Some Assembly Required 2

PreviousSome Assembly Required 1 NextSome Assembly Required 3

Last updated 2 years ago

Was this helpful?

Solution

The website is identical to "Some Assembly Required 1", except a slightly different bas64 wasm string is downloaded: AGFzbQEAAAABEwRgAABgAn9/AX9gAAF/YAJ/fwADBQQAAQIDBAUBcAEBAQUDAQACBjEIfwFBsIoEC38AQbAIC38AQYAIC38AQbAKC38AQYAIC38AQbCKBAt/AEEAC38AQQELB6EBDAZtZW1vcnkCABFfX3dhc21fY2FsbF9jdG9ycwAABnN0cmNtcAABCmNoZWNrX2ZsYWcAAgVpbnB1dAMBCWNvcHlfY2hhcgADDF9fZHNvX2hhbmRsZQMCCl9fZGF0YV9lbmQDAw1fX2dsb2JhbF9iYXNlAwQLX19oZWFwX2Jhc2UDBQ1fX21lbW9yeV9iYXNlAwYMX190YWJsZV9iYXNlAwcKogQEAgAL5wIBKn8jgICAgAAhAkEgIQMgAiADayEEIAQgADYCGCAEIAE2AhQgBCgCGCEFIAQgBTYCECAEKAIUIQYgBCAGNgIMAkADQCAEKAIQIQdBASEIIAcgCGohCSAEIAk2AhAgBy0AACEKIAQgCjoACyAEKAIMIQtBASEMIAsgDGohDSAEIA02AgwgCy0AACEOIAQgDjoACiAELQALIQ9B/wEhECAPIBBxIRECQCARDQAgBC0ACyESQf8BIRMgEiATcSEUIAQtAAohFUH/ASEWIBUgFnEhFyAUIBdrIRggBCAYNgIcDAILIAQtAAshGUH/ASEaIBkgGnEhGyAELQAKIRxB/wEhHSAcIB1xIR4gGyEfIB4hICAfICBGISFBASEiICEgInEhIyAjDQALIAQtAAshJEH/ASElICQgJXEhJiAELQAKISdB/wEhKCAnIChxISkgJiApayEqIAQgKjYCHAsgBCgCHCErICsPC0wBC39BACEAQbCIgIAAIQFBgIiAgAAhAiACIAEQgYCAgAAhAyADIQQgACEFIAQgBUchBkF/IQcgBiAHcyEIQQEhCSAIIAlxIQogCg8LZwEJfyOAgICAACECQRAhAyACIANrIQQgBCAANgIMIAQgATYCCCAEKAIMIQUCQCAFRQ0AIAQoAgwhBkEIIQcgBiAHcyEIIAQgCDYCDAsgBCgCDCEJIAQoAgghCiAKIAk6ALCIgIAADwsLMgEAQYAICyt4YWtnS1xOcz5uO2psOTA7OTptam45bTwwbjk6OjA6Ojg4MTwwMD8+dQAA

Using I converted this string to an actual wasm file. I then decompiled it using wasm-decompile from . The output can be found in (note that this is not c code, it is c-like). When compared with the decompiled wasm code for the previous challenge, only these lines are new/changed:

At the end of the copy function:

if (eqz(f)) goto B_a;
var g:int = e[3];
var h:int = 8;
var i:int = g ^ h;
e[3] = i;
label B_a:
var j:int = e[3];
var k:byte_ptr = e[2];
k[1072] = j;

At the beginning of the file where the flag is defined:

data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) = 
"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";

Thus, I assume that the functionality is much the same and the majority of the script must be used to simply return that variable.

I copied the variable content xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u (which can be seen from the decoded base64 text) into . I used the magic block to search for picoCTF and sure enough it found the flag. Apparently, the decoding is an xor with 8.

Flag

picoCTF{6f3bd18312ebf1e48f12282200948876}

Solution

At the end of the copy function:

if (eqz(f)) goto B_a;
var g:int = e[3];
var h:int = 8;
var i:int = g ^ h;
e[3] = i;
label B_a:
var j:int = e[3];
var k:byte_ptr = e[2];
k[1072] = j;

At the beginning of the file where the flag is defined:

data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) = 
"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";

Thus, I assume that the functionality is much the same and the majority of the script must be used to simply return that variable.

Flag

picoCTF{6f3bd18312ebf1e48f12282200948876}

Some Assembly Required 2

Some Assembly Required 2

Problem

Solution

Flag

Problem

Solution

Flag