Facebook CTF 2013 - NcN 2013
There were only 3 access levels - web, Android APK, and Linux executable. All were reverse engineering only.
Whatever input 'key' is given, you get an alert saying 'Invalid password!'.
Analysing the source code we get -
<form action="login.php" method="POST" onsubmit="return encrypt(this);">
alert('Correct password :)');
That's it. Our work is simple - just make the condition inside the IF FALSE. That can be achieved by making the var res = 0. So the reverse engineering work starts NOW.
Time to analyse the code and start reversing it.
- Before the if we have an XOR, so res should be equal to 4153 to make res = 0.
- res * 4 [ 4153*4 = 16612]
- >>> is a right shift, so we have 16612 = X>>>6.
16612 in binary is 100000011100100.
We have no idea about the lost rightmost 6 bits. Taking them as 0's, let's proceed.
100000011100100 + 000000 = 1063168, but it can vary by +0 to +63.
- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.
- Now a weird function, numerical_value.
Observe one more function, ascii_one.
But here there is no need to analyse. Just manually brute force the var str to get an approximate value of 62540. I got 62545.
Start with a random number of a's, then modify here and there, with the logic that the starting characters have less weightage and the ending characters have the most!
So for me this is the key - "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.
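The reversal above, carried through as an interval instead of a single guess (an added example, not code from the challenge page or the original post). The forward chain in check() and the position-weighted numericalValue() are assumptions reconstructed from the steps described here; the range comes out wider than +0 to +63 because the division by 4 followed by the XOR also discards bits.

```javascript
// Reconstructed from the steps in the write-up (assumption): the page's
// encrypt() multiplies, shifts, divides by 4 and XORs with 4153.
const MULT = 3 + 1 + 3 + 3 + 7; // 17

function check(n) {
  let res = n * MULT;
  res = res >>> 6;   // drops the low six bits
  res = res / 4;     // may leave a fraction
  res = res ^ 4153;  // ^ truncates its operands to 32-bit integers
  return res === 0;
}

// Assumed shape of numerical_value: char code times 1-based position,
// which is why later characters weigh more.
function numericalValue(str) {
  let sum = 0;
  for (let i = 0; i < str.length; i++) sum += str.charCodeAt(i) * (i + 1);
  return sum;
}

// Invert each step, keeping the full interval instead of one guess.
function acceptedRange() {
  const loDiv = 4153 * 4;        // 16612
  const hiDiv = 4153 * 4 + 3;    // /4 then truncation loses two bits
  const loShift = loDiv * 64;    // 1063168
  const hiShift = hiDiv * 64 + 63;
  return { min: Math.ceil(loShift / MULT), max: Math.floor(hiShift / MULT) };
}

// Cross-check the algebra by scanning every candidate value.
function scanRange(limit) {
  const hits = [];
  for (let n = 0; n <= limit; n++) if (check(n)) hits.push(n);
  return { min: hits[0], max: hits[hits.length - 1], count: hits.length };
}

// The key from the write-up: zz, 22 a's, dd, 5 a's, spea.
const WRITEUP_KEY = "zz" + "a".repeat(22) + "dd" + "a".repeat(5) + "spea";

console.log(acceptedRange(), scanRange(100000));
console.log(numericalValue(WRITEUP_KEY), check(numericalValue(WRITEUP_KEY)));
```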
After submitting the key -
-> And a rough screenshot of manual brute force. So you can get a rough idea -
Please download OR open the image for clear view :D :D
-> Anyone who solved it in a much simpler way, please comment your way of solving the problem.
-> Suggestions/Comments are most welcome !!! :)
Thanks for reading through
Happy hacking! Happy coding!!