Thanks AlexCTF for challenges!

This is my solution for catalyst system.

Category: Reverse Engineering
Points: 150

There are two similar routines which generate two loops, the goal is generating delay as it can be seen below: The first routine is just after password and username input, the second routine is after routines checking for username and password.

For bypassing these routines, it’s only necessary to change the¬†conditional¬† statement¬†loop i <=29 for i>29.

Later we’ll find username and password checking functions.

The first function check_chars() check which username characters are greater than 0x31 (1 in ASCII). The second function check_user() performs arithmetic operations with username and check which results are corrects. The third function, checks username characters are between ‘a’ to ‘z’ and character ‘_’. The fourth function use an username checksum to seed srand() function , later a rand() function is called and the returned value is used for checking passwords by arithmetic operations. The last function prints the flag if the whole previous checks were right.

Reversing in the second function we can get the username. I used angr for that purpose, first it is necessary to identify the initial state where we want begin our search. I chose the check_user() prologue address at 0x00400CDD, once we have identified the initial state then we have to identify the desired final state, this would be 0x0400D90 which is the function epilogue address.

Later, the username is used for creating a checksum in  the check_passwd() function,  as can be seen:

The checksum is : 0x454d3e2e, and it’s used for seeding¬†srand() so when calling rand() function the return value is substracted with password characteres, and those resulting characters (password minus random value) are compared with hardcoded values, for example:

Finally, I got the inverse operation as you can see below:

The full scripts can be found here.

So, writting the username and password in catalyst system binary, we get the flag.

The flag is : ALEXCTF{1_t41d_y0u_y0u_ar3__gr34t__reverser__s33}