Start

Like the first one, the program also need us to input the correct passphrase to get the flag.

1
2
3
4
❯ ./rhinegold
What is the passphrase of the vault?
> hello world
Wrong passphrase!

Code Content

Load it into IDA, we could quickly get of this, which almost as the first one in main function:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
  printf("What is the passphrase of the vault?\n> ");
  fgets(s, 47, stdin);
  s[46] = 0;
  if ( (unsigned __int8)check(s) )
  {
    stream = fopen("rhinegold.txt", "r");
    if ( !stream )
      return -1;
    fseek(stream, 0LL, 2);
    nmemb = ftell(stream);
    fseek(stream, 0LL, 0);
    ptr = calloc(nmemb, 1uLL);
    if ( !ptr )
      return -1;
    fread(ptr, 1uLL, nmemb, stream);
    fclose(stream);
    printf((const char *)ptr);
    v4 = strlen(s);
    MD5(s, v4, v9);
    printf("flag{");
    for ( i = 0; i <= 15; ++i )
      printf("%02x", (unsigned __int8)v9[i]);
    puts("}");
  }
  else
  {
    puts("Wrong passphrase!");
  }
  return 0;

So let’s check the check() function.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
  strcpy(nptr, "TIME");
  seed = strtol(nptr, 0LL, 10);
  srand(seed);
  for ( i = 45LL; i; --i )
  {
    v1 = rand();
    v5 = *(_BYTE *)(a1 + i);
    *(_BYTE *)(a1 + i) = *(_BYTE *)(a1 + v1 % 46);
    *(_BYTE *)(a1 + v1 % 46) = v5;
  }
  strcpy(v8, "cioerosgaenessT   ns k urelh oLdTie heri nfdfR");
  for ( j = 0; j <= 46; ++j )
  {
    if ( *(_BYTE *)(j + a1) != v8[j] )
      return 0LL;
  }
  return 1LL;

In here, the logic also very clear, according to man 3 strtol, we could get that the seed variable is 0. so we could make the function logic more clear like follow:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
  srand(0);
  for (int i = 45; i ; --i) {
    int rand_idx = rand() % 46;
    char tmp = a1[i];
    a1[i] = a1[rand_idx];
    a1[rand_idx] = a1[i];
  }
  strcpy(target, "cioerosgaenessT   ns k urelh oLdTie heri nfdfR");
  for (int j = 0; j <= 46; ++j) {
    if (a1[j] != target[j])
      return 0;
  }
  return 1;

Solution

This logic is clearer than the first level. The only thing to pay attention to is we need reverse the swap order.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
  #include <stdio.h>
  static char target[47] = "cioerosgaenessT   ns k urelh oLdTie heri nfdfR";
  int main() {
    // cause we need reverse order, so get the rand_idx first.
    int idx[45] = {28, 33, 43, 17, 27, 10, 23, 32, 45, 5, 17, 22, 28, 44,45,
      27, 39, 27,30, 16,24, 3, 25,34, 39,12, 8, 10,38, 40, 9, 17,
      6, 39, 40, 1, 11, 24, 14, 23, 29, 25, 29, 0, 11};
    for (int i = 1; i < 46; i++) {
      char tmp = target[i];
      target[i] = target[idx[i - 1]];
      target[idx[i - 1]] = tmp;
    }
    printf("%s\n", target);
    return 0;
  }

use the correct passphrase to get the flag:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
❯ ./rhinegold
What is the passphrase of the vault?
> This sounds like a Lord of The Rings reference
________________________________________░░░░____________░░░░______________________________________
________________________________░░______________________________░░░░______________________________
____________________________░░______________________________________░░░░__________________________
________________________________________________________________________░░________________________
______________________░░__________________________________________________░░░░____________________
______________________________________________________________________________░░__________________
______________________________________░░░░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▒▒░░░░__________________░░________________
__________________________________░░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒░░________________░░______________
______________________________░░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒________________░░____________
__________________________░░▒▒▒▒▓▓▓▓▓▓▓▓▓▓░░______________▓▓▓▓▓▓▓▓▒▒░░░░____________░░░░__________
__________░░____________░░▒▒▓▓▓▓▓▓▓▓____________________________▓▓▓▓▓▓▒▒░░____________░░░░________
______________________░░▒▒▓▓▓▓▓▓____________________________________▓▓▒▒▒▒░░__________░░░░________
______________________▒▒▓▓▓▓▓▓________________________________________▓▓▓▓▒▒░░__________░░░░______
______░░____________▒▒▓▓▓▓▓▓____________________________________________▓▓▒▒░░░░________░░░░▒▒____
__________________░░▒▒▓▓▓▓░░____________________________________________░░▒▒▒▒░░░░______░░░░▒▒____
__________________░░▓▓▓▓▓▓________________________________________________▓▓▒▒░░░░______░░░░▒▒____
____░░____________▒▒▓▓▓▓____________________________________________________▒▒░░░░________░░▒▒▒▒__
____░░__________░░▓▓▓▓▓▓____________________________________________________▒▒▒▒░░░░______░░▒▒▒▒__
____░░__________▒▒▓▓▓▓________________________________________________________▒▒░░░░______░░▒▒▒▒__
________________▒▒▓▓▓▓________________________________________________________▒▒░░░░░░____░░▒▒▒▒__
__░░__________░░▓▓▓▓▒▒________________________________________________________▒▒░░░░░░____░░▒▒▒▒▓▓
__░░__________▒▒▓▓▓▓____________________________________________________________░░░░░░░░__░░▒▒▒▒▓▓
__░░__________▒▒▓▓▓▓____________________________________________________________░░░░░░░░__░░▒▒▒▒▓▓
__░░__________▒▒▓▓▓▓____________________________________________________________░░░░░░░░__░░▒▒▒▒▓▓
__░░░░________▒▒▓▓▓▓____________________________________________________________░░░░__░░░░░░▒▒▒▒▓▓
__░░░░________▒▒▓▓▓▓____________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓
__▒▒░░________▒▒▓▓▓▓____________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓
__▒▒░░░░______▒▒▓▓▓▓____________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓
__▓▓░░░░______░░▓▓▓▓▒▒________________________________________________________░░______░░░░▒▒▒▒▓▓▓▓
____▒▒░░________▒▒▓▓▓▓________________________________________________________░░____░░░░▒▒▒▒▒▒▓▓__
____▒▒░░░░______░░▓▓▓▓________________________________________________________░░____░░░░▒▒▒▒▓▓▓▓__
____▓▓▒▒░░______░░▒▒▓▓▓▓____________________________________________________░░______░░▒▒▒▒▒▒▓▓▓▓__
____▓▓▒▒░░░░______▒▒▒▒▓▓__________________________________________________________░░░░▒▒▒▒▒▒▓▓▓▓__
______▒▒▒▒░░░░____▒▒▒▒▒▒▒▒________________________________________________________░░▒▒▒▒▒▒▒▒▓▓____
______▓▓▒▒░░░░____░░░░▒▒▒▒▓▓____________________________________________░░______░░░░▒▒▒▒▒▒▓▓▓▓____
________▒▒▒▒░░░░____░░▒▒▒▒▒▒▒▒________________________________________░░______░░░░▒▒▒▒▒▒▒▒▓▓______
__________▓▓▒▒░░░░__░░░░░░░░▒▒▓▓____________________________________░░______░░░░▒▒▒▒▒▒▓▓▓▓________
__________▓▓▓▓▒▒░░░░░░░░░░░░░░▒▒▒▒▓▓____________________________░░________░░░░▒▒▒▒▒▒▓▓▓▓▓▓________
____________▓▓▓▓▒▒░░░░░░░░░░░░░░░░▒▒▒▒▒▒▒▒________________░░░░__________░░░░▒▒▒▒▒▒▓▓▓▓▓▓__________
______________▓▓▓▓▒▒░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░________________░░░░▒▒▒▒▒▒▓▓▓▓▓▓____________
________________▓▓▒▒▒▒▒▒░░░░░░░░░░░░░░░░░░________________________░░░░▒▒▒▒▒▒▒▒▒▒▓▓▓▓______________
__________________▓▓▓▓▓▓▒▒▒▒░░░░░░░░░░░░░░░░______________░░░░░░░░▒▒▒▒▒▒▒▒▒▒▓▓▓▓▓▓________________
____________________▓▓▓▓▓▓▓▓▒▒▒▒▒▒▒▒░░░░░░░░░░░░░░░░░░░░░░░░▒▒▒▒▒▒▒▒▒▒▒▒▓▓▓▓▓▓▓▓__________________
______________________██▓▓▓▓▓▓▓▓▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▓▓▓▓▓▓▓▓██____________________
__________________________██▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓██________________________
____________________________████▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓████__________________________
________________________________████████▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓████████______________________________
________________________________░░░░░░░░▓▓██████████████████░░░░░░░░______________________________

flag{a59b300dcc0253601d3faea254c58fdd}

NahamCTF 2024 writeups for Ring Cycle 2

文章目录

Start

Code Content

Solution