# Some Assembly Required 2

## Problem

> <http://mercury.picoctf.net:53929/index.html>

## Solution

1. The website is identical to "Some Assembly Required 1", except that a slightly different base64-encoded wasm string is downloaded: `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`
2. Using [write\_wasm.py](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Some%20Assembly%20Required%202/write_wasm.py) I converted this string to an actual wasm file. I then decompiled it using `wasm-decompile` from [WebAssembly/wabt](https://github.com/WebAssembly/wabt). The output can be found in [wasm-decompile-output.c](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Some%20Assembly%20Required%202/wasm-decompile-output.c) (note that this is C-like pseudocode, not compilable C). Compared with the decompiled wasm for the previous challenge, only these lines are new or changed:

   At the end of the `copy` function:

   ```
   if (eqz(f)) goto B_a;
   var g:int = e[3];
   var h:int = 8;
   var i:int = g ^ h;
   e[3] = i;
   label B_a:
   var j:int = e[3];
   var k:byte_ptr = e[2];
   k[1072] = j;
   ```

   At the beginning of the file where the flag is defined:

   ```
   data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) = 
   "xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";
   ```

   So the module behaves the same as in the previous challenge, and the bulk of the script still exists only to feed the input into `copy` and compare it against that data variable. The one new behaviour is in the block above: when `f` is non-zero, each input byte `e[3]` is XORed with `8` (`g ^ h`) before it is stored at offset 1072. The string stored at offset 1024 is therefore the flag with that same XOR applied, and since XOR is its own inverse, XORing each byte with `8` again recovers it.
3. I copied the variable content `xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u` (which can also be seen in the decoded base64 text; the `\` before `N` is a literal backslash byte, 0x5c, not an escape) into [CyberChef](https://gchq.github.io/CyberChef/#recipe=Magic\(3,true,false,'picoCTF'\)\&input=eGFrZ0tcTnM%2BbjtqbDkwOzk6bWpuOW08MG45OjowOjo4ODE8MDA/PnU). I used the Magic operation with `picoCTF` as the expected-output filter, and it found the flag: the decoding is an XOR of each byte with `8`, which matches the `g ^ h` line in `copy`.
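
The decoding step above, as an added example rather than code from the original write-up: it takes the data string from the decompiled segment (trailing `\00\00` dropped), recovers the single-byte XOR key from the known `picoCTF{` prefix instead of relying on CyberChef's Magic search, and decodes the flag. The `simulate_check` function is a model of what the modified `copy` function is inferred to do (XOR the input with 8 and compare it with the stored data); the real module's comparison code is not shown on this page, so that part is an assumption.

```python
"""Recover the flag from the XOR-obfuscated data segment found by wasm-decompile.

Added example, not part of the original write-up. The ciphertext below is the
string at data offset 1024 in the decompiled module, copied from the write-up;
the two trailing \\00 bytes are the string terminator and are omitted.
"""
from typing import Optional

# Raw bytes literal so the backslash before 'N' stays a literal 0x5c byte.
CIPHERTEXT = rb"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u"

# Every picoCTF flag starts with this, which is enough known plaintext to
# pin down a single-byte XOR key without guessing.
KNOWN_PREFIX = b"picoCTF{"

# Key observed in the decompiled `copy` function: `var h:int = 8; i = g ^ h`.
OBSERVED_KEY = 8


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return bytes(b ^ key for b in data)


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Return the single-byte XOR key that maps `ciphertext` onto `known_prefix`.

    A single-byte XOR means c[i] ^ p[i] is the same value for every position,
    so the key is fixed by the first byte and checked against the rest of the
    prefix. Returns None if no single-byte key is consistent.
    """
    if len(ciphertext) < len(known_prefix):
        return None
    key = ciphertext[0] ^ known_prefix[0]
    for c, p in zip(ciphertext, known_prefix):
        if c ^ p != key:
            return None
    return key


def decode_flag(ciphertext: bytes = CIPHERTEXT) -> str:
    """Recover the key from the known prefix and decode the whole flag."""
    key = recover_key(ciphertext, KNOWN_PREFIX)
    if key is None:
        raise ValueError("no single-byte XOR key maps the data to a picoCTF{ prefix")
    plain = xor_bytes(ciphertext, key)
    # Sanity check: a picoCTF flag is printable ASCII and closes with '}'.
    if not plain.endswith(b"}") or not plain.isascii():
        raise ValueError("decoded text does not look like a flag")
    return plain.decode("ascii")


def simulate_check(user_input: bytes, key: int = OBSERVED_KEY) -> bool:
    """Model of the inferred check: XOR the input with `key` (as the modified
    `copy` does before storing each byte at offset 1072) and compare it with
    the stored data at offset 1024. Assumption: the real module compares
    these two buffers byte for byte; that code is not shown in the write-up.
    """
    return xor_bytes(user_input, key) == CIPHERTEXT


if __name__ == "__main__":
    flag = decode_flag()
    print(f"key: {recover_key(CIPHERTEXT, KNOWN_PREFIX)}")
    print(f"flag: {flag}")
    print(f"check passes with recovered flag: {simulate_check(flag.encode())}")
```

Deriving the key from the known prefix rather than searching for it is the habit worth keeping: it works the same way for any single-byte XOR wrapper, and `recover_key` returning `None` is the signal that the obfuscation is something other than a constant XOR and the decompiled code needs another look.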

### Flag

`picoCTF{6f3bd18312ebf1e48f12282200948876}`
