Category
Points
Author
Reverse engineering
55
qvipin
| 1 |  .awesomeguy. | 12/03 3:08 pm |
| 2 |  boomanten10 | 12/03 3:30 pm |
| 3 |  booklover997 | 12/03 3:39 pm |
| 4 |  _avyra | 12/03 3:49 pm |
| 5 |  benishot. | 12/03 4:01 pm |
| 6 |  krississy | 12/03 4:10 pm |
| 7 |  uvuvue | 12/03 4:35 pm |
| 8 |  eth007 | 12/03 4:39 pm |
| 9 |  wavefire_ | 12/03 4:43 pm |
| 10 |  mr_mph | 12/03 4:47 pm |
| 11 |  foodreaper | 12/03 5:21 pm |
| 12 |  ryuun1corn | 12/03 5:56 pm |
| 13 |  pranavn | 12/03 6:17 pm |
| 14 |  Ricker Wilkes | 12/03 6:43 pm |
| 15 |  dharneesh5555 | 12/03 7:20 pm |
| 16 |  org_bener | 12/03 9:05 pm |
| 17 |  nouxia | 12/03 11:14 pm |
| 18 |  amsour._. | 12/04 12:27 am |
| 19 |  dailybee13. | 12/04 5:26 am |
| 20 |  midnightfam | 12/04 7:48 am |
| 21 |  battersea | 12/04 8:48 am |
| 22 |  peterw18 | 12/04 9:22 am |
| 23 |  __j03 | 12/04 9:24 am |
| 24 |  Shrelic | 12/04 10:40 am |
| 25 |  _vow_ | 12/04 10:55 am |
| 26 |  dawiddym | 12/04 11:34 am |
| 27 |  saturn9 | 12/04 11:53 am |
| 28 |  callmesaviour | 12/04 1:00 pm |
| 29 |  aa2a9c53cbb80416d3b47d85538d9971 | 12/04 1:06 pm |
| 30 |  p.s.y | 12/04 3:22 pm |
| 31 |  unpwnbl | 12/04 3:29 pm |
| 32 |  f.a.u.c.e.t | 12/04 3:36 pm |
| 33 |  _4n3s | 12/04 6:54 pm |
| 34 | monstermanyana_47633 | 12/04 7:21 pm |
| 35 |  theapprocrastinator | 12/04 9:24 pm |
| 36 |  godlyavenger | 12/04 9:59 pm |
| 37 |  minipif | 12/05 5:42 am |
| 38 |  ._e4gl3_. | 12/05 7:04 am |
| 39 | sleuth123 | 12/05 9:54 am |
| 40 |  pligonstein | 12/05 9:54 am |
| 41 | sonicskibidi | 12/05 10:02 am |
| 42 |  tudor | 12/05 10:49 am |
| 43 |  amir213. | 12/05 10:58 am |
| 44 |  raul_26 | 12/05 6:51 pm |
| 45 |  lydxn | 12/05 10:52 pm |
| 46 |  silence_ | 12/06 10:34 am |
| 47 |  theb4tmite | 12/06 11:34 am |
| 48 |  h3ri0s | 12/06 12:36 pm |
| 49 |  kr4z31n | 12/07 6:27 am |
| 50 |  zarnex__ | 12/07 2:10 pm |
| 51 |  zzunaidd023 | 12/08 9:24 pm |
| 52 |  whoful | 12/10 4:34 am |
| 53 |  heartstoller | 12/11 11:12 am |
| 54 | vuxnx_91621 | 12/18 1:52 am |
| 55 |  .hackboredzz | 12/18 2:01 am |
| 56 | kush001607 | 12/18 2:47 am |
| 57 | test123450604 | 12/18 3:41 am |
| 58 | benny_46903_75418 | 12/18 5:08 am |
| 59 |  andreicat | 12/18 6:05 am |
| 60 |  trixai | 12/18 7:26 am |
| 61 |  puwanai.s | 12/18 9:09 am |
| 62 |  m0ns7er | 12/18 9:22 am |
| 63 |  georgechkhaidze | 12/18 9:58 am |
| 64 |  sanskariwolf | 12/18 10:15 am |
| 65 |  damian.28 | 12/18 10:16 am |
| 66 |  __landon | 12/18 12:34 pm |
| 67 |  masquerade8077 | 12/18 3:07 pm |
| 68 |  hash0xc | 12/18 5:50 pm |
| 69 |  andreww4364 | 12/18 6:37 pm |
| 70 |  athaw | 12/18 7:04 pm |
| 71 | fzhshzh_163 | 12/18 7:55 pm |
| 72 | mostyx_56545 | 12/18 10:05 pm |
| 73 | magic_kaito1412 | 12/18 10:05 pm |
| 74 | f00var | 12/19 1:51 am |
| 75 | awdyan_ | 12/19 7:03 am |
| 76 |  mini_ware | 12/19 7:59 am |
| 77 |  elijah5399 | 12/19 8:07 am |
| 78 | saik9415 | 12/19 11:03 am |
| 79 |  infernosalex | 12/19 2:26 pm |
| 80 | rotzkokowski | 12/19 3:51 pm |
| 81 |  akz_loid | 12/20 2:34 am |
| 82 |  yo8836 | 12/20 7:06 am |
| 83 |  mage9298 | 12/20 9:27 am |
| 84 | nnhung37 | 12/20 9:32 am |
| 85 | mtwiss_32447 | 12/20 4:22 pm |
| 86 |  hqky.2kruoi | 12/21 7:01 am |
| 87 |  rex_i_a | 12/21 8:04 am |
| 88 | installman. | 12/21 8:13 am |
| 89 |  mitotototo | 12/21 9:26 am |
| 90 |  kaizowe | 12/21 12:05 pm |
| 91 |  mobyduck | 12/21 1:42 pm |
| 92 |  manu7738 | 12/21 5:36 pm |
| 93 | kar_b | 12/21 6:22 pm |
| 94 |  skizzers13 | 12/21 11:00 pm |
| 95 |  persononline247 | 12/21 11:17 pm |
| 96 |  h45him | 12/22 12:49 am |
| 97 | spectre06872 | 12/22 5:39 am |
| 98 |  .mindsystem | 12/22 11:05 am |
| 99 |  leslato | 12/22 7:31 pm |
| 100 | srik714 | 12/22 9:20 pm |
| 101 |  captainbl | 12/23 2:48 am |
| 102 |  obet | 12/23 6:03 am |
| 103 |  aarondewes | 12/23 11:19 am |
| 104 |  aquarhead | 12/23 11:19 am |
| 105 |  re_tired | 12/23 2:01 pm |
| 106 |  iam_the_tea_guy | 12/23 3:25 pm |
| 107 |  znatii | 12/23 4:40 pm |
| 108 |  astharot15 | 12/23 4:46 pm |
| 109 |  tomatoed | 12/23 7:03 pm |
| 110 |  awwliveyet | 12/24 3:25 pm |
| 111 | concealbear | 12/24 9:44 pm |
| 112 | genseilni9593 | 12/24 9:50 pm |
| 113 |  papa9995 | 12/25 12:25 am |
| 114 |  kineticallyunstable | 12/25 2:09 am |
| 115 |  anyzy. | 12/25 2:56 am |
| 116 | busy_parrot_29341 | 12/25 8:08 am |
| 117 |  mattewastaken | 12/25 8:13 am |
| 118 |  isee9917 | 12/25 8:32 am |
| 119 |  darkity | 12/25 10:27 am |
| 120 |  leyo7 | 12/25 1:01 pm |
| 121 |  6oq. | 12/25 1:59 pm |
| 122 |  hanks2151 | 12/25 2:15 pm |
| 123 |  chappy_jethro | 12/25 2:17 pm |
| 124 |  predatormonarch | 12/25 5:09 pm |
| 125 |  m4422 | 12/25 5:53 pm |
| 126 |  tildenjackson | 12/25 5:59 pm |
| 127 |  yugi200 | 12/25 6:27 pm |
| 128 | wilsonwei_cs | 12/25 11:44 pm |
| 129 |  grwna | 12/26 12:36 am |
| 130 |  sadfr0g. | 12/26 2:13 am |
| 131 | .brothersofdestruction | 12/26 5:05 am |
| 132 |  _vga_ | 12/26 6:35 am |
| 133 |  dudalp | 12/26 9:41 am |
| 134 |  darkimoo. | 12/26 11:28 am |
| 135 | 0x0ffset | 12/26 12:02 pm |
| 136 |  .jstr_ | 12/26 9:25 pm |
| 137 |  tyx2019 | 12/27 1:22 am |
| 138 | fakeaviationist | 12/27 2:55 am |
| 139 | vifsh_01692 | 12/27 5:30 am |
| 140 |  qwerty2119581 | 12/27 6:31 am |
| 141 |  baribal02 | 12/28 6:03 pm |
| 142 |  siddhartha_hdk | 12/29 4:32 am |
| 143 |  fazect | 12/29 6:18 am |
| 144 |  riki_s | 12/29 5:58 pm |
| 145 | jumbotron.__38029 | 12/31 12:01 am |
| 146 | mahendra3279 | 12/31 1:36 am |
| 147 |  daynight253 | 12/31 4:07 am |
Santa’s ElfTV license key checker got leaked! Finally, a break for a broke elf like you, starving for that sweet, sweet elf dopamine. The catch? You’ve got to reverse-engineer Santa’s “state-of-the-art” security to unlock it. Think you’re smarter than the guy who still uses reindeer for transportation? Prove it and claim your ElfTV fix!!!!
Connect using nc ctf.csd.lol 1001
There are no penalties for viewing hints. Hints are released 12 hours and 24 hours after the challenge releases.
zarnex's write-up was selected as the best write-up submitted for this challenge.
View this write-up on GitHubLet's take a look at the source!
use std::fs::File;
use std::io::{self, BufRead, Write};
use std::path::Path;
fn supasecurefibberdachicheckerthing(n: usize) -> Vec<u64> {
let mut fib: Vec<u64> = vec![0, 1];
for i in 2..n {
let next = fib[i - 1].checked_add(fib[i - 2]).unwrap_or(0);
fib.push(next);
}
fib
}
fn validate_license_key(key: &str) -> bool {
if !key.starts_with("XMAS") {
return false;
}
if key.len() != 12 {
return false;
}
let ascii_sum: u32 = key.chars().skip(4).take(5).map(|c| c as u32).sum();
if ascii_sum != 610 {
return false;
}
let fib_482 = supasecurefibberdachicheckerthing(483)[482];
let fib_last_3 = fib_482 % 1000;
let key_last_3: u16 = match key[9..12].parse() {
Ok(num) => num,
Err(_) => return false,
};
if key_last_3 != fib_last_3 as u16 {
return false;
}
true
}
fn win() {
let flag_path = Path::new("flag.txt");
if let Ok(file) = File::open(flag_path) {
let mut buf_reader = io::BufReader::new(file);
let mut flag = String::new();
if buf_reader.read_line(&mut flag).is_ok() {
println!("🎄 Ho Ho Ho!, go watch some ELFTV!: {}", flag.trim());
} else {
println!("smth went wrong contact vip3r with error (flag-file-1)");
}
} else {
println!("smth went wrong contact vip3r with error (flag-file-2)");
}
}
fn main() {
println!("🎄 Welcome to the ElfTV XMAS-license key checker!");
println!("Please enter your license key:");
let stdin = io::stdin();
let mut input = String::new();
let mut stdout = io::stdout();
if stdin.read_line(&mut input).is_ok() {
let key = input.trim();
if validate_license_key(key) {
win();
} else {
writeln!(stdout, "Ho ho ho! Try again.").unwrap();
}
} else {
writeln!(stdout, "Failed to read the input!").unwrap();
}
}
So the goal of this challenge is to piece together a license key to get the flag. Let's start by analyzing each function used to check for the license key.
fn validate_license_key(key: &str) -> bool {
if !key.starts_with("XMAS") {
return false;
}
if key.len() != 12 {
return false;
}
let ascii_sum: u32 = key.chars().skip(4).take(5).map(|c| c as u32).sum();
if ascii_sum != 610 {
return false;
}
let fib_482 = supasecurefibberdachicheckerthing(483)[482];
let fib_last_3 = fib_482 % 1000;
let key_last_3: u16 = match key[9..12].parse() {
Ok(num) => num,
Err(_) => return false,
};
if key_last_3 != fib_last_3 as u16 {
return false;
}
true
}
This function in the source is what checks if the license key is correct or not.
if !key.starts_with("XMAS") {
return false;
}
This first check is pretty straight forward, it checks if the string starts with XMAS
if key.len() != 12 {
return false;
}
The next check above is looking at if the key is 12 characters, so now we have general idea on how the license key should look like. XMAS********
let ascii_sum: u32 = key.chars().skip(4).take(5).map(|c| c as u32).sum();
if ascii_sum != 610 {
return
Now it is starting to get tricky to understand, lets go over it!
key.chars(): Turns the string into a iterator of is characters.skip(4): Skips the first 4 chars.take(5): Takes the next 5 characters after skipping the first 4..map(|c| c as u32): Maps each character in this slice to its ASCII value (as a u32 integer)..sum(): Takes the sum of these ASCII values.let ascii_sum: u32 = ...;: Saves the sum in a variable ascii_sum.if ascii_sum != 610 {: Checks if the sum of these ASCII values is not equal to 610.So at this point we need to find 5 characters that add up to 610 which is nice since it is even. So I wrote a Python one liner print(chr(int(610 / 5)) * 5) which outputs zzzzz. So our license key should look like XMASzzzzz*** so far.
let fib_482 = supasecurefibberdachicheckerthing(483)[482];
let fib_last_3 = fib_482 % 1000;
let key_last_3: u16 = match key[9..12].parse() {
Ok(num) => num,
Err(_) => return false,
};
if key_last_3 != fib_last_3 as u16 {
return false;
}
Now the final check had me confused, I was looking very surface level and thought the key was just the last 3 digits of the Fibonacci sequence for the 482 number (which is 041) but it didn't work. As I look in deeper, it seems as the codes implementation of the Fibonacci check is faulty because of this
u64 integersu64 can hold up to 2^64−1≈1.84×10^19So to get the correct number, I modified the code to just print out the last 3 digits.
fn main() {
fn supasecurefibberdachicheckerthing(n: usize) -> Vec<u64> {
let mut fib: Vec<u64> = vec![0, 1];
for i in 2..n {
let next = fib[i - 1].checked_add(fib[i - 2]).unwrap_or(0);
fib.push(next);
}
fib
}
let fib_482 = supasecurefibberdachicheckerthing(483)[482];
let fib_last_3 = fib_482 % 1000;
println!("last 3 digits: {}", fib_last_3);
}
And running it...
$ rustc test.rs $ ./test last 3 digits: 738
So now we have our full license key: XMASzzzzz738. Lets try it!
$ nc ctf.csd.lol 1001
🎄 Welcome to the ElfTV XMAS-license key checker!
Please enter your license key:
XMASzzzzz738
🎄 Ho Ho Ho!, go watch some ELFTV!: csd{Ru57y_L1c3N53_k3Y_CH3Ck3r}
Flag: csd{Ru57y_L1c3N53_k3Y_CH3Ck3r}