English [Google Capture The Flag 2016] [Reverse 150 – Audio Visual Receiver code] Write Up

Description

Audio Visual Receiver code

150 points / Solved 96 times
Can you find the code?

audio_visual_receiver_code

Resolution

As with any RE/pwn challenge, we start with the usual commands to find out what kind of binary we are dealing with:

laxa:Documents:12:47:35$ file audio_visual_receiver_code 
audio_visual_receiver_code: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x340cfbef71af473b1a8253acf71452cc49a8f85f, not stripped

2 things to note:
– It’s a 64-bit ELF
– It’s not stripped, so we should get a pretty clean decompilation from IDA

Here is what the program does:
It’s an infinite loop that asks for a single char and then calls a function if that char is accepted. The accepted chars are u, d, l, r, a, b, which correspond to the functions up, down, left, right, a, b.
Each of those functions works on some global variables in the .bss segment. We can also see that the function “a” has a special condition which calls the “output_flag” function.

This function will XOR some data in the binary with a buffer. The buffer is filled from our inputs and the data is 30 bytes long.

What I tried first was to extract the data to try to find a XOR key using xortool, but that didn’t work at all.
And then I had a hunch: this program accepts only inputs that are used for the Konami Code.
The Konami code is 10 characters long, so we try this:

python -c 'print("u\nu\nd\nd\nl\nr\nl\nr\nb\na\n")' | ./audio_visual_receiver_code

But that apparently wasn’t enough. Since we knew the flag was 30 bytes long, I tried repeating the Konami code 3 times:

Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: Enter char: CTF{the_3rd_time_is_the_charm}

Flag is: CTF{the_3rd_time_is_the_charm}
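
The repeat-count guess above can be automated. The script below is an added example, not part of the original write-up: it replays the Konami code 1 to 5 times against the binary and stops at the first output containing a CTF{...} string. The function names, the 5-repeat limit and the timeout are assumptions.

```python
import re
import subprocess
import sys

KONAMI = "uuddlrlrba"  # up, up, down, down, left, right, left, right, b, a
FLAG_RE = re.compile(rb"CTF\{[^}]*\}")


def build_input(repeats):
    """Return the keypresses for `repeats` Konami codes, one char per line."""
    return "".join(c + "\n" for c in KONAMI * repeats).encode()


def extract_flag(output):
    """Return the first CTF{...} string in the program output, or None."""
    match = FLAG_RE.search(output)
    return match.group(0).decode() if match else None


def try_repeats(cmd, max_repeats=5, timeout=5):
    """Run `cmd` with 1..max_repeats Konami codes; return (repeats, flag)."""
    for n in range(1, max_repeats + 1):
        try:
            out = subprocess.run(cmd, input=build_input(n),
                                 stdout=subprocess.PIPE,
                                 stderr=subprocess.DEVNULL,
                                 timeout=timeout).stdout
        except subprocess.TimeoutExpired as exc:
            # The program loops forever; keep whatever it printed before
            # the timeout killed it.
            out = exc.stdout or b""
        flag = extract_flag(out)
        if flag:
            return n, flag
    return None


if __name__ == "__main__":
    # Path of the challenge binary; defaults to the file name from the page.
    target = sys.argv[1] if len(sys.argv) > 1 else "./audio_visual_receiver_code"
    try:
        print(try_repeats([target]))
    except OSError as err:
        sys.exit(f"cannot run {target}: {err}")
```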
