get-password

| Item | Value |
| --- | --- |
| Category | Reverse Engineering |
| Difficulty | Easy |

Challenge Overview

The check_pw function copies an array of 20 pointers to constant strings into a local buffer and validates the input password over 96 iterations.

For each index i:

  • The string is selected using i % 20

  • The character index inside the string is 2 * (i / 10)

  • The validation condition is:

table_char - input[i] == 1

This means the expected input character is always one less than the corresponding character stored in the table.

Exploitation (Reverse Script)

By inverting the comparison, the password can be reconstructed directly without brute force:

input[i] = strings[i % 20][2 * (i / 10)] - 1

Only even-indexed characters from each string are used, advancing every 10 input bytes. The following solvers reproduce the exact memory access pattern of the original binary:

C++

#include <iostream>

int main() {
    const char *strings[20] = {
        "SfBsOxPvNMDyNAhRSgsG",
        "VjYOkGDgkkXgULZUkCeh",
        "OYgUClVWJQAvOtMfBSPg",
        "UgGADoBNyIpiGNyfyuet",
        "RoSgSYiwNwAcSgnPOsMB",
        "4sGvkBZfEqfHEgvkUeUL",
        "ullIdbFSSDZrKCSAJIUz",
        "FPVZxzrNHXShDeRb1GXd",
        "RNpVNeyZRVHTOwZuNdQq",
        "VALsFVveUNPuUoDWlpXu",
        "VyNbOyZjyGBwQUiUxeSe",
        "xO2rYv2pXL3UWoDvBTDQ",
        "qCOaRDOZicRnhDSacIgc",
        "bGUTstlyoElXoIVVghRO",
        "MmNRiDVggENtBjNHvw>g",
        "MC2BCa1DjAyglyzgwQ>v",
        "LeNdcAOGPROrjrOUSiWC",
        "YQEvXfUjbEERJDEjLZcS",
        "baCAeWZGrnROqkJKchEi",
        "oLDKgG6TxDzrQu6amIlZ"
    };

    for (int i = 0; i < 96; i++) {
        std::cout << char(strings[i % 20][2 * (i / 10)] - 1);
    }

    return 0;
}

Python

Then just decode the Base64 string using CyberChef.
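As an added example (not part of the original write-up), the same inversion in Python, with the Base64 decoding step done locally instead of in CyberChef. The function names `recover_password`, `check_pw` and `decode_flag` are this example's own, and `check_pw` is a model of the check as the overview describes it, not decompiled code.

```python
import base64

# String table copied from the C++ solver on this page.
STRINGS = [
    "SfBsOxPvNMDyNAhRSgsG", "VjYOkGDgkkXgULZUkCeh", "OYgUClVWJQAvOtMfBSPg",
    "UgGADoBNyIpiGNyfyuet", "RoSgSYiwNwAcSgnPOsMB", "4sGvkBZfEqfHEgvkUeUL",
    "ullIdbFSSDZrKCSAJIUz", "FPVZxzrNHXShDeRb1GXd", "RNpVNeyZRVHTOwZuNdQq",
    "VALsFVveUNPuUoDWlpXu", "VyNbOyZjyGBwQUiUxeSe", "xO2rYv2pXL3UWoDvBTDQ",
    "qCOaRDOZicRnhDSacIgc", "bGUTstlyoElXoIVVghRO", "MmNRiDVggENtBjNHvw>g",
    "MC2BCa1DjAyglyzgwQ>v", "LeNdcAOGPROrjrOUSiWC", "YQEvXfUjbEERJDEjLZcS",
    "baCAeWZGrnROqkJKchEi", "oLDKgG6TxDzrQu6amIlZ",
]
PASSWORD_LEN = 96  # number of iterations stated in the challenge overview


def table_char(i):
    """Character the check reads for input index i: row i % 20, column 2 * (i / 10)."""
    return STRINGS[i % 20][2 * (i // 10)]


def recover_password():
    """Invert table_char - input[i] == 1, i.e. input[i] = table_char - 1."""
    return "".join(chr(ord(table_char(i)) - 1) for i in range(PASSWORD_LEN))


def check_pw(candidate):
    """Model of the validation loop described in the overview (assumed, not decompiled)."""
    if len(candidate) != PASSWORD_LEN:
        return False
    return all(ord(table_char(i)) - ord(c) == 1 for i, c in enumerate(candidate))


def decode_flag(password):
    """The recovered password is a Base64 string; validate=True rejects stray bytes."""
    return base64.b64decode(password, validate=True).decode("ascii")


if __name__ == "__main__":
    pw = recover_password()
    assert check_pw(pw)      # round-trip: the recovered input passes the modelled check
    print(pw)
    print(decode_flag(pw))
```

The `>` characters in rows 14 and 15 of the table become `=` after the subtraction, which is the Base64 padding at the end of the password.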

made by k0d
