Points: 250

Tags: reverse engineering 

The file text.txt contains a string of 21 Unicode characters:

幾湂潌蕔䩘桢豝詧䭡䝵敯䡨剱挧䍩硷穏罣㈡䨥贇

A function decompiled in Ghidra, FUN_00101070, performs an encoding routine that recursively processes pairs of ASCII characters into these wide Unicode code points. Our goal is to reverse this process and extract the original flag, which we know follows the format BtSCTF{...}.

Function behavior

The function reads two bytes at a time from its input.

It calculates a sum (uVar3) made up of the high nibbles (upper 4 bits) of the two current bytes plus the recursively computed sum for the bytes that follow.

It builds a 16-bit Unicode character as:

hi = (((uVar3 >> 4) + s[i]) & 0xf) | (s[i] & 0xf0);
lo = ((uVar3 + s[i+1]) & 0xf) | (s[i+1] & 0xf0);
W = ((hi << 8) | lo) + 0x1000;

The result is printed via putwc, and the function calls itself recursively, advancing two bytes each time.

Reversing the encoding

Undoing the encoding, step by step:

It adds 0x1000 to the result, so we start by subtracting it:

X = W - 0x1000

Extract the upper and lower bytes:

A = (X >> 8) & 0xff
B = X & 0xff

From there, split each byte into its high and low nibble:

hi_i, loA = A >> 4, A & 0xf
hi_j, loB = B >> 4, B & 0xf

The high nibbles pass through the encoding untouched (the `| (s[i] & 0xf0)` term), and uVar3 is built only from high nibbles, so uVar3 for every pair can be recomputed from the encoded text itself, working from the last pair backwards. With uVar3 known, derive the original low nibbles:

lo_i = (loA - ((uVar3 >> 4) & 0xf)) & 0xf
lo_j = (loB - (uVar3 & 0xf)) & 0xf

Recover the original ASCII bytes:

b_i = (hi_i << 4) | lo_i
b_j = (hi_j << 4) | lo_j
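The encoder described under "Function behavior" and the inverse derived in the steps above, put into runnable form as an added example; this is not code from the challenge binary or from the writeup author. It assumes that uVar3 is the sum, over the current pair and every pair after it, of each byte's high nibble shifted down to the range 0..15 (my reading of the description above), and that the 42nd plaintext byte is the flag string's NUL terminator, which is why a 41-character flag yields 21 code points. The names CIPHERTEXT, encode, decode and recover_flag are mine. The decoder rebuilds uVar3 from the ciphertext's own high nibbles; the encoder exists only to check the round trip against text.txt.

```python
# Added example: re-implements the encoding routine as described above and
# the inverse derived from it, then checks both against the text.txt contents.
# Assumption: uVar3 for the pair at offset i is the sum of (byte >> 4) over
# every byte from i to the end of the input.

CIPHERTEXT = "幾湂潌蕔䩘桢豝詧䭡䝵敯䡨剱挧䍩硷穏罣㈡䨥贇"  # the 21 characters from text.txt


def high_nibble_sum(data: bytes, i: int) -> int:
    """uVar3 for the pair starting at offset i (assumed definition)."""
    return sum(b >> 4 for b in data[i:])


def encode(data: bytes) -> str:
    """Forward routine, reconstructed from the decompiled pseudocode."""
    if len(data) % 2:
        raise ValueError("input must be an even number of bytes")
    out = []
    for i in range(0, len(data), 2):
        u = high_nibble_sum(data, i)
        b_i, b_j = data[i], data[i + 1]
        hi = (((u >> 4) + b_i) & 0xF) | (b_i & 0xF0)
        lo = ((u + b_j) & 0xF) | (b_j & 0xF0)
        out.append(chr(((hi << 8) | lo) + 0x1000))
    return "".join(out)


def decode(text: str) -> bytes:
    """Inverse: recover the plaintext bytes from the wide characters."""
    # Strip the +0x1000 offset and split each code point into bytes A and B.
    pairs = []
    for w in text:
        x = ord(w) - 0x1000
        pairs.append(((x >> 8) & 0xFF, x & 0xFF))
    # High nibbles survive the encoding unchanged, so uVar3 for each position
    # is a suffix sum that can be rebuilt from the ciphertext, right to left.
    recovered = []
    u = 0
    for a, b in reversed(pairs):
        u += (a >> 4) + (b >> 4)          # uVar3 for this pair
        lo_i = ((a & 0xF) - ((u >> 4) & 0xF)) & 0xF
        lo_j = ((b & 0xF) - (u & 0xF)) & 0xF
        recovered.append(bytes([(a & 0xF0) | lo_i, (b & 0xF0) | lo_j]))
    return b"".join(reversed(recovered))


def recover_flag(text: str = CIPHERTEXT) -> str:
    """Decode text.txt and drop the assumed trailing NUL terminator."""
    return decode(text).rstrip(b"\x00").decode("ascii")


if __name__ == "__main__":
    flag = recover_flag()
    print(flag)
    # Round trip: re-encoding the flag plus its terminator must give text.txt.
    assert encode(flag.encode("ascii") + b"\x00") == CIPHERTEXT
```

Running the script prints the flag; the final assertion in the main block confirms that the reconstructed encoder reproduces all 21 characters of text.txt, which is the check that the assumed definition of uVar3 is the right one.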

Final result

Combining all of the individual steps above recovers the flag:

BtSCTF{W0W_it_re4l1y_m3aNs_$0methIng!!:)}

Writeups

rakuz4n (not rated)