Some Assembly Required 2

Problem
​http://mercury.picoctf.net:53929/index.html​
Solution
1.The website is identical to "Some Assembly Required 1", except a slightly different bas64 wasm string is downloaded: AGFzbQEAAAABEwRgAABgAn9/AX9gAAF/YAJ/fwADBQQAAQIDBAUBcAEBAQUDAQACBjEIfwFBsIoEC38AQbAIC38AQYAIC38AQbAKC38AQYAIC38AQbCKBAt/AEEAC38AQQELB6EBDAZtZW1vcnkCABFfX3dhc21fY2FsbF9jdG9ycwAABnN0cmNtcAABCmNoZWNrX2ZsYWcAAgVpbnB1dAMBCWNvcHlfY2hhcgADDF9fZHNvX2hhbmRsZQMCCl9fZGF0YV9lbmQDAw1fX2dsb2JhbF9iYXNlAwQLX19oZWFwX2Jhc2UDBQ1fX21lbW9yeV9iYXNlAwYMX190YWJsZV9iYXNlAwcKogQEAgAL5wIBKn8jgICAgAAhAkEgIQMgAiADayEEIAQgADYCGCAEIAE2AhQgBCgCGCEFIAQgBTYCECAEKAIUIQYgBCAGNgIMAkADQCAEKAIQIQdBASEIIAcgCGohCSAEIAk2AhAgBy0AACEKIAQgCjoACyAEKAIMIQtBASEMIAsgDGohDSAEIA02AgwgCy0AACEOIAQgDjoACiAELQALIQ9B/wEhECAPIBBxIRECQCARDQAgBC0ACyESQf8BIRMgEiATcSEUIAQtAAohFUH/ASEWIBUgFnEhFyAUIBdrIRggBCAYNgIcDAILIAQtAAshGUH/ASEaIBkgGnEhGyAELQAKIRxB/wEhHSAcIB1xIR4gGyEfIB4hICAfICBGISFBASEiICEgInEhIyAjDQALIAQtAAshJEH/ASElICQgJXEhJiAELQAKISdB/wEhKCAnIChxISkgJiApayEqIAQgKjYCHAsgBCgCHCErICsPC0wBC39BACEAQbCIgIAAIQFBgIiAgAAhAiACIAEQgYCAgAAhAyADIQQgACEFIAQgBUchBkF/IQcgBiAHcyEIQQEhCSAIIAlxIQogCg8LZwEJfyOAgICAACECQRAhAyACIANrIQQgBCAANgIMIAQgATYCCCAEKAIMIQUCQCAFRQ0AIAQoAgwhBkEIIQcgBiAHcyEIIAQgCDYCDAsgBCgCDCEJIAQoAgghCiAKIAk6ALCIgIAADwsLMgEAQYAICyt4YWtnS1xOcz5uO2psOTA7OTptam45bTwwbjk6OjA6Ojg4MTwwMD8+dQAA
2.Using write_wasm.py I converted this string to an actual wasm file. I then decompiled it using wasm-decompile from WebAssembly/wabt. The output can be found in wasm-decompile-output.c (note that this is not c code, it is c-like). When compared with the decompiled wasm code for the previous challenge, only these lines are new/changed:
At the end of the copy function:
if (eqz(f)) goto B_a;
var g:int = e[3];
var h:int = 8;
var i:int = g ^ h;
e[3] = i;
label B_a:
var j:int = e[3];
var k:byte_ptr = e[2];
k[1072] = j;
At the beginning of the file where the flag is defined:
data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) = 
"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";
Thus, I assume that the functionality is much the same and the majority of the script must be used to simply return that variable.
3.I copied the variable content xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u (which can be seen from the decoded base64 text) into CyberChef. I used the magic block to search for picoCTF and sure enough it found the flag. Apparently, the decoding is an xor with 8.
Flag
picoCTF{6f3bd18312ebf1e48f12282200948876}
Last modified 9mo ago