Rating:

# dCTF Bell Write Up

## Details:

Jeopardy style CTF

Points: 100

Category: Reverse Engineering

Comments:

Blaise's friends like triangles too!
nc dctf-chall-bell.westeurope.azurecontainer.io 5311

## Write up:

Decompiling the program I got that the main function was:

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int v3;
unsigned int v5;

v3 = time(0LL);
srand(v3);
v5 = rand() % 5 + 8;
printf("%d\n", v5);
process(v5);
return 0;
}
```

I saw that what I needed was inside of process so I decompiled that too:

```c
__int64 __fastcall process(int a1)
{
int v2;
int i;
__int64 v4;
__int64 v5;
unsigned __int64 v6;

v6 = __readfsqword(0x28u);
v2 = 1;
for ( i = 1; i <= a1; ++i )
{
v5 = triangle((unsigned int)a1, (unsigned int)i);
__isoc99_scanf(&unk_AA4, &v4;;
if ( v5 != v4 )
v2 = 0;
}
if ( v2 == 1 )
system("cat flag.txt");
else
puts("Better luck next time.");
return 0LL;
}
```

From the looks of the code I looped through whatever random number of times and then had to enter the number that triangle would spit out. I then decompiled triangle:

```c
__int64 __fastcall triangle(unsigned int a1, int a2)
{
__int64 v3;

if ( a2 > (int)a1 )
return 0LL;
if ( a1 == 1 && a2 == 1 )
return 1LL;
if ( a2 == 1 )
return triangle(a1 - 1, a1 - 1);
v3 = triangle(a1, (unsigned int)(a2 - 1));
return v3 + triangle(a1 - 1, (unsigned int)(a2 - 1));
}
```

This was just a function that did some math so I decided to make a python script to do the same:

```py
# import pwn
from pwn import *

# open remote connection
r = remote("dctf-chall-bell.westeurope.azurecontainer.io", 5311)

# get the first line
num = r.recvline()

# turn the line into a number
num = int(num.decode().replace("\n", ""))

# triangle function
def triangle(a1, a2):
if a2 > a1:
return 0
if a1 == 1 and a2 == 1:
return 1
if a2 == 1:
return triangle(a1-1, a1-1)
v3 = triangle(a1, a2 -1)
return v3 + triangle(a1-1, a2-1)

# loop through X amount of times
for i in range(1, num + 1):

# send the calculated value
r.sendline(str(triangle(num, i)))

# print the flag
print(r.recvline())
```

When run I got:

```
[+] Opening connection to dctf-chall-bell.westeurope.azurecontainer.io on port 5311: Done
b'dctf{f1rst_step_t0wards_b3ll_l4bs}\n'
```

Original writeup (https://github.com/Kasimir123/CTFWriteUps/tree/main/2021-05-dCTF/Bell).