# OUTPUT FROM GHIDRA WITH WASM EXTENSION: # # byte export::check_flag(void) # { # int strcmp_result; # int j; # int i; # undefined1 c; # # for (i = 0; (&ram_result_buf)[i] != '\0'; i = i + 1) { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 0x14; # if (0 < i) { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (&DA T_ram_0000042f)[i]; # } # if (2 < i) { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (&DA T_ram_0000042d)[i]; # } # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ (byte) (i % 10); # if (i % 2 == 0) { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 9; # } # else { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 8; # } # if (i % 3 == 0) { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 7; # } # else if (i % 3 == 1) { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 6; # } # else { # (&ram_result_buf)[i] = (&ram_result_buf)[i] ^ 5; # } # } # for (j = 0; j < i; j = j + 1) { # if ((j % 2 == 0) && (j + 1 < i)) { # c = (&ram_result_buf)[j]; # (&ram_result_buf)[j] = (&ram_result_buf_plus1)[j]; # (&ram_result_buf_plus1)[j] = c; # } # } # strcmp_result = strcmp((char *)0x400,&ram_result _buf); # return (strcmp_result != 0 ^ 0xffU) & 1; # } INPUT_0400 = b"\x18j|a\x118i7\x1fYyY>\x1cVc\x0dB\x1d~l9\x1cZ!]c\x11\x00b\x05IK~a4\x1cW(\x0fR" def check_flag(flag: bytes) -> bool: ram_result_buf = bytearray(flag) i = 0 while i < len(ram_result_buf) and ram_result_buf[i] != 0: ram_result_buf[i] ^= 0x14 if i > 0: ram_result_buf[i] ^= ram_result_buf[i - 1] if i > 2: ram_result_buf[i] ^= ram_result_buf[i - 3] ram_result_buf[i] ^= (i % 10) if i % 2 == 0: ram_result_buf[i] ^= 9 else: ram_result_buf[i] ^= 8 if i % 3 == 0: ram_result_buf[i] ^= 7 elif i % 3 == 1: ram_result_buf[i] ^= 6 else: ram_result_buf[i] ^= 5 i += 1 for j in range(len(ram_result_buf)): if (j % 2 == 0) and (j + 1 < i): ram_result_buf[j], ram_result_buf[j + 1] = ram_result_buf[j + 1], ram_result_buf[j] return bytes(ram_result_buf) == INPUT_0400 def recover_flag() -> bytes: recovered_flag = bytearray(INPUT_0400) for j in range(0, len(recovered_flag)): if (j % 2 == 0) and (j + 1 < len(recovered_flag)): recovered_flag[j], recovered_flag[j + 1] = recovered_flag[j + 1], recovered_flag[j] for i in reversed(range(len(recovered_flag))): if i % 3 == 0: recovered_flag[i] ^= 7 elif i % 3 == 1: recovered_flag[i] ^= 6 else: recovered_flag[i] ^= 5 if i % 2 == 0: recovered_flag[i] ^= 9 else: recovered_flag[i] ^= 8 recovered_flag[i] ^= (i % 10) if i > 2: recovered_flag[i] ^= recovered_flag[i - 3] if i > 0: recovered_flag[i] ^= recovered_flag[i - 1] recovered_flag[i] ^= 0x14 return bytes(recovered_flag) def main(): flag = recover_flag() print(f"Recovered flag: {flag.decode()}") if __name__ == "__main__": main()