CTFtime.org

Reverse Fever

by xrust / PKTeam

Tags: reverse 

Rating:

# Reverse Fever
##### Juniors CTF 2016 (http://ctf.org.ru)
```
nc reverse.ctf.org.ru 8269
```

The server asks for a name and then provides a base64-encoded binary. The name is used to track progress. The user with the same name must solve the task 1000 times to get the flag.
```
root@pwnie:~# nc reverse.ctf.org.ru 8269
What's you name? asdf
Hello asdf! Only 1000 challenges remain
For solve it you need a decode base64 data and reverse engineer crackme
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAkAVAAAAAAABAAAAAAAAAAIgRAAAAAAAAAAAAAEAAOAAJAEAAHQAcAAYAAAAFAAAAQAAAAAAAAABAAEAAAAAAAEAAQAAAAAAA+AEAAAAAAAD4AQAAAAAAAAgAAAAAAAAAAwAAAAQAAAA4AgAAAAAAADgCQAAAAAAAOAJAAAAAAAAcAAAAAAAAABwAAAAAAAAAAQAAAAAAAAABAAAABQAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAGwMAAAAAAAAbAwAAAAAAAAAACAAAAAAAAEAAAAGAAAAEA4AAAAAAAAQDmAAAAAAABAOYAAAAAAASAIAAAAAAABQAgAAAAAAAAAAIAAAAAAAAgAAAAYAAAAoDgAAAAAAACgOYAAAAAAAKA5gAAAAAADQAQAAAAAAANABAAAAAAAACAAAAAAAAAAEAAAABAAAAFQCAAAAAAAAVAJAAAAAAABUAkAAAAAAAEQAAAAAAAAARAAAAAAAAAAEAAAAAAAAAFDldGQEAAAACAsAAAAAAAAIC0AAAAAAAAgLQAAAAAAAPAAAAAAAAAA8AAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAABAOAAAAAAAAEA5gAAAAAAAQDmAAAAAAAPABAAAAAAAA8AEAAAAAAAABAAAAAAAAAC9saWI2NC9sZC1saW51eC14ODYtNjQuc28uMgAEAAAAEAAAAAEAAABHTlUAAAAAAAIAAAAGAAAAIAAAAAQAAAAUAAAAAwAAAEdOVQANIIbSKwxe+nltVYLvADdg7pJpNwEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGgAAABIAAAAAAAAAAAAAAAAAAAAAAAAAHwAAABIAAAAAAAAAAAAAAAAAAAAAAAAAMAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAPgAAABIAAAAAAAAAAAAAAAAAAAAAAAAANwAAABIAAAAAAAAAAAAAAAAAAAAAAAAAUAAAACAAAAAAAAAAAAAAAAAAAAAAAAAACwAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAGxpYmMuc28uNgBfX2lzb2M5OV9zY2FuZgBwdXRzAF9fc3RhY2tfY2hrX2ZhaWwAcHJpbnRmAG1lbWNtcABfX2xpYmNfc3RhcnRfbWFpbgBfX2dtb25fc3RhcnRfXwBHTElCQ18yLjcAR0xJQkNfMi40AEdMSUJDXzIuMi41AAAAAAIAAwACAAIAAgAAAAQAAQADAAEAAAAQAAAAAAAAABdpaQ0AAAQAXwAAABAAAAAUaWkNAAADAGkAAAAQAAAAdRppCQAAAgBzAAAAAAAAAPgPYAAAAAAABgAAAAYAAAAAAAAAAAAAABgQYAAAAAAABwAAAAEAAAAAAAAAAAAAACAQYAAAAAAABwAAAAIAAAAAAAAAAAAAACgQYAAAAAAABwAAAAMAAAAAAAAAAAAAADAQYAAAAAAABwAAAAQAAAAAAAAAAAAAADgQYAAAAAAABwAAAAUAAAAAAAAAAAAAAEAQYAAAAAAABwAAAAcAAAAAAAAAAAAAAEiD7AhIiwX9CiAASIXAdAXoewAAAEiDxAjDAAAAAAAA/zXyCiAA/yX0CiAADx9AAP8l8gogAGgAAAAA6eD/////JeoKIABoAQAAAOnQ/////yXiCiAAaAIAAADpwP////8l2gogAGgDAAAA6bD/////JdIKIABoBAAAAOmg/////yXKCiAAaAUAAADpkP////8lcgogAGaQAAAAAAAAAAAx7UmJ0V5IieJIg+TwUFRJx8BwCkAASMfBAApAAEjHx4YGQADol/////RmDx9EAAC4XxBgAFVILVgQYABIg/gOSInldhu4AAAAAEiFwHQRXb9YEGAA/+BmDx+EAAAAAABdww8fQABmLg8fhAAAAAAAvlgQYABVSIHuWBBgAEjB/gNIieVIifBIweg/SAHGSNH+dBW4AAAAAEiFwHQLXb9YEGAA/+APHwBdw2YPH0QAAIA9EQogAAB1EVVIieXobv///13GBf4JIAAB88MPH0AAvyAOYABIgz8AdQXrkw8fALgAAAAASIXAdPFVSInl/9Bd6Xr///9VSInlQVdBVkFVQVRTSIPsSGRIiwQlKAAAAEiJRcgxwEiJ4EiJRajHRbQQAAAAi0W0SJhIg+gBSIlFuItFtEiYSInGvwAAAACLRbRImEiJwrkAAAAAi0W0SJi6EAAAAEiD6gFIAdC5EAAAALoAAAAASPfxSGvAEEgpxEiJ4EiDwABIiUXAv6AKQAC4AAAAAOgm/v//SItFwEiNSA9Ii0XASI14DkiLRcBMjXgNSItFwEyNcAxIi0XATI1oC0iLRcBMjWAKSItFwEiNWAlIi0XATI1YCEiLRcBMjVAHSItFwEyNSAZIi0XATI1ABUiLRcBIg8AESIlFoEiLRcBIjXADSIl1mEiLRcBIjXACSItFwEiNUAFIi0XASIPsCFFXQVdBVkFVQVRTQVNBUkFRQVBMi02gTItFmEiJ8UiJxr+wCkAAuAAAAADonv3//0iDxGBIi0XAi1W0idZIicfoWgAAAEiLRcCLVbRIica/kApAAOhl/f//hcB1DL/xCkAA6Bf9///rCr//CkAA6Av9//+4AAAAAEiLZahIi13IZEgzHCUoAAAAdAXo/vz//0iNZdhbQVxBXUFeQV9dw1VIieVIiX3oiXXkx0X8AAAAAOsmi0X8SGPQSItF6EgB0ItV/EhjykiLVehIAcoPthKD8l+IEINF/AGLRfw7ReR80kiLRegPtgCD8EyJwkiLReiIEEiLRehIg8ABSItV6EiDwgEPthKD8mCIEEiLRehIg8ACSItV6EiDwgIPthKD8imIEEiLRehIg8ADSItV6EiDwgMPthKD8jOIEEiLRehIg8AESItV6EiDwgQPthKD8l6IEEiLRehIg8AFSItV6EiDwgUPthKD8iqIEEiLRehIg8AGSItV6EiDwgYPthKD8vSIEEiLRehIg8AHSItV6EiDwgcPthKD8omIEEiLRehIg8AISItV6EiDwggPthKD8jWIEEiLRehIg8AJSItV6EiDwgkPthKD8vCIEEiLRehIg8AKSItV6EiDwgoPthKD8puIEEiLRehIg8ALSItV6EiDwgsPthKD8piIEEiLRehIg8AMSItV6EiDwgwPthKD8jKIEEiLRehIg8ANSItV6EiDwg0PthKD8juIEEiLRehIg8AOSItV6EiDwg4PthKD8r2IEEiLRehIg8APSItV6EiDwg8PthKD8jOIEJBdw0FXQVZBif9BVUFUTI0l/gMgAFVIjS3+AyAAU0mJ9kmJ1Uwp5UiD7AhIwf0D6L/6//9Ihe10IDHbDx+EAAAAAABMiepMifZEif9B/xTcSIPDAUg563XqSIPECFtdQVxBXUFeQV/DkGYuDx+EAAAAAADzwwAASIPsCEiDxAjDAAAAAQACAAAAAAAAAAAAAAAAAB1SKHcd5DtABF6D6iFf6O5DaGFsbGVuZ2U6IAAAAAAAJTAyeCUwMnglMDJ4JTAyeCUwMnglMDJ4JTAyeCUwMnglMDJ4JTAyeCUwMnglMDJ4JTAyeCUwMnglMDJ4JTAyeABTZW5kIGl0IGJhY2shAFdyb25nIDpDAAEbAzs8AAAABgAAAAj6//+IAAAAiPr//1gAAAB++///sAAAADn9///gAAAA+P7//wABAABo////SAEAAAAAAAAUAAAAAAAAAAF6UgABeBABGwwHCJABBxAUAAAAHAAAACj6//8qAAAAAAAAAAAAAAAUAAAAAAAAAAF6UgABeBABGwwHCJABAAAkAAAAHAAAAHj5//9wAAAAAA4QRg4YSg8LdwiAAD8aOyozJCIAAAAALAAAAEQAAADG+v//uwEAAABBDhCGAkMNBk2PA44EjQWMBoMHA6kBDAcIAAAAAAAAHAAAAHQAAABR/P//vwEAAABBDhCGAkMNBgO6AQwHCABEAAAAlAAAAPD9//9lAAAAAEIOEI8CQg4YjgNFDiCNBEIOKIwFSA4whgZIDjiDB00OQHIOOEEOMEEOKEIOIEIOGEIOEEIOCAAUAAAA3AAAABj+//8CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAZAAAAAAABABkAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAwAAAAAAAAA8ARAAAAAAAANAAAAAAAAAHQKQAAAAAAAGQAAAAAAAAAQDmAAAAAAABsAAAAAAAAACAAAAAAAAAAaAAAAAAAAABgOYAAAAAAAHAAAAAAAAAAIAAAAAAAAAPX+/28AAAAAmAJAAAAAAAAFAAAAAAAAAHgDQAAAAAAABgAAAAAAAAC4AkAAAAAAAAoAAAAAAAAAfwAAAAAAAAALAAAAAAAAABgAAAAAAAAAFQAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAABBgAAAAAAACAAAAAAAAAJAAAAAAAAAAFAAAAAAAAAAHAAAAAAAAABcAAAAAAAAAYARAAAAAAAAHAAAAAAAAAEgEQAAAAAAACAAAAAAAAAAYAAAAAAAAAAkAAAAAAAAAGAAAAAAAAAD+//9vAAAAAAgEQAAAAAAA////bwAAAAABAAAAAAAAAPD//28AAAAA+ANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgOYAAAAAAAAAAAAAAAAAAAAAAAAAAAACYFQAAAAAAANgVAAAAAAABGBUAAAAAAAFYFQAAAAAAAZgVAAAAAAAB2BUAAAAAAAAAAAAAAAAAAAAAAAAAAAABHQ0M6IChVYnVudHUgNS40LjAtNnVidW50dTF+MTYuMDQuNCkgNS40LjAgMjAxNjA2MDkAAC5zaHN0cnRhYgAuaW50ZXJwAC5ub3RlLkFCSS10YWcALm5vdGUuZ251LmJ1aWxkLWlkAC5nbnUuaGFzaAAuZHluc3ltAC5keW5zdHIALmdudS52ZXJzaW9uAC5nbnUudmVyc2lvbl9yAC5yZWxhLmR5bgAucmVsYS5wbHQALmluaXQALnBsdC5nb3QALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAuaW5pdF9hcnJheQAuZmluaV9hcnJheQAuamNyAC5keW5hbWljAC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsAAAABAAAAAgAAAAAAAAA4AkAAAAAAADgCAAAAAAAAHAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAATAAAABwAAAAIAAAAAAAAAVAJAAAAAAABUAgAAAAAAACAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAIQAAAAcAAAACAAAAAAAAAHQCQAAAAAAAdAIAAAAAAAAkAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAADQAAAD2//9vAgAAAAAAAACYAkAAAAAAAJgCAAAAAAAAHAAAAAAAAAAFAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAA+AAAACwAAAAIAAAAAAAAAuAJAAAAAAAC4AgAAAAAAAMAAAAAAAAAABgAAAAEAAAAIAAAAAAAAABgAAAAAAAAARgAAAAMAAAACAAAAAAAAAHgDQAAAAAAAeAMAAAAAAAB/AAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAE4AAAD///9vAgAAAAAAAAD4A0AAAAAAAPgDAAAAAAAAEAAAAAAAAAAFAAAAAAAAAAIAAAAAAAAAAgAAAAAAAABbAAAA/v//bwIAAAAAAAAACARAAAAAAAAIBAAAAAAAAEAAAAAAAAAABgAAAAEAAAAIAAAAAAAAAAAAAAAAAAAAagAAAAQAAAACAAAAAAAAAEgEQAAAAAAASAQAAAAAAAAYAAAAAAAAAAUAAAAAAAAACAAAAAAAAAAYAAAAAAAAAHQAAAAEAAAAQgAAAAAAAABgBEAAAAAAAGAEAAAAAAAAkAAAAAAAAAAFAAAAGAAAAAgAAAAAAAAAGAAAAAAAAAB+AAAAAQAAAAYAAAAAAAAA8ARAAAAAAADwBAAAAAAAABoAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAeQAAAAEAAAAGAAAAAAAAABAFQAAAAAAAEAUAAAAAAABwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAIQAAAABAAAABgAAAAAAAACABUAAAAAAAIAFAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACNAAAAAQAAAAYAAAAAAAAAkAVAAAAAAACQBQAAAAAAAOIEAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAkwAAAAEAAAAGAAAAAAAAAHQKQAAAAAAAdAoAAAAAAAAJAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAJkAAAABAAAAAgAAAAAAAACACkAAAAAAAIAKAAAAAAAAiAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAChAAAAAQAAAAIAAAAAAAAACAtAAAAAAAAICwAAAAAAADwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAArwAAAAEAAAACAAAAAAAAAEgLQAAAAAAASAsAAAAAAAAkAQAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAALkAAAAOAAAAAwAAAAAAAAAQDmAAAAAAABAOAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADFAAAADwAAAAMAAAAAAAAAGA5gAAAAAAAYDgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAA0QAAAAEAAAADAAAAAAAAACAOYAAAAAAAIA4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAANYAAAAGAAAAAwAAAAAAAAAoDmAAAAAAACgOAAAAAAAA0AEAAAAAAAAGAAAAAAAAAAgAAAAAAAAAEAAAAAAAAACIAAAAAQAAAAMAAAAAAAAA+A9gAAAAAAD4DwAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA3wAAAAEAAAADAAAAAAAAAAAQYAAAAAAAABAAAAAAAABIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAOgAAAABAAAAAwAAAAAAAABIEGAAAAAAAEgQAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADuAAAACAAAAAMAAAAAAAAAWBBgAAAAAABYEAAAAAAAAAgAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA8wAAAAEAAAAwAAAAAAAAAAAAAAAAAAAAWBAAAAAAAAA0AAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAIwQAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA=
Flag:
```

All binaries are identical for the exception of the randomly changing key, which we have to find the correct challenge for.

Running the binary prompts for the challenge, encodes it, and then compares it with the random key.
```
root@pwnie:~# base64 -d f0VMRgIBAQAAAAAAAAAAAAIA... > fever.bin

root@pwnie:~# file fever.bin
fever.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked,
interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32,
BuildID[sha1]=6eb24d371ab6524ea03ae5e1cff24f286d2ff985, stripped

root@pwnie:~# ./fever.bin
Challenge: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Wrong :C
```

Essentially, the binary boils down to the following code:
```asm
.text:00000000004007CD call ___isoc99_scanf
.text:00000000004007D2 add rsp, 60h
.text:00000000004007D6 mov rax, [rbp+s2]
.text:00000000004007DA mov edx, dword ptr [rbp+n]
.text:00000000004007DD mov esi, edx
.text:00000000004007DF mov rdi, rax
.text:00000000004007E2 call sub_400841
.text:00000000004007E7 mov rax, [rbp+s2]
.text:00000000004007EB mov edx, dword ptr [rbp+n] ; n
.text:00000000004007EE mov rsi, rax ; s2
.text:00000000004007F1 mov edi, offset unk_400A90 ; s1
.text:00000000004007F6 call _memcmp
.text:00000000004007FB test eax, eax
.text:00000000004007FD jnz short loc_40080B
.text:00000000004007FF mov edi, offset s ; "Send it back!"
.text:0000000000400804 call _puts
.text:0000000000400809 jmp short loc_400815
```

* `call ___isoc99_scanf` to get the challenge
* `call sub_400841` to encode the challenge
* `call _memcmp` to check if the encoded challenge is the same as the random key

If we examine `sub_400841` (encoder), we will observe that the encoder relies on XORs, which are easily reversed by applying the same XORs. So to get the correct challenge, all we need to do is encode the provided random key.

The key is always hardcoded at `.rodata+0x10`:
```asm
.rodata:0000000000400A90 unk_400A90 db 0B4h ; ¦
.rodata:0000000000400A91 db 0EEh ; e
.rodata:0000000000400A92 db 96h ; û
.rodata:0000000000400A93 db 0DBh ; ¦
.rodata:0000000000400A94 db 16h
.rodata:0000000000400A95 db 31h ; 1
.rodata:0000000000400A96 db 0E5h ; s
.rodata:0000000000400A97 db 7Eh ; ~
.rodata:0000000000400A98 db 88h ; ê
.rodata:0000000000400A99 db 18h
.rodata:0000000000400A9A db 21h ; !
.rodata:0000000000400A9B db 6Ah ; j
.rodata:0000000000400A9C db 5
.rodata:0000000000400A9D db 0CAh ; -
.rodata:0000000000400A9E db 9Fh ; ƒ
.rodata:0000000000400A9F db 0B9h ; ¦
```

I used `angr` (http://angr.io/) to solve this task by patching the binaries and reusing their own code to reverse the key.

```python
import angr, os
from pwn import *

_key = 0x0
_challenge = 0x0

##### offsets for hooking
_scanf = 0x4007CD
_encoder = 0x4007E2
_get_challenge = 0x4007EB

##### skip reading stdin
def scanf_patch(state):
pass

##### get the key and manually set it as the input instead of stdin
def encoder_patch(state):
key = state.memory.load(_key, 16, endness='Iend_LE')
state.memory.store(state.regs.rax, key, endness='Iend_LE')

##### get the resulting challenge after encoding
def get_challenge_patch(state):
global _challenge
_challenge = state.memory.load(state.regs.rax, 16, endness='Iend_BE')

##### solve the binary by running it
def solve(binary):
global _key
p = angr.Project(binary)

for section in p.loader.main_bin.sections:
if section.name == '.rodata':
_key = section.min_addr + 0x10
break

init = p.factory.entry_state()
p.hook(_scanf, func=scanf_patch, length=5)
p.hook(_encoder, func=encoder_patch)
p.hook(_get_challenge, func=get_challenge_patch)
path = p.factory.path_group(init)
explore = path.explore()

key = 0x0
for o in _challenge.to_literal()['objects']:
key = _challenge.to_literal()['objects'][o]['object'][1][0]
key = '%s' % hex(key)
key = key[2:]

if len(key) != 32:
key = '0%s' % key

return key

##### run the solver 1000 times
for _ in range(1001):
p = remote('reverse.ctf.org.ru', 8269)
p.recv()
p.sendline('XRUST')
print p.recvlines(2)
binary = p.recvline()
filename = '/tmp/fever.bin'
with open(filename, 'wb') as f:
f.write(binary.decode('base64'))
os.system('chmod +x %s' % filename)
p.recv()
p.sendline(solve(filename))
print p.recvall()
p.close()

# flag is DEAL_WITH_IT
```

Original writeup (https://github.com/adeptex/CTF/blob/master/reverse-fever.md).

Comments