MHSCTF 2022 — Avengers Assemble (Reverse Engineering)
Description
The club I’ve been trying to get into has tightened up their security a lot! Can you get the password for me again? Note: the file uses the .asm extension which is not necessarily entirely accurate.
So here we are provided with a file with a .asm extension.
Running file command returns
Reading the file returns the following content
After analyzing the contents of the file and some googling I got to know that this is Python Bytecode.
Bytecode is the low-level representation of the python code which is the platform-independent, but the code is not the binary code and so it cannot run directly on the targeted machine. It is a set of instructions for the virtual machine which is also called as the Python Virtual Machine[PVM].
Through some more research I got to know how we can convert our own python code into bytecode. So I tried to make my own code in python, generate its bytecode and examine it against the code provided.
After a lot of trial and error I got the original code as following
In the above part it declares an input variable inp and prompts user to enter the password. Then it declares an empty string variable named pwd:
In the next part, a for loop is called up to the length of inp variable:
Looking at the next part..
Now this part is the most important as in this part for every character of the inp variable it first calculates the unicode code of the character using ord(). Then it adds (i%7) to the unicode value and then calls chr() on that value and add it to the pwd variable (I got this from a lot of trial and error as I was not familiar with the python bytecode)
Moving on the next part..
Here in this part it is storing some constant integers in a list called comp
From the integer values I assumed that these are the values that our password will be compared against. So I reverse engineered the above logic and provided the comp value as input. The rest of the file content was about the comparison of input value with this comp variable. Following is the solution code to get the flag.
Here instead of adding (i%7) I subtracted this value from the comp integers and then called the chr() on each integer. As a result, I got the flag.
flag{0n_your_13f7}