team-logo
Published on

UTCTF 2025 - Reverse Engineering challenges

Authors

Introduction

We solved all 4 of 4 tasks. More info about this CTF is here. alt text

Table of contents

Ostrich Algorithm

Ostrich Algorithm

Writeup author: zBlxst

The program performs a checks between something it puts in the stack and something in the .rodata (not sure). If the ckecks passes, it prints the flag. I just changed the thing in the .rodata to pass the check. ostrich1 ostrich2

utflag{d686e9b8f13bef2a3078c324ceafd25d}

Retro Cookie Clicker

retro

Writeup author: kerszi

The goal of the game was to overflow the counter (dozens), meaning reaching 7FFF, but who would click that many times... To do this, I used Mesen. I checked which value changed when I started clicking and discovered that it was at address $0B94. So, I simply set it to the highest possible value 07FF (32767), clicked once, and got the flag.

retro1 retro2 retro3

utflag{1337hax0r}

Safe Word

alt text

Writeup author: zBlxst

I takes a while to run, but it works. To speed up, you can stop the program, take a state of "new_found" and put it in "found" (and remove weird things). It took me like 2 hours to run.

from pwn import process, context
context.log_level = "CRITICAL"

with open("safe_word", "rb") as f:
    content = list(f.read())

for i in range(0, 0x21):
    content[0x133D8] = i

    with open(f"safe_word_{i}", "wb") as f:
        f.write(bytes(content))

import string
found = ['']
new_found = []
for j in range(len(found[0]), 33):
    print(f"Program {j}")
    for f in found:
        for i in range(128):
            if chr(i) not in string.printable:
                continue    
            print(i)
            p = process(f"./safe_word_{j}")
            # print(p.recv())
            p.sendline((f+chr(i)).encode())
            p.wait_for_close()
            poll = p.poll()
            if poll == 0:
                print(f + chr(i), poll)
                new_found.append(f + chr(i))
            p.close()
    if len(new_found) == 0:
        print("Not Found")
        exit(0)
    print(new_found)
    found = new_found
    new_found = []

print(list(map(lambda x: x.endswith("}"), new_found)))

utflag{1_w4nna_pl4y_hypix3l_in_c}

Maps

maps

Writeup author: Lazarus

After analyzing the executable, I found that each flag character is encoded as five digits. The given output is the encoded flag, and because each input is converted to a digit string, we can brute-force it to reveal the flag's characters one after one.

import subprocess
import string

target = "4934849349493674935749360493664940249346493534935849348493574936549351493644937449348493464936449365493744935349360493464935449364493574935749374493494935349358493594935449404"
alphabet = string.printable  # letters, numbers, symbols

def get_program_output(input_string):
    process = subprocess.Popen(['./chal'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    output, _ = process.communicate(input=input_string + '\n')
    output = output.strip().replace("Transform! ", "")
    return output

def brute_force_flag():
    flag = ""
    target_pos = 0
    
    while target_pos < len(target):
        for char in alphabet:
            test_flag = flag + char
            output = get_program_output(test_flag)

            if output[:len(test_flag) * 5] == target[:len(test_flag) * 5]:
                flag = test_flag
                target_pos = len(flag) * 5
                print(f"Match: {char} | Current flag: {flag}")
                break
        else:
            print("No match found for current position!")
            break
            
    return flag

print("Starting brute-force attack...")
final_flag = brute_force_flag()
print(f"\nFinal flag: {final_flag}")

Starting brute-force attack...
Match: u | Current flag: u
Match: t | Current flag: ut
Match: f | Current flag: utf
Match: l | Current flag: utfl
Match: a | Current flag: utfla
Match: g | Current flag: utflag
Match: { | Current flag: utflag{
Match: s | Current flag: utflag{s
Match: h | Current flag: utflag{sh
Match: o | Current flag: utflag{sho
Match: u | Current flag: utflag{shou
Match: l | Current flag: utflag{shoul
Match: d | Current flag: utflag{should
Match: v | Current flag: utflag{shouldv
Match: e | Current flag: utflag{shouldve
Match: _ | Current flag: utflag{shouldve_
Match: u | Current flag: utflag{shouldve_u
Match: s | Current flag: utflag{shouldve_us
Match: e | Current flag: utflag{shouldve_use
Match: d | Current flag: utflag{shouldve_used
Match: _ | Current flag: utflag{shouldve_used_
Match: h | Current flag: utflag{shouldve_used_h
Match: a | Current flag: utflag{shouldve_used_ha
Match: s | Current flag: utflag{shouldve_used_has
Match: k | Current flag: utflag{shouldve_used_hask
Match: e | Current flag: utflag{shouldve_used_haske
Match: l | Current flag: utflag{shouldve_used_haskel
Match: l | Current flag: utflag{shouldve_used_haskell
Match: _ | Current flag: utflag{shouldve_used_haskell_
Match: t | Current flag: utflag{shouldve_used_haskell_t
Match: h | Current flag: utflag{shouldve_used_haskell_th
Match: o | Current flag: utflag{shouldve_used_haskell_tho
Match: n | Current flag: utflag{shouldve_used_haskell_thon
Match: k | Current flag: utflag{shouldve_used_haskell_thonk
Match: } | Current flag: utflag{shouldve_used_haskell_thonk}

Final flag: utflag{shouldve_used_haskell_thonk}

utflag{shouldve_used_haskell_thonk}