Rating:
> rev200
>
> Description: You haxor, come on you little sciddie... debug me, eh? You fucking little lamer... You fuckin' come on, come debug me! I'll get your ass, you jerk! Oh, you IDA monkey! Fuck all you and your tools! Come on, you scum haxor, you try to reverse me? Come on, you asshole!!
>
> Webpage: [rev200.zip](https://0xd13a.github.io/ctfs/hackit2017/rev200/rev200.zip)
The attachment is a Windows DLL. Let's open it in IDA and look for interesting artifacts.
```efi_main``` function asks for a flag and then runs function ```algo``` on it:
```
...
.text:00000000709412AD lea rcx, aEnterTheFlag ; "Enter the flag: "
.text:00000000709412B4 call Input
...
.text:00000000709412F5 lea rax, [rbp+var_A0]
.text:00000000709412FC mov rcx, rax
.text:00000000709412FF call algo
...
```
Function ```algo``` performs a bunch of permutations on flag's characters and then compares it to ```correct``` constant (which is ```40``` 32-bit integers long, one per each flag's character):
```
...
.text:00000000709411FF lea rdx, correct
.text:0000000070941206 mov rcx, rax
.text:0000000070941209 call memcmp
.text:000000007094120E test eax, eax
.text:0000000070941210 jnz short loc_70941220
.text:0000000070941212 lea rcx, Format ; "\nCorrect\n"
.text:0000000070941219 call Print
.text:000000007094121E jmp short loc_7094122C
.text:0000000070941220 ; ---------------------------------------------------------------------------
.text:0000000070941220
.text:0000000070941220 loc_70941220: ; CODE XREF: algo+19F
.text:0000000070941220 lea rcx, aWrong ; "\nWrong\n"
.text:0000000070941227 call Print
...
```
Skipping the encoding algorithm details, here is the summary:
* For each of the 20 characters in the first half the flag: XOR with 0xC, add 6, XOR with 0xD, add 7, XOR with 0xE, add 8
* For each of the 20 characters in the second half the flag: XOR with 0xF, add 9, XOR with 0x10, add 10, XOR with 0x11, add 11
A small script will help automate the decoding:
```python
data = bytearray(open("rev200.efi","rb").read())
enc1 = lambda c : (((((c ^ 0xC) + 6) ^ 0xD) + 7) ^ 0xE) + 8
enc2 = lambda c : (((((c ^ 0xF) + 9) ^ 0x10) + 10) ^ 0x11) + 11
out = ""
for x in range(20):
for z in range(0x7F):
if (data[0x5400 + x*4] == enc1(z)):
out += chr(z)
for x in range(20):
for z in range(0x7F):
if (data[0x5400 + 80 + x*4] == enc2(z)):
out += chr(z)
print out
```
Running the script gets us the flag ```h4ck1t{ff77af3cf8d4e1e67c4300aeb5ba6344}```:
```sh
$ python solve.py
h4ck1t{ff77af3cf8d4e1e67c4300aeb5ba6344}
```
