Some Assembly Required 2

Problem

http://mercury.picoctf.net:53929/index.html

Solution

  1. The website is identical to "Some Assembly Required 1", except a slightly different base64 wasm string is downloaded.

  2. Using write_wasm.py I converted this string to an actual wasm file. I then decompiled it using wasm-decompile from WebAssembly/wabt. The output can be found in wasm-decompile-output.c (note that this is not C code; it is C-like). When compared with the decompiled wasm code for the previous challenge, only these lines are new/changed:

    At the end of the copy function:

    if (eqz(f)) goto B_a;
    var g:int = e[3];
    var h:int = 8;
    var i:int = g ^ h;
    e[3] = i;
    label B_a:
    var j:int = e[3];
    var k:byte_ptr = e[2];
    k[1072] = j;

    At the beginning of the file where the flag is defined:

    data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) = 
    "xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";

    Thus, I assume that the functionality is much the same and the majority of the script must be used to simply return that variable.

  3. I copied the variable content xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u (which can be seen from the decoded base64 text) into CyberChef. I used the magic block to search for picoCTF and sure enough it found the flag. Apparently, the decoding is an xor with 8.
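
The decoding from step 3, reproduced offline as an added example (not part of the original write-up): it parses the data literal from the wasm-decompile output, derives the single-byte XOR key from the known `picoCTF{` prefix rather than assuming 8, and decodes the string. The function names and the escape handling in `parse_data_literal` are assumptions made for this example.

```python
import re
from typing import Optional

# Data-segment literal exactly as printed in the wasm-decompile output above.
DATA_LITERAL = r"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00"
KNOWN_PREFIX = b"picoCTF{"  # flag format the write-up searched for


def parse_data_literal(text: str) -> bytes:
    # Assumption: a backslash followed by two hex digits is an escaped byte
    # (the trailing \00 pair); any other backslash is a literal 0x5c byte.
    raw = text.encode("latin-1")
    return re.sub(rb"\\([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def recover_xor_key(data: bytes, prefix: bytes) -> Optional[int]:
    # Known-plaintext check: every prefix byte must imply the same key,
    # otherwise the data is not a single-byte XOR of that prefix.
    if len(data) < len(prefix):
        return None
    keys = {c ^ p for c, p in zip(data, prefix)}
    return keys.pop() if len(keys) == 1 else None


def decode(data: bytes, key: int) -> str:
    # Trailing NUL bytes terminate the string and are not part of the flag.
    body = data.rstrip(b"\x00")
    return bytes(b ^ key for b in body).decode("ascii")


def solve(literal: str = DATA_LITERAL):
    data = parse_data_literal(literal)
    key = recover_xor_key(data, KNOWN_PREFIX)
    if key is None:
        raise ValueError("not a single-byte XOR of the expected prefix")
    return key, decode(data, key)


if __name__ == "__main__":
    key, flag = solve()
    print(f"key={key} flag={flag}")
```

The literal backslash in the data (`\N`) is the encoded `T` of `picoCTF`, which is why the parser must not treat every backslash as the start of an escape.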

Flag

picoCTF{6f3bd18312ebf1e48f12282200948876}
