Would you like to test your luck?
Let’s see if you can guess the correct string.
nc chal.noxale.com 22234

GuessTheString

Let’s check the file format first.

It is a 64-bit ELF shared object which is dynamically linked and not stripped.

Let’s try to run it first.

It looks like we need to find the correct string.

Let’s decompile its main function to see what it actually does.

It calls the function check, and if it returns true, then it prints the flag from the working directory.

Let’s decompile the check function.

We have 11 different checks here that must be satisfied.

Let’s start with decompiling check1.

It checks the length of the string and it must be equal to 11.

Let’s continue with the decompilation of check2.

It simply fails if the string contains any character whose ASCII value is less than or equal to 32. Otherwise, it returns true.

Let’s look at the decompilation of check3.

This function tells us that the first character shouldn’t be ‘B’ and that the product of the first and second characters must be 3478.

Let’s move on to the check4 function.

This function tells us that if we XOR the first three characters of the string, the result must be 49.

Let’s continue with check5 function.

This function says that the 4th character must have a greater ASCII value than the 3rd character, and that the squares of the 3rd and 4th characters must have the same lowest byte.

Let’s look at the check6 function.

This function tells us that the 5th and 6th characters must have prime ASCII values and that their XOR must be equal to 126.

Let’s continue with the decompilation of check7 function.

This function tells us that half of the 7th character’s ASCII value must be a prime number and that the ASCII value of the 7th character must be equal to 2 * ((ASCII value of 6th character) – 42).

Let’s move on to the check8 function.

This function tells us that the 8th character must be a digit and its ASCII value must be divisible by 4.

Let’s look at the check9 function.

The lahf instruction loads the status flags into the AH register. Then, the function checks whether the 9th character is equal to (AH xor (8th character)).

Let’s continue with check10 function.

This function simply tells us that the 10th character’s ASCII value must be equal to twice the 9th character’s ASCII value.

Finally, let’s decompile the check11 function.

This function says that the 11th character’s ASCII value must be equal to (10th character’s ASCII value) * (10th character’s ASCII value + 1) / 2.

It seems the conditions are not strict, which means there may be multiple strings that can pass these checks.

Let’s try to find one.

We know that the product of the first two characters must be equal to 3478 and the first character must be different from ‘B’.

3478 = 2 * 37 * 47 = 74 * 47 = ‘J’ * ‘/’

Let the first character be ‘J’ and second character be ‘/’.

Since the xor of the first three characters must be equal to 49, the third character must be ‘T’.

Now, we need to choose a 4th character that has a higher ASCII value than ‘T’ and whose square has the same lowest byte as the square of ‘T’. Let’s write some Python code for this.

When we execute it, it prints ‘l’ and ‘t’. Let’s choose ‘t’ as the 4th character and continue.

Now, we need to choose the 5th and 6th characters as prime numbers and the 7th character must satisfy the conditions from the check6 function.

Here is a Python script to find all possible printable combinations of these 3 characters.

The script prints only one line of output which is ‘C’, ‘=’, ‘&’. Let them be the 5th, 6th, and 7th characters respectively.

The 8th character must be a digit whose ASCII value is divisible by 4. Our options are ‘0’, ‘4’, and ‘8’. Let’s choose ‘8’ as the 8th character and go on.
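The search for characters 1 to 8 can be written as one short Python script. This is an added example, not the author's original scripts, and it goes beyond the single path chosen above by listing every printable candidate. The function names are hypothetical, and it assumes check3 multiplies plain integers and check5 compares only the low byte of each square.

```python
# Added example: brute-force characters 1-8 from the constraints described
# for check2..check8. Helper names are hypothetical, not from the binary.
from itertools import product

PRINTABLE = range(33, 127)  # check2 rejects any byte <= 32


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def first_three():
    """check3 + check4: c1 != 'B', c1 * c2 == 3478, c1 ^ c2 ^ c3 == 49."""
    return [(a, b, a ^ b ^ 49) for a, b in product(PRINTABLE, repeat=2)
            if a != ord("B") and a * b == 3478 and (a ^ b ^ 49) in PRINTABLE]


def fourth(c3):
    """check5: c4 > c3 and both squares share the same lowest byte."""
    return [c for c in PRINTABLE if c > c3 and (c * c) & 0xFF == (c3 * c3) & 0xFF]


def five_to_seven():
    """check6 + check7: c5, c6 prime, c5 ^ c6 == 126, c7 == 2 * (c6 - 42), c7 // 2 prime."""
    out = []
    for c5, c6 in product(PRINTABLE, repeat=2):
        c7 = 2 * (c6 - 42)
        if (is_prime(c5) and is_prime(c6) and c5 ^ c6 == 126
                and c7 in PRINTABLE and is_prime(c7 // 2)):
            out.append((c5, c6, c7))
    return out


def eighth():
    """check8: a digit whose ASCII value is divisible by 4."""
    return [c for c in b"0123456789" if c % 4 == 0]


def prefixes():
    """Every 8-character prefix that passes check2..check8."""
    return sorted(bytes([a, b, c, d, *mid, e]).decode()
                  for a, b, c in first_three() for d in fourth(c)
                  for mid in five_to_seven() for e in eighth())


if __name__ == "__main__":
    for p in prefixes():
        print(p)
```

Characters 9 to 11 are left out because the 9th depends on the AH value observed at run time.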

In order to find the 9th character, we need to know the value of the AH register after it gets loaded with the status flags. Let’s debug the program using J/TtC=&8??? as the input string and set a breakpoint on the line that XORs the 8th character with AH.

The value of AH is 0x12. Therefore, our 9th character must be ‘*’.

We know that the 10th character’s ASCII value must be twice the 9th character’s ASCII value. Thus, the 10th character must be ‘T’.

Let’s create a Python script again to find the last character of our string.

The script outputs only one character, which is ‘J’. Now, we have built a string that satisfies all the conditions, which is J/TtC=&8*TJ.

Let’s connect to the server and send our string to get our flag.

Here we got the flag noxCTF{A5semb1y_Is_Grea7}.