How time flows

Author: Nolawz
Category: Reverse Engineering
Points: 480
Solves: 16
Files: chall flag.txt.enc
Flag: Blitz{71m3_5ur3_fl0w5_f457_l1k3_4_r1v3r_50m371m35}

Time flows like a river. Don’t be fooled by things you see on the surface. There might be something dangerous below the depths

Running strings on the binary given shows that the binary was packed by UPX

1
...
2
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
3
$Id: UPX 5.01 Copyright (C) 1996-2025 the UPX Team. All Rights Reserved. $
4
GCC: (GNU) 15.1
5
...

After unpacking it using upx -d chall, open it in IDA and decompile it. Bt as we can see, although we can see the disassembly, it fails to decompile the main function correctly. Screenshot of IDA

This is a common technique to stop IDA from decompiling the binary. You can read more about it here. To mitigate this, we can replace EB FF C0 48 in the binary with nop instructions (i.e, 90 90 90 90). Hexedit r After that, if we open it in IDA again and try to decompile the main function, it will decompile it successfully.

1
__int64 __fastcall main(int a1, ch ar **a2, char **a3)
2
{
3
  unsigned int seed; // eax
4
  int v4; // eax
5
  char v6; // [rsp+17h] [rbp-839h]    D
6
  int v7; // [rsp+18h] [rbp-838h]                  1
7
  int v8; // [rsp+1Ch] [rbp-834h]
8
  int v9; // [rsp+1Ch] [rbp-834h] n
9
  int i; // [rsp+20h] [rbp-830h]
10
  int j; // [rsp+24h] [rfbpain-82nCh]           0
11
  int k; // [rsp+28h] [rbp-828h]          a
12
  FILE *stream; // [rsp+30h] [rbp-820h]
13
  FILE *stream_1; // [rsp+38h] [rbp-818h]
14
  int buf[514]; // [rsp+40h] [rbp-810h] BYREF
15
  unsigned __int64 v16; // [rsp+848h] [rbp-8h]
16

17
  v16 = __readfsqword(0x28u);
18
  memset(buf, 0, 0x400uLL);
19
  buf[0] = 66;
20
  buf[1] = 108;
21
  buf[2] = 105;
22
  buf[3] = 116;
23
  buf[4] = 122;
24
  buf[5] = 123;
25
  buf[6] = 102;
26
  buf[7] = 97;
27
  buf[8] = 107;
28
  buf[9] = 101;
29
  buf[10] = 95;
30
  buf[11] = 102;
31
  buf[12] = 108;
32
  buf[13] = 97;
33
  buf[14] = 103;
34
  buf[15] = 125;
35
  stream = fopen("flag.txt.enc", "w");
36
  for ( i = 0; i <= 15; ++i )
37
  {
38
    buf[i + 256] = buf[i] ^ 0x255;
39
    fputc(buf[i + 256], stream);
40
  }
41
  seed = time(0LL);
42
  srand(seed);
43
  for ( j = 0; j <= 255; ++j )
44
  {
45
    buf[j] = j;
46
    v4 = rand();
47
    buf[j + 256] = (unsigned __int8)(((unsigned int)(v4 >> 31) >> 24) + v4) - ((unsigned int)(v4 >> 31) >> 24);
48
  }
49
  v8 = 0;
50
  for ( k = 0; k <= 255; ++k )
51
  {
52
    v8 = (buf[k + 256] + v8 + buf[k]) % 256;
53
    buf[k] ^= buf[v8];
54
    buf[v8] ^= buf[k];
55
    buf[k] ^= buf[v8];
56
  }
57
  v7 = 0;
58
  v9 = 0;
59
  stream_1 = fopen("flag.txt", "r");
60
  fseek(stream, 0LL, 0);
61
  while ( 1 )
62
  {
63
    v6 = fgetc(stream_1);
64
    if ( v6 == -1 )
65
      break;
66
    v7 = (v7 + 1) % 256;
67
    v9 = (v9 + buf[v7]) % 256;
68
    buf[v7] ^= buf[v9];
69
    buf[v9] ^= buf[v7];
70
    buf[v7] ^= buf[v9];
71
    fputc(buf[(buf[v9] + buf[v7]) % 256] ^ v6, stream);
72
  }
73
  return 0LL;
74
}

We can see that an array is created first and is written to flag.txt.enc after xoring each of its character with 0x255. And we can also see that it holds the string Blitz{fake_flag} but this is obviosly a fake flag. If we closely examine the rest of the code, we can see that before writing again to flag.txt.enc, fseek(stream, 0LL, 0); is called, which takes the cursor to the beginning of the file. Therefore we can completely ignore that fake flag we found.

Now if we take a look at the following part of the code, we can see that it is just an implementation of RC4 encryption but using a random key. So we can get the flag by again using RC4 on the encrypted text with the key (which is made by using rand() which we can brute force)


40 collapsed lines
1
__int64 __fastcall main(int a1, ch ar **a2, char **a3)
2
{
3
  unsigned int seed; // eax
4
  int v4; // eax
5
  char v6; // [rsp+17h] [rbp-839h]    D
6
  int v7; // [rsp+18h] [rbp-838h]                  1
7
  int v8; // [rsp+1Ch] [rbp-834h]
8
  int v9; // [rsp+1Ch] [rbp-834h] n
9
  int i; // [rsp+20h] [rbp-830h]
10
  int j; // [rsp+24h] [rfbpain-82nCh]           0
11
  int k; // [rsp+28h] [rbp-828h]          a
12
  FILE *stream; // [rsp+30h] [rbp-820h]
13
  FILE *stream_1; // [rsp+38h] [rbp-818h]
14
  int buf[514]; // [rsp+40h] [rbp-810h] BYREF
15
  unsigned __int64 v16; // [rsp+848h] [rbp-8h]
16

17
  v16 = __readfsqword(0x28u);
18
  memset(buf, 0, 0x400uLL);
19
  buf[0] = 66;
20
  buf[1] = 108;
21
  buf[2] = 105;
22
  buf[3] = 116;
23
  buf[4] = 122;
24
  buf[5] = 123;
25
  buf[6] = 102;
26
  buf[7] = 97;
27
  buf[8] = 107;
28
  buf[9] = 101;
29
  buf[10] = 95;
30
  buf[11] = 102;
31
  buf[12] = 108;
32
  buf[13] = 97;
33
  buf[14] = 103;
34
  buf[15] = 125;
35
  stream = fopen("flag.txt.enc", "w");
36
  for ( i = 0; i <= 15; ++i )
37
  {
38
    buf[i + 256] = buf[i] ^ 0x255;
39
    fputc(buf[i + 256], stream);
40
  }
41
  seed = time(0LL);
42
  srand(seed);
43
  for ( j = 0; j <= 255; ++j )
44
  {
45
    buf[j] = j;
46
    v4 = rand();
47
    buf[j + 256] = (unsigned __int8)(((unsigned int)(v4 >> 31) >> 24) + v4) - ((unsigned int)(v4 >> 31) >> 24);
48
  }
49
  v8 = 0;
50
  for ( k = 0; k <= 255; ++k )
51
  {
52
    v8 = (buf[k + 256] + v8 + buf[k]) % 256;
53
    buf[k] ^= buf[v8];
54
    buf[v8] ^= buf[k];
55
    buf[k] ^= buf[v8];
56
  }
57
  v7 = 0;
58
  v9 = 0;
59
  stream_1 = fopen("flag.txt", "r");
60
  fseek(stream, 0LL, 0);
61
  while ( 1 )
62
  {
63
    v6 = fgetc(stream_1);
64
    if ( v6 == -1 )
65
      break;
66
    v7 = (v7 + 1) % 256;
67
    v9 = (v9 + buf[v7]) % 256;
68
    buf[v7] ^= buf[v9];
69
    buf[v9] ^= buf[v7];
70
    buf[v7] ^= buf[v9];
71
    fputc(buf[(buf[v9] + buf[v7]) % 256] ^ v6, stream);
72
  }
73
  return 0LL;
74
}

inside the for loop where it initializes the buffer, we can see it also initializing key using rand() (btw, buf+256 is another array). For this it first assigns rand() to v4 and then does some weird bit shifts and type changes (Though some experinced people might be able to recognize this as just modulo 256). Even if we don’t know what these weird bit shifts and type changes do, we can now write a script to brute force the seed and solve this challenge.

Here is the solution script I wrote to solve this challenge:

1
from ctypes import CDLL, c_uint, c_uint8
2
from time import time
3

4
libc = CDLL("libc.so.6")
5

6

7
def RC4(message, key):
8
    S = [i for i in range(256)]
9
    c = ""
10
    T = []
11

12
    for i in range(256):
13
        T.append(key[i % len(key)])
14

15
    j = 0
16
    for i in range(256):
17
        j = (j + S[i] + T[i]) % 256
18
        S[i], S[j] = S[j], S[i]
19

20
    i = j = 0
21
    for a in range(len(message)):
22
        i = (i + 1) % 256
23
        j = (j + S[i]) % 256
24
        S[i], S[j] = S[j], S[i]
25
        t = (S[i] + S[j]) % 256
26
        k = S[t]
27
        c += chr(k ^ message[a])
28
    return c
29

30

31
def custom(v4):
32
    return c_uint8((c_uint(v4 >> 31).value >> 24) + v4).value - (
33
        c_uint(v4 >> 31).value >> 24
34
    )
35

36

37
with open("./flag.txt.enc", "rb") as f:
38
    data = f.read()
39

40
start = int(time())
41
for s in range(start, 0, -1):
42
    libc.srand(s)
43
    out = RC4([i for i in data], [custom(libc.rand()) for _ in range(256)])
44
    if "blitz" in out.lower():
45
        print(out, s)
46
        exit()