
HSCTF License

   

Challenge: License [ 298(DYN) RE ]

Challenge Description:

Written by: ItzSomebody

Description:

Keith made a cool license-checking program but he forgot the flag he used to create the key! To make matters worse, he lost the source code and stripped the binary for his license-generator program. Can you help Keith recover his flag? All he knows is:

  • The license key is 4-EZF2M-7O5F4-V9P7O-EVFDP-E4VDO-O
  • He put his name (in the form of ‘k3ith’) as the first part of the flag
  • There are 3 underscores
  • The flag is in the format hsctf{}
  • The flag doesn’t have random character sequences (you should be able to read the entire flag easily).
  • The flag only contains lowercase English letters and numbers.
  • The generator might produce the same keys for different inputs because Keith was too lazy to write the algorithm properly.

Binary : license

Before opening the binary in a disassembler or debugger, I thought I'd take a look at what it does.

Running the binary makes the work a little easier in this case.

    $ ./license
    gimme dat string: A
    generating key for: a
    X
    $ ./license
    gimme dat string: B
    generating key for: b
    Y
    $ ./license
    gimme dat string: C
    generating key for: c
    Z

You can clearly see the pattern: each letter is simply substituted by some other letter.

So what we can do in this case is build a Python dictionary that records which key character each input character is substituted with. Once we have that dictionary, we substitute the characters of the given key back to the inputs that produce them.

I made a script for that:

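    from pwn import *
    context.log_level = "critical"

    # License key from the challenge, with the dash separators removed
    flag_license = "4-EZF2M-7O5F4-V9P7O-EVFDP-E4VDO-O".replace("-", "")

    # Maps each key character back to the input character that produced it
    chars = {}

    # Feed every printable ASCII character to the binary, one per run
    for i in range(0x21, 0x7f):
        p = process("./license")
        p.recvuntil(b"gimme dat string: ")
        p.sendline(chr(i).encode())
        # The first 22 bytes are the "generating key for: x" line and its
        # newline; byte 22 is the key character
        corchar = p.recvn(23)[22:].decode()

        # A later input overwrites an earlier one that gave the same key character
        chars[corchar] = chr(i)
        p.close()

    flag = ""

    for ch in flag_license:
        flag += chars[ch]

    print(flag)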

Running this script gives us a partial flag:

    $ python find_keys.py
    hsctf{k}ith_m~k}s_tr~sh_r}}

The dictionary keeps only the last input seen for each key character, so we can see that “}” is also 3 and “~” is 4. In the end the flag comes out to be:

    hsctf{k3ith_m4k3s_tr4sh_r3}
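The collision fix-up above can be automated by keeping every input that maps to a key character and filtering with the rules from the challenge description. This is an added example, not the author's script: `toy_oracle` and `OBSERVED` are constructed stand-ins for running `./license` on one character, filled only with input/key pairs visible in this write-up.

```python
import string
from collections import defaultdict

KEY = "4-EZF2M-7O5F4-V9P7O-EVFDP-E4VDO-O".replace("-", "")

# Constructed stand-in for the binary: only pairs visible in this write-up.
# It is not the binary's algorithm, just a lookup of observed results.
OBSERVED = {"a": "X", "b": "Y", "c": "Z", "h": "4", "s": "E", "t": "F",
            "f": "2", "{": "M", "k": "7", "3": "O", "}": "O", "i": "5",
            "_": "V", "m": "9", "4": "P", "~": "P", "r": "D"}

def toy_oracle(ch):
    """Return the key character for one input, or None if not observed."""
    return OBSERVED.get(ch)

def build_candidates(oracle):
    """Map each key character to every printable input that produces it."""
    candidates = defaultdict(set)
    for code in range(0x21, 0x7f):
        out = oracle(chr(code))
        if out is not None:
            candidates[out].add(chr(code))
    return candidates

def decode(key, candidates):
    """Resolve collisions with the challenge rules: hsctf{...} wrapper,
    body limited to lowercase letters, digits and underscores."""
    body = set(string.ascii_lowercase + string.digits + "_")
    flag = []
    for pos, k in enumerate(key):
        if pos == 5:
            allowed = {"{"}          # opening brace of hsctf{
        elif pos == len(key) - 1:
            allowed = {"}"}          # closing brace is the last character
        else:
            allowed = body
        options = sorted(candidates.get(k, set()) & allowed)
        # Leave unresolved positions visible instead of silently picking one
        flag.append(options[0] if len(options) == 1
                    else "[" + "".join(options) + "]")
    return "".join(flag)

if __name__ == "__main__":
    print(decode(KEY, build_candidates(toy_oracle)))
```

Against the real binary, `toy_oracle` would be replaced by a function that runs `./license` once per character, as the script above does.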

Thanks for reading that.