(https://gist.github.com/bobbo/e1e980262f2ddc8db3b8 for help) So we download the file, and we find that it's pure assembly written in Intel syntax, nice. Let's assemble and link it:

nasm -f elf64 -o asmr.o asmr.asm
ld -o asmr asmr.o

When we run it, we don't get anything back. Odd. Let's see what's in the assembly. I decided to reverse all the assembly so that we can get a good picture of what's happening. Basically, in main, it's creating a socket, setting some options for the socket, binding to port 1337, listening on any address, then accepting the connection. Once we connect, it sends "Enter Password:". The program then reads our input and checks whether it's 17 chars (16 + null byte). If our input isn't 16 chars + null byte, it chucks us to label5, which basically outputs "Nope" and then ends the connection. So we don't want that.

We see that label2 compares our last char to a null byte. While our input isn't a null byte, it XORs each char with the key 0x69 (105 in decimal); that's what label1 does. Label2 then checks whether that's the password, and if it's correct, it spits out 56333 chars of hex at us. If we take the hex that it moves into the rax register (0x360c1f0605360c1e and 0x0c0c10361b041a08), XOR it with the key 0x69 and reverse it, we get "welove_asmr_yee". Input that as the password, and the hex gets spat out. If we restart it all again but save the output to a file, that's a lot nicer to work with.

The flag isn't in the strings, but if we take a look at the file in ghex, we see a whole load of things. Removing the "Enter password:" and looking at the file headers, we see that it's a .ogg file. Save the file as that, open it in an audio player, and we get "The flag is tjctf{Bravo Uniform Bravo 6 Lira Echo Whiskey Romeo 4 Pop _ Pop 0 Pop}". That's a very long flag, so probably not. Using the hint they gave us (NATO Phonetic Alphabet), we can swap the words for letters and we get a nice message from the team, as well as tjctf{s0m3_n1c3_s0und5_for_you!!!}
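The password recovery and the file-header check above, as an added example in Python (this is not code from the writeup or from the challenge; the two rax immediates and the key 0x69 come from the text, everything else is my own scaffolding). Packing each immediate with struct '<Q' gives the bytes in the order the CPU stores them in memory, which is exactly the "reverse" step the writeup performs by hand; the decoded value is 16 characters, matching the length check in the binary (the text renders it without the first underscore). check_password mirrors the service's own test, and extract_ogg locates the OggS magic in a saved response whether the capture is raw bytes or hex text:

```python
# Added example, not part of the original writeup: recover the password the
# binary compares against, re-implement its check, and pull the OGG payload
# out of a saved response.
import binascii
import struct

KEY = 0x69
# The two 64-bit immediates the binary loads into rax (values from the writeup).
IMMEDIATES = (0x360c1f0605360c1e, 0x0c0c10361b041a08)


def decode_password(immediates=IMMEDIATES, key=KEY):
    """XOR each immediate's bytes with the key. '<Q' yields the little-endian
    memory order, which is why the hex has to be read 'reversed'."""
    raw = b"".join(struct.pack("<Q", imm) for imm in immediates)
    return bytes(b ^ key for b in raw).decode("ascii")


def encode_password(password, key=KEY):
    """The transform label1 applies to our input before label2 compares it:
    XOR every byte with the key, then view the result as 64-bit words."""
    data = password.encode("ascii")
    words = []
    for i in range(0, len(data), 8):
        chunk = bytes(b ^ key for b in data[i:i + 8])
        words.append(struct.unpack("<Q", chunk)[0])
    return tuple(words)


def check_password(candidate):
    """Mirror the service: exactly 16 chars (17 with the null), then XOR-and-compare."""
    if len(candidate) != 16:
        return False
    return encode_password(candidate) == IMMEDIATES


OGG_MAGIC = b"OggS"          # first four bytes of every Ogg page
PROMPT = b"Enter Password:"  # prompt the service sends before the payload


def maybe_unhex(data):
    """If the capture is hex text (as the writeup describes), decode it; otherwise
    return it unchanged."""
    try:
        return binascii.unhexlify(data.strip())
    except (binascii.Error, ValueError):
        return data


def extract_ogg(response, prompt=PROMPT):
    """Strip the prompt from a saved response and return the payload from the
    OggS magic onward, or None if no Ogg container is present."""
    if response.startswith(prompt):
        response = response[len(prompt):]
    for candidate in (response, maybe_unhex(response)):
        idx = candidate.find(OGG_MAGIC)
        if idx >= 0:
            return candidate[idx:]
    return None


if __name__ == "__main__":
    pw = decode_password()
    print("password:", pw, "valid:", check_password(pw))
    # Constructed sample response: prompt followed by a hex-encoded Ogg header.
    sample = PROMPT + binascii.hexlify(b"OggS\x00\x02" + b"\x00" * 20)
    print("ogg payload:", extract_ogg(sample))
```

Once the payload is written to a file, the same OggS check is what a file-type tool uses to label it, so the function doubles as a sanity check before opening the file in an audio player.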
If we take a look at main, we can see that it basically says "starting weight is 211, try and get me down to 180 by day 7" (when we run the program, we're presented with 4 options to reduce weight, and we have to do this in 7 days). If we reverse main, we basically only care about this bottom bit.
So here, we see that if we choose option 2, we subtract 1 from our weight. If our input isn't 2, we go to the else branch: if the input is 3, subtract 2; if not, and our input is not 4, increase the counter. But what we notice is that we always subtract 3 from our weight whenever our answer wasn't 2. So now for some simple maths:
Input: 3 3 3 3 3 3 2. Wait 3 seconds, boom, profit.
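The "simple maths" behind that input, as an added example in Python (not code from the writeup): six days of option 3 lose 3 + 2 = 5 each, one day of option 2 loses 1, so 6 × 5 + 1 = 31 and 211 − 31 = 180. The block re-implements the branch structure the writeup describes for one day and then brute-forces every 7-day sequence that lands exactly on the target, which is a cheap way to confirm the reversed logic before talking to the service. Option 4 is left out of the search because the writeup does not pin down how it affects the day counter; the start, target and day count are the numbers from the text.

```python
# Added example, not part of the original writeup: simulate the reversed
# weight-loss loop and enumerate the inputs that reach the target.
from itertools import product

START_WEIGHT = 211   # from the writeup
TARGET_WEIGHT = 180  # from the writeup
DAYS = 7             # from the writeup


def apply_choice(weight, choice):
    """One day of the loop, as the writeup describes the decompiled branches."""
    if choice == 2:
        return weight - 1
    # Every answer other than 2 falls into the else branch, which always
    # subtracts 3 ...
    weight -= 3
    if choice == 3:
        weight -= 2  # ... and option 3 takes a further 2 off
    return weight


def simulate(choices, start=START_WEIGHT):
    """Run a sequence of menu choices and return the final weight."""
    weight = start
    for choice in choices:
        weight = apply_choice(weight, choice)
    return weight


def find_solutions(start=START_WEIGHT, target=TARGET_WEIGHT, days=DAYS,
                   options=(1, 2, 3)):
    """Every sequence of `days` choices from `options` that ends exactly on target.
    Option 4 is excluded: its effect on the day counter is not described."""
    return [seq for seq in product(options, repeat=days)
            if simulate(seq, start) == target]


if __name__ == "__main__":
    proposed = (3, 3, 3, 3, 3, 3, 2)
    print("proposed input ends at", simulate(proposed))
    solutions = find_solutions()
    print(len(solutions), "sequences reach the target, e.g.", solutions[0])
```

With losses of 3, 1 and 5 per day for options 1, 2 and 3, a 7-day total of 31 is only possible as five 3s and two 1s (21 orderings) or six 3s and one 2 (7 orderings), so the search returns 28 sequences, and the writeup's input is one of the second group.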
Then I found that it showed 2 results for the 31-33 range, which looked promising. I XORed them 2 at a time, as well as parts of the flag, to find the difference. I then asked willwam to find a solution, but I also checked it with the solutions I generated. I then found 33 == 21 + 18,
so the middle of the 3 sections XORed with the flag part would give the other part of the flag. This gave me "cap" as my 4th-6th characters. I used the chars I generated and brute-forced it and saw "hata o sagashiteimQCE ka? dozo", "tjctf{sE]Ymasen_flag_kudasaiYM", which was using "isa". I brute-forced the last char to get "isacapo" and