Hello friends, picoCTF 2022 concluded a month ago and it was a lot of fun, picoCTF is a CTF that mainly targets beginner who are learning about CTFs.
Enough talking let’s get into the challenge
Challenge
- The challenge I’ll be talking about today is in the Reverse Engineering category.
- So we basically we have the python program which is in it’s source code and a flag which is encrypted.
- Let’s open up the python file and look at it
File analysis
- The file is obfuscated in a way that it makes it hard for us to read. It also makes AV unable to detect certain strings from the file.
- We have a long string in variable a which defines some characters for it to use.
- For those who are not familiar with how strings work, you can use array notations to access by character.
- Lets try to print out what function arg133 is doing for the if statement.
- So it’s checking whether the argument we supplied is equal to happychance. Let’s do the same for other functions.
- Let’s try renaming some of the functions so it make sense.
- So first we open the encrypted flag to be read and save it to arg444.
- Next we ask the user to input and save to arg432.
- Now we run the check() function on arg432 which is the user input to see if it matches the string happychance.
- If it doesn’t matches, the system will exit with code 0, if it does then print the welcomeflag() message.
- Finally the decoder() function will decode arg444 which is the encrypted flag and save it to arg423.
- Then the program prints out the flag.
Conclusion
Malware most of the time are obfuscated in a way so that the analyst and AV can’t detect them straight away. De-obfuscating is a great way to understand how a program works if its obfuscated. Don’t panic when having to deal with obfuscated file since there is always a way to de-obfuscate them :)