PicoCTF 2018 - QuackMe WriteUp


This is an easy reversing challenge.
The program just wants a “password”.

Looking at the binary in IDA, we see a “doMagic” function.
It reads the password from the user and stores it at ebp+PASSWORD.

Here this password is used in a for loop.


In particular, after renaming some variables to make it clearer and zooming in on the interesting part:

8048858h is a memory address called “sekrutBuffer” containing a string.

1 2 3) Put a char from sekrutBuffer[i] into ecx.

4 5 6 7) Put a char from PASSWORD[i] into eax.

8) An XOR is performed between sekrutBuffer[i] and PASSWORD[i].

9) The result is moved into var_1D.

10 11 12 13 14) The result is compared with greetingMessage[i].


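It is quite simple.
Since PASSWORD[i] ^ sekrutBuffer[i] has to be equal to greetingMessage[i],
we can recover the password by reversing the process: XOR is its own inverse, so XORing greetingMessage[i] with sekrutBuffer[i] gives back PASSWORD[i].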
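
The check and its inversion can be written out as follows. This is an added example, not code from the original write-up: the two buffers are constructed stand-ins rather than the bytes from the challenge binary, the function names are hypothetical, and the loop length is assumed to be the length of sekrutBuffer.

```python
# Constructed sample data, NOT the bytes stored in the challenge binary.
SEKRUT_BUFFER = bytes.fromhex("39100d0f0473580b07")  # stand-in for sekrutBuffer
GREETING_MESSAGE = b"Hello, duck fan!"               # stand-in for greetingMessage


def do_magic_check(password: bytes) -> bool:
    """Model of the loop described above (steps 1 to 14).

    Each password byte is XORed with sekrutBuffer[i] and the result is
    compared with greetingMessage[i].
    Assumption: the loop covers len(SEKRUT_BUFFER) bytes.
    """
    if len(password) < len(SEKRUT_BUFFER):
        return False
    for i, key in enumerate(SEKRUT_BUFFER):
        if (password[i] ^ key) != GREETING_MESSAGE[i]:
            return False
    return True


def recover_password(sekrut: bytes, greeting: bytes) -> bytes:
    """Invert the check: PASSWORD[i] = sekrutBuffer[i] ^ greetingMessage[i]."""
    if len(greeting) < len(sekrut):
        raise ValueError("greeting is shorter than the sekrut buffer")
    # zip() stops at the shorter input, i.e. at the end of the sekrut buffer.
    return bytes(s ^ g for s, g in zip(sekrut, greeting))


if __name__ == "__main__":
    password = recover_password(SEKRUT_BUFFER, GREETING_MESSAGE)
    print("recovered:", password.decode("ascii", errors="replace"))
    print("accepted: ", do_magic_check(password))
```

With the real binary, the two byte strings would be replaced by the contents of sekrutBuffer and greetingMessage dumped from the disassembler.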


And that’s it.