EncryptedScroll

Personal Rating: Easy

We start with the binary file "challenge". Let us check some basic information.

file challenge

challenge: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2

strings challenge

The scroll detects prying eyes... The magic dissipates.
      ___________________________
    /                             \
    |  **Ancient Elven Scroll**   |
    |-----------------------------|
    |  The knowledge you seek is  |
    |  hidden within the old runes|
    |  of the Elven mages...      |
    |  Speak the words of power.  |
    \_____________________________/
The Dragon's Heart is hidden beneath the Eternal Flame in Eldoria.
The scroll remains unreadable... Try again.
The ancient scroll hums with magical energy. Enter the mage
s spell: 

Loading the program in Ghidra, the only function that looks interesting is "decrypt_message".

void decrypt_message(char *param_1)

{
  int iVar1;
  long in_FS_OFFSET;
  int local_3c;
  undefined8 local_38;
  undefined4 local_30;
  undefined4 uStack_2c;
  undefined4 uStack_28;
  undefined8 local_24;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0x716e32747c435549;
  local_30 = 0x6760346d;
  uStack_2c = 0x6068356d;
  uStack_28 = 0x75327335;
  local_24 = 0x7e643275346e69;
  for (local_3c = 0; *(char *)((long)&local_38 + (long)local_3c) != '\0'; local_3c = local_3c + 1) {
    *(char *)((long)&local_38 + (long)local_3c) = *(char *)((long)&local_38 + (long)local_3c) + -1;
  }
  iVar1 = strcmp(param_1,(char *)&local_38);
  if (iVar1 == 0) {
    puts("The Dragon\'s Heart is hidden beneath the Eternal Flame in Eldoria.");
  }
  else {
    puts("The scroll remains unreadable... Try again.");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

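Simplified, this function treats each byte of the hex constants as an ASCII character and subtracts 1 from it, stopping at the first null byte. x86-64 stores these constants little-endian, so the bytes of each constant sit in memory in the reverse of the order Ghidra prints them, and each decoded chunk has to be reversed before the chunks are concatenated. I wrote a Python script to do this for me: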

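# Stack constants from decrypt_message, in declaration order
encvars = ["716e32747c435549","6760346d","6068356d","75327335","7e643275346e69"]
result = b''

for a in encvars:
    enc = bytearray.fromhex(a)
    # Undo the encoding: the binary subtracts 1 from every byte
    for i in range(len(enc)):
        enc[i] = enc[i] - 1
    # The constants are little-endian, so reverse each chunk to memory order
    result += enc[::-1]

# Decode so the flag prints as text rather than as a bytes repr (b'...')
print(result.decode())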

HTB{s1mpl3_fl4g_4r1thm3t1c}
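The same decoding done by rebuilding the stack buffer the way the binary lays it out, as an added example that is not part of the original write-up. It goes slightly beyond the script above by using the hex suffix of each Ghidra local name as its stack offset and by replaying the loop's stop-at-NUL condition; the helper names are my own.

```python
import struct

# (name, value, size in bytes) copied from the decompiled decrypt_message.
# undefined8 is 8 bytes, undefined4 is 4 bytes.
LOCALS = [
    ("local_38", 0x716e32747c435549, 8),
    ("local_30", 0x6760346d, 4),
    ("uStack_2c", 0x6068356d, 4),
    ("uStack_28", 0x75327335, 4),
    ("local_24", 0x007e643275346e69, 8),  # top byte is 0: the NUL terminator
]

def stack_offset(name):
    """Ghidra local names end in the variable's stack offset, in hex."""
    return int(name.rsplit("_", 1)[1], 16)

def build_buffer(locals_):
    """Lay the constants out in memory as the little-endian stores would."""
    base = max(stack_offset(n) for n, _, _ in locals_)          # lowest address
    end = min(stack_offset(n) - size for n, _, size in locals_)  # one past highest
    buf = bytearray(base - end)
    for name, value, size in locals_:
        fmt = "<Q" if size == 8 else "<I"
        struct.pack_into(fmt, buf, base - stack_offset(name), value)
    return buf

def decode(buf):
    """Replay the loop: subtract 1 from every byte up to the first NUL."""
    out = bytearray()
    for b in buf:
        if b == 0:
            break
        out.append(b - 1)
    return out.decode("ascii")

if __name__ == "__main__":
    buf = build_buffer(LOCALS)
    print(buf.hex())      # contiguous 28-byte buffer starting at local_38
    print(decode(buf))
```

Seeing the five locals land back to back in one buffer explains why the loop, which only ever indexes from `&local_38`, walks across all of them.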
