rgbCTF-2020

CTF Writeup - https://ctf.rgbsec.xyz/

14 July 2020

Too-Slow

by AnandSaminathan

I’ve made this flag decryptor! It’s super secure, but it runs a little slow.

Files:

Solution

Decompiling the functions getKey and main with Ghidra gives:

uint32_t getKey(void)
{
    int64_t var_8h;
    
    var_8h._0_4_ = 0;
    while ((uint32_t)var_8h < 0x265d1d23) {
        var_8h._4_4_ = (uint32_t)var_8h;
        while (var_8h._4_4_ != 1) {
            if ((var_8h._4_4_ & 1) == 0) {
                var_8h._4_4_ = (int32_t)var_8h._4_4_ / 2;
            } else {
                var_8h._4_4_ = var_8h._4_4_ * 3 + 1;
            }
        }
        var_8h._0_4_ = (uint32_t)var_8h + 1;
    }
    return (uint32_t)var_8h;
}

undefined8 main(undefined8 argc, char **argv)
{
    uint32_t uVar1;
    int64_t var_10h;
    int64_t var_4h;
    
    puts("Flag Decryptor v1.0");
    puts();
    uVar1 = sym.getKey();
    win((uint64_t)uVar1);
    return 0;
}

The function win (which sounds like the target function for the flag) is called with the value returned by getKey. getKey is too slow to wait for, but its return value is predictable: the outer loop only increments the counter in var_8h until it reaches 0x265d1d23 (643636515), and the inner loop is busy-work that never touches that counter, so the bound itself is what getKey returns. Instead of trying to reverse win, we can call it directly from gdb with 643636515 as the parameter.
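A readable C reimplementation of the decompiled loop, added here as an illustration (it is not the challenge's own source): it shows that the Collatz-style inner loop only burns time and never changes the counter, so the key equals the loop bound 0x265d1d23 and can be predicted without running getKey. It assumes the counter starts at 1 rather than the decompiled 0, because 0 never reaches 1 under the inner loop and the demo would hang.

```c
#include <stdint.h>
#include <stdio.h>

/* Loop bound taken from the decompiled getKey(). */
#define CHALLENGE_LIMIT 0x265d1d23u

/* Readable version of getKey(): the outer counter runs from `start` up to
 * `limit`; for each value the inner loop applies the Collatz step
 * (n/2 if even, 3n+1 if odd) until it reaches 1. The inner loop never
 * writes to the counter, so the function always returns `limit`.
 * Assumption: start at 1, since n = 0 would loop forever (0 -> 0). For the
 * small starts used here the values stay far below 2^31, so the decompiler's
 * signed cast before the division makes no difference. */
uint32_t slow_key(uint32_t start, uint32_t limit) {
    uint32_t i = start;
    while (i < limit) {
        uint32_t n = i;
        while (n != 1) {
            if ((n & 1) == 0)
                n = n / 2;
            else
                n = n * 3 + 1;
        }
        i = i + 1;
    }
    return i;
}

/* The key without the wait: getKey() returns its loop bound. */
uint32_t predicted_key(uint32_t limit) {
    return limit;
}

/* Number of Collatz steps for one counter value; shows where the time goes. */
uint64_t collatz_steps(uint32_t n) {
    uint64_t steps = 0;
    while (n != 1) {
        n = ((n & 1) == 0) ? n / 2 : n * 3 + 1;
        steps++;
    }
    return steps;
}

int main(void) {
    for (uint32_t limit = 10; limit <= 10000; limit *= 10)
        printf("limit %u: slow_key=%u predicted=%u\n",
               limit, slow_key(1, limit), predicted_key(limit));
    printf("steps for 27: %llu\n", (unsigned long long)collatz_steps(27));
    printf("challenge key: %u (0x%x)\n",
           predicted_key(CHALLENGE_LIMIT), CHALLENGE_LIMIT);
    return 0;
}
```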


Flag

rgbCTF{pr3d1ct4bl3_k3y_n33d5_no_w41t_cab79d}
tags: Pwn-Rev