REbase
Binary RE, 400 points

Description

You receive an ELF binary which you must unlock with a key. Find the key and it will contain your flag.

Solution

So I read writeups about solving the challenge the "correct" way and I wanted to share my own solution which does not require any reverse engineering.
We are given a 64-bit ELF rebase. Let's see what's up with it:
    ╭─[email protected] ~/stemctf
    ╰─$ ./rebase
    Usage: ./REbase flag
    ╭─[email protected] ~/stemctf
    ╰─$ ./rebase zzzzzz
    6
    tfh5tfh5
    ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8=
    Try Again :(
    ╭─[email protected] ~/stemctf
    ╰─$ ./rebase MCA{test}
    9
    ZXFWt2Kse2K8
    ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8=
    Try Again :(
So the binary takes a flag as its argument and outputs:
    the length of the flag we provided
    some kind of encrypted version of the flag we provided
    something that is probably the encrypted version of the actual flag.
We can also notice that starting our input with MCA{ makes the first characters of the two ciphertexts match up. Also, it looks like base64 but
With some groping around, we can find the password without actually reverse engineering the binary. It just takes a while to do manually (but is still totally doable). I wrote a script to automate the process (rebase.py).
I am not entirely sure about my script because the farthest it goes only yields this portion of the flag: MCA{[email protected]_L3m0n_SqU33z. We can easily deduce the true flag from there, though.
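The probing described above can be automated as a prefix search; the following is an added example, not the author's rebase.py. It assumes the encoding is base64 over a substituted alphabet, and `encode`, `ALT` and `SAMPLE_FLAG` are a constructed stand-in for the binary so the block runs offline. It keeps every candidate that agrees with the output characters already fully determined by the guessed bytes, which resolves the ambiguity inside a 3-byte group and at the padded tail.

```python
import base64
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed stand-in for the binary (assumption): base64 over a rotated
# alphabet. The real alphabet is not given on the page.
ALT = STD[17:] + STD[:17]
TABLE = str.maketrans(STD, ALT)
SAMPLE_FLAG = "CTF{n0t_th3_r3al_fl4g!}"  # constructed, not the challenge flag

def encode(guess: str) -> str:
    """Models the second output line: the encoding of our own input."""
    return base64.b64encode(guess.encode()).decode().translate(TABLE)

TARGET = encode(SAMPLE_FLAG)  # models the third output line (encoded secret)

def recover(oracle, target, charset=string.printable[:94], max_len=64):
    """Recover the input behind `target` using only oracle(guess) outputs."""
    frontier, calls = [""], 0
    for n in range(1, max_len + 1):
        fixed = (8 * n) // 6  # output chars fully determined by n input bytes
        survivors = []
        for prefix in frontier:
            for ch in charset:
                cand = prefix + ch
                out = oracle(cand)
                calls += 1
                if out == target:            # whole encoding matches: done
                    return cand, calls
                if out[:fixed] == target[:fixed]:
                    survivors.append(cand)   # still consistent, keep it
        if not survivors:                    # target is not reachable
            break
        frontier = survivors
    return None, calls

if __name__ == "__main__":
    print(recover(encode, TARGET))
```

Against the real binary, `oracle` would be a wrapper that runs it and returns the second output line, with the third line as `target`.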
    ╭─[email protected] ~/stemctf
    ╰─$ ./rebase MCA{[email protected]_L3m0n_SqU33zy}
    38
    ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8=
    ZXFWtmKgDZCyrmC5B+CiVfsyXUCQVfsyZRFzDU4yX2YCD/F5Ih8=
    Congratulations!
Enjoy!
Last modified 2yr ago