Some Assembly Required 2

Problem

Solution

  1. 1.
    The website is identical to "Some Assembly Required 1", except a slightly different bas64 wasm string is downloaded: AGFzbQEAAAABEwRgAABgAn9/AX9gAAF/YAJ/fwADBQQAAQIDBAUBcAEBAQUDAQACBjEIfwFBsIoEC38AQbAIC38AQYAIC38AQbAKC38AQYAIC38AQbCKBAt/AEEAC38AQQELB6EBDAZtZW1vcnkCABFfX3dhc21fY2FsbF9jdG9ycwAABnN0cmNtcAABCmNoZWNrX2ZsYWcAAgVpbnB1dAMBCWNvcHlfY2hhcgADDF9fZHNvX2hhbmRsZQMCCl9fZGF0YV9lbmQDAw1fX2dsb2JhbF9iYXNlAwQLX19oZWFwX2Jhc2UDBQ1fX21lbW9yeV9iYXNlAwYMX190YWJsZV9iYXNlAwcKogQEAgAL5wIBKn8jgICAgAAhAkEgIQMgAiADayEEIAQgADYCGCAEIAE2AhQgBCgCGCEFIAQgBTYCECAEKAIUIQYgBCAGNgIMAkADQCAEKAIQIQdBASEIIAcgCGohCSAEIAk2AhAgBy0AACEKIAQgCjoACyAEKAIMIQtBASEMIAsgDGohDSAEIA02AgwgCy0AACEOIAQgDjoACiAELQALIQ9B/wEhECAPIBBxIRECQCARDQAgBC0ACyESQf8BIRMgEiATcSEUIAQtAAohFUH/ASEWIBUgFnEhFyAUIBdrIRggBCAYNgIcDAILIAQtAAshGUH/ASEaIBkgGnEhGyAELQAKIRxB/wEhHSAcIB1xIR4gGyEfIB4hICAfICBGISFBASEiICEgInEhIyAjDQALIAQtAAshJEH/ASElICQgJXEhJiAELQAKISdB/wEhKCAnIChxISkgJiApayEqIAQgKjYCHAsgBCgCHCErICsPC0wBC39BACEAQbCIgIAAIQFBgIiAgAAhAiACIAEQgYCAgAAhAyADIQQgACEFIAQgBUchBkF/IQcgBiAHcyEIQQEhCSAIIAlxIQogCg8LZwEJfyOAgICAACECQRAhAyACIANrIQQgBCAANgIMIAQgATYCCCAEKAIMIQUCQCAFRQ0AIAQoAgwhBkEIIQcgBiAHcyEIIAQgCDYCDAsgBCgCDCEJIAQoAgghCiAKIAk6ALCIgIAADwsLMgEAQYAICyt4YWtnS1xOcz5uO2psOTA7OTptam45bTwwbjk6OjA6Ojg4MTwwMD8+dQAA
  2. 2.
    Using write_wasm.py I converted this string to an actual wasm file. I then decompiled it using wasm-decompile from WebAssembly/wabt. The output can be found in wasm-decompile-output.c (note that this is not c code, it is c-like). When compared with the decompiled wasm code for the previous challenge, only these lines are new/changed:
    At the end of the copy function:
    if (eqz(f)) goto B_a;
    var g:int = e[3];
    var h:int = 8;
    var i:int = g ^ h;
    e[3] = i;
    label B_a:
    var j:int = e[3];
    var k:byte_ptr = e[2];
    k[1072] = j;
    At the beginning of the file where the flag is defined:
    data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) =
    "xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";
    Thus, I assume that the functionality is much the same and the majority of the script must be used to simply return that variable.
  3. 3.
    I copied the variable content xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u (which can be seen from the decoded base64 text) into CyberChef. I used the magic block to search for picoCTF and sure enough it found the flag. Apparently, the decoding is an xor with 8.

Flag

picoCTF{6f3bd18312ebf1e48f12282200948876}