For this challenge, we are provided with a short Verilog program, and a C++ wrapper for it using the Verilator library. Verilog is a language that is used to describe hardware and abstract it into a program. check.sv
This was my first time using Verilog, so most of the challenge involved learning the syntax. The C++ wrapper program essentially reads in one character at a time, up to 100, then runs the open_safe routine and checks its result. I realized it was likely a password checker, with our input being transformed in some way to result (if correct) in a 56 bit decimal (3008192072309708
). If it reached this, we are sent the flag. Here's my understanding of the verilog.
I initially attempted to manually step back from the final expected bits, but my unfamiliarity with Verilog syntax and conventions led to a different result every time. At this point, I decided to invest time into installing Verilator, allowing me to build the binary for myself; which would be needed to check my flag. The largest advantage though was the ability to add debugging statements in.
Using this, I could see how my data was transformed. I sent test pieces of data, starting at 0b0000001
, and doing a binary shift left each iteration; this was to give me recognisable patterns to work from.
We were able to get the states of the memory, magic and kittens arrays after entering each character.
From here, we can just manually work out where all the bits are after getting a test case:
dddfffffffgggggggccccccceeeeeeehhhhhhhddddaaaaaaabbbbbbb
Then, we can use this on our compare string to get the binary we want:
00110111 01001100 01101111 01011000 00100101 00101010 01011111 1111000 (converted to 8-bit)
And then simply decode this to get the password 7LoX%*_x
, which we enter on the remote to get the flag!
CTF{W4sTh4tASan1tyCh3ck?}