ångstromCTF Califrobnication writeup

SPRUSH
Mar 25, 2020


Category: REV

Description: It’s the edge of the world and all of western civilization. The sun may rise in the East at least it’s settled in a final location. It’s understood that Hollywood sells Califrobnication.

You get source for this one. Find the flag at /problems/200/califrobnication on the shell server.

Author: kmh11

Solution:

In this task we are given the source code, a compiled binary, and a flag file we cannot read. Reading the source shows that the flag is scrambled with strfry and memfrob. strfry produces an anagram of the string using a pseudo-random generator seeded from the timestamp and the pid, while memfrob simply XORs every byte with 0x2a. To solve the task we need the timestamp and pid of the running binary. Let's get them with

date +%s && ./califrobnication &

This gives us the following information:

Timestamp: 1584481924

Pid: 4352

Encrypted flag: ^o\x02BS^\x04QBDV\\oY_SSVSoYY\x01\x05VTQQRQTVDM\x05\x06_U]\tQ\x01T\x08_\x04K\x00

After running memfrob we get an anagram: n_2rcn4artfl_ioccfc_ii15fdaabadft}56oem9a1d8o4{0

Now we need to reverse strfry. Although it is randomized, we have all the information needed to replicate it. We can get strfry source code here. After modifying the code, we get a strfry that works backwards. Here is the source code:

    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* strfry run backwards: regenerate its swaps, then undo them in reverse. */
    char* my_strfry (char* string)
    {
        static struct random_data rdata;
        static char state[32];

        /* Seed the generator the way strfry did: timestamp ^ pid of the run. */
        rdata.state = NULL;
        initstate_r (1584481924 ^ 4352, state, sizeof (state), &rdata);

        size_t len = strlen (string);
        int randval[len+1];

        /* Recompute the swap index strfry picked for each position. */
        for (size_t i = 0; i < len; i++){
            int32_t j;
            random_r (&rdata, &j);
            j = j % (len - i) + i;
            randval[i] = j;
        }

        /* Apply the swaps from last to first to restore the original order. */
        if (len > 0)
            for (int i = len-1; i >= 0; i--){
                int j = randval[i];
                char c = string[i];
                string[i] = string[j];
                string[j] = c;
            }
        return string;
    }

    int main(){
        char s[] = "n_2rcn4artfl_ioccfc_ii15fdaabadft}56oem9a1d8o4{0";
        my_strfry(s);
        printf("%s\n", s);
    }

Running this program yields the flag: actf{dream_of_califrobnication_1f6d458091cad254}
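The reversal above hard-codes one timestamp and pid. As an added example (not the challenge's code and not the code from this writeup), the sketch below generalizes it to the case where both values are only known approximately: it walks a small window of `time ^ pid` seeds and keeps the candidate that matches the flag format, which shows how little entropy such a seed has. The names `fry` and `recover`, the constructed flag, and the window sizes are assumptions; it relies on glibc's `initstate_r`/`random_r` behaving the same as on the machine that did the shuffling.

```c
#define _DEFAULT_SOURCE 1   /* expose glibc's initstate_r/random_r */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* strfry-style swaps for `seed`; undo != 0 replays them last-to-first. */
void fry(unsigned char *buf, size_t len, unsigned seed, int undo)
{
    static char state[32];
    struct random_data rd = {0};       /* rd.state must start out NULL */
    size_t idx[len + 1];
    int32_t r;
    initstate_r(seed, state, sizeof state, &rd);
    for (size_t i = 0; i + 1 < len; i++) {
        random_r(&rd, &r);
        idx[i] = (size_t)r % (len - i) + i;
    }
    for (size_t k = 0; k + 1 < len; k++) {
        size_t i = undo ? len - 2 - k : k;
        unsigned char c = buf[i];
        buf[i] = buf[idx[i]];
        buf[idx[i]] = c;
    }
}

/* Tries each seed t ^ pid in the window; accepts the first result that, after
   unshuffling and XOR 0x2a, has `prefix` and a final '}'. Returns the seed or 0. */
unsigned recover(const unsigned char *enc, size_t len, unsigned t0, unsigned span,
                 unsigned pid_max, const char *prefix, char *out /* len+1 bytes */)
{
    for (unsigned t = t0; t <= t0 + span; t++)
        for (unsigned pid = 1; pid <= pid_max; pid++) {
            memcpy(out, enc, len);
            fry((unsigned char *)out, len, t ^ pid, 1);
            for (size_t i = 0; i < len; i++) out[i] ^= 0x2a;   /* memfrob */
            out[len] = '\0';
            if (len && out[len - 1] == '}' && !strncmp(out, prefix, strlen(prefix)))
                return t ^ pid;
        }
    return 0;
}

int main(void)
{
    char flag[] = "actf{seed_is_guessed_0123456789}", out[sizeof flag]; /* constructed */
    size_t n = strlen(flag);
    for (size_t i = 0; i < n; i++) flag[i] ^= 0x2a;
    fry((unsigned char *)flag, n, 1600000002u ^ 4242u, 0);  /* constructed time ^ pid */
    if (recover((unsigned char *)flag, n, 1600000000u, 5, 5000, "actf{", out)) puts(out);
}
```

Because memfrob is a byte-wise XOR with a constant, it commutes with the shuffle, so the order in which the two are undone does not matter.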
