# Some Assembly Required 2

## Problem

> <http://mercury.picoctf.net:53929/index.html>

## Solution

1. The website is identical to "Some Assembly Required 1", except a slightly different base64 wasm string is downloaded.
2. Using [write\_wasm.py](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Some%20Assembly%20Required%202/write_wasm.py) I converted this string to an actual wasm file. I then decompiled it using `wasm-decompile` from [WebAssembly/wabt](https://github.com/WebAssembly/wabt). The output can be found in [wasm-decompile-output.c](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Some%20Assembly%20Required%202/wasm-decompile-output.c) (note that this is not C code; it is C-like). When compared with the decompiled wasm code for the previous challenge, only these lines are new/changed:

   At the end of the `copy` function:

   ```
   if (eqz(f)) goto B_a;
   var g:int = e[3];
   var h:int = 8;
   var i:int = g ^ h;
   e[3] = i;
   label B_a:
   var j:int = e[3];
   var k:byte_ptr = e[2];
   k[1072] = j;
   ```

   At the beginning of the file where the flag is defined:

   ```
   data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) = 
   "xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";
   ```

   Thus, I assume that the functionality is much the same and the majority of the script must be used to simply return that variable.
3. I copied the variable content `xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u` (which can be seen from the decoded base64 text) into [CyberChef](https://gchq.github.io/CyberChef/#recipe=Magic\(3,true,false,'picoCTF'\)\&input=eGFrZ0tcTnM%2BbjtqbDkwOzk6bWpuOW08MG45OjowOjo4ODE8MDA/PnU). I used the magic block to search for `picoCTF` and sure enough it found the flag. Apparently, the decoding is an xor with `8`.
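
The same recovery without CyberChef, as an added example that is not part of the original write-up: it mirrors the XOR step at the end of `copy` and brute-forces the single-byte key against the known `picoCTF` prefix, which also covers keys other than `8`. The function names are hypothetical, and it assumes the check compares the transformed input with the data segment at offset 1024.

```python
# Added example. ENCODED and KEY are copied from the decompiled output above;
# the function names are hypothetical.

# Data segment at offset 1024, trailing NUL bytes dropped. A raw bytes literal
# keeps the backslash (0x5c) as a data byte instead of an escape character.
ENCODED = rb"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u"
KEY = 8  # `var h:int = 8` in copy()


def copy_transform(ch: int) -> int:
    """Mirror the tail of copy(): XOR the byte with 8 unless it is zero."""
    return ch ^ KEY if ch != 0 else ch


def encode_input(text: bytes) -> bytes:
    """What copy() writes at offset 1072 for a given input string."""
    return bytes(copy_transform(b) for b in text)


def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo a single-byte XOR; XOR is its own inverse."""
    return bytes(b ^ key for b in blob)


def find_single_byte_keys(blob: bytes, crib: bytes) -> list[int]:
    """Try all 256 keys and keep those whose output starts with the crib."""
    return [k for k in range(256) if xor_decode(blob[:len(crib)], k) == crib]


def recover_flag(blob: bytes, crib: bytes = b"picoCTF") -> bytes:
    """Recover the plaintext when exactly one key matches the known prefix."""
    keys = find_single_byte_keys(blob, crib)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one candidate key, got {keys}")
    return xor_decode(blob, keys[0])


if __name__ == "__main__":
    flag = recover_flag(ENCODED)
    print(find_single_byte_keys(ENCODED, b"picoCTF"), flag.decode())
    # Round trip: the recovered flag must encode back to the stored bytes.
    print(encode_input(flag) == ENCODED)
```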

### Flag

`picoCTF{6f3bd18312ebf1e48f12282200948876}`

