MHSCTF 2022 — Avengers Assemble (Reverse Engineering)

Description

The club I’ve been trying to get into has tightened up their security a lot! Can you get the password for me again? Note: the file uses the .asm extension which is not necessarily entirely accurate.

So here we are provided with a file with a .asm extension.

Running file command returns

Reading the file returns the following content

After analyzing the contents of the file and some googling I got to know that this is Python Bytecode.

Bytecode is the low-level representation of the python code which is the platform-independent, but the code is not the binary code and so it cannot run directly on the targeted machine. It is a set of instructions for the virtual machine which is also called as the Python Virtual Machine[PVM].

Through some more research I got to know how we can convert our own python code into bytecode. So I tried to make my own code in python, generate its bytecode and examine it against the code provided.

After a lot of trial and error I got the original code as following

In the above part it declares an input variable inp and prompts user to enter the password. Then it declares an empty string variable named pwd:

In the next part, a for loop is called up to the length of inp variable:

Looking at the next part..

Now this part is the most important as in this part for every character of the inp variable it first calculates the unicode code of the character using ord(). Then it adds (i%7) to the unicode value and then calls chr() on that value and add it to the pwd variable (I got this from a lot of trial and error as I was not familiar with the python bytecode)

Moving on the next part..

Here in this part it is storing some constant integers in a list called comp

From the integer values I assumed that these are the values that our password will be compared against. So I reverse engineered the above logic and provided the comp value as input. The rest of the file content was about the comparison of input value with this comp variable. Following is the solution code to get the flag.

Here instead of adding (i%7) I subtracted this value from the comp integers and then called the chr() on each integer. As a result, I got the flag.

flag{0n_your_13f7}

--

--

--

Red Team and Offensive Security Learner

Love podcasts or audiobooks? Learn on the go with our new app.

Overview Spring MVC-Dispatcher Servlet

Using Python’s Collections Library

Ambient sensor for mere mortal

READ/DOWNLOAD%?

Look mom, no Live encoder: the advantages of VOD2Live

Dealing With Concurrency At The Cluster Level

Testpage

Speedup FFmpeg without compiling from source code

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Saad Akhtar

Saad Akhtar

Red Team and Offensive Security Learner

More from Medium

Hack The Box: Getting User Level Privilege

Reversing ELF TryHackMe

FORGE - HTB walkthrough

Reverse Engineering with GHIDRA.