4;
  int local_4c;
  time_t local_48;
  time_t local_40;
  time_t local_38;
  uint local_30;
  uint local_2c;
  char *local_28;
  int local_20;
  int local_1c;
  
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  tVar2 = time(&local_38);
  srand((uint)tVar2);
  time(&local_40);
  local_1c = 1;
  local_20 = 0;
  while( true ) {
    iVar1 = rand();
    if (iVar1 % 400 + 100 <= local_20) break;
    iVar1 = rand();
    local_2c = iVar1 % 10 + 6;
    iVar1 = rand();
    local_30 = iVar1 % 10 + 6;
    printf("%d %d",(ulong)local_2c,(ulong)local_30);
    __isoc99_scanf();
    uVar3 = function1(local_2c,local_30);
    lVar4 = function2((int)uVar3 + 3);
    if ((long)local_4c != lVar4) {
      local_1c = 0;
    }
    local_20 = local_20 + 1;
  }
  time(&local_48);
  local_28 = (char *)(double)(local_48 - local_40);
  printf(local_28,"fun() took %f seconds to execute \n");
  if ((local_1c == 1) && ((double)local_28 <= 5.00000000)) {
    system("cat flag.txt");
  }
  return 0;
}

In summary, the main function has a while loop which on each iteration prints two random numbers (a and b), then it accepts an input x and checks if function2(function1(a, b) + 3). On closer inspection, it is clear that function1 is gcd and function2 is factorial. So we have to keep reading inputs and provide the right answers to print the flag. This cannot be done manually because there’s a time check, so had to use pwntools:

from pwn import *
from math import gcd, factorial

io = remote('chall.csivit.com', 30827)

while io.can_recv(1) == True:
    inp = io.recvline()
    inp = inp.decode()
    if inp.split(' ')[0] == 'fun()':
        break
    a, b = inp.split(' ')
    a = int(a)
    b = int(b)
    io.sendline(str(factorial(gcd(a,b) + 3)))
print(io.recvall())

Flag

csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}
tags: Reversing