| Objective: Going in Reverse | Difficulty Level: 2 |
|---|---|
| Kevin in the Retro Store needs help rewinding tech and going in reverse. Extract the flag and enter it here. | Location: Retro Store |
Solution Overview
Kevin was digging through old equipment when he discovered a Commodore 64 disk with a mystery BASIC program on it. He tells us that BASIC programmers of that era were clever and often hid things in plain sight, and that in cases like this, reading the code is often more valuable than observing how it executes. "Take your time with this one. Those old-school programmers had to be creative within such tight constraints. You'll know the flag by the Christmas phrase that pays."

The key here is the name of the challenge. The program applies a bitwise XOR (with the constant 7) to each character of the user-supplied password and compares the result against a hard-coded encoded password. Since XOR is symmetric, applying the same operation to the encoded strings reverses the original operation and recovers the hard-coded credentials. A quick Python script decodes them to a password of C64RULES and a flag of CTF{frost-plan:compressors,coolant,oil}.
| Activity | Primary Tactic | MITRE ATT&CK Technique ID | MITRE ATT&CK Technique Name |
|---|---|---|---|
| Decode XOR Strings | Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Extract Hardcoded Password | Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files |
| Execute Python Solver | Execution | T1059.006 | Command and Scripting Interpreter: Python |
Detailed Solution
We are given a text.bas file with a few lines of code:

```basic
10 REM COMMODORE 64 SECURITY SYSTEM
20 ENC_PASS$ = "D13URKBT"
30 ENC_FLAG$ = "DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz" ' old "DSA|qnisf`bX_huXariz"
40 INPUT "ENTER PASSWORD: "; PASS$
50 IF LEN(PASS$) <> LEN(ENC_PASS$) THEN GOTO 90
60 FOR I = 1 TO LEN(PASS$)
70 IF CHR$(ASC(MID$(PASS$,I,1)) XOR 7) <> MID$(ENC_PASS$,I,1) THEN GOTO 90
80 NEXT I
85 FLAG$ = "" : FOR I = 1 TO LEN(ENC_FLAG$) : FLAG$ = FLAG$ + CHR$(ASC(MID$(ENC_FLAG$,I,1)) XOR 7) : NEXT I : PRINT FLAG$
90 PRINT "ACCESS DENIED"
100 END
```
This login.bas program accepts a login password attempt and matches it against a string that has been obfuscated by XORing the ASCII value of each character with 7 and converting the result back into a C64 character via CHR$(). Because a bitwise XOR with a fixed key is its own inverse, applying the same operations to the encoded characters yields the original plaintext. The Python code below demonstrates this.
```python
# The two encoded strings taken from lines 20 and 30 of the BASIC listing
enc_pass = "D13URKBT"
enc_flag = "DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz"


def decrypt(text):
    # XOR each character's code point with 7, the same key the program uses to encode,
    # and convert the result back into a character
    return "".join([chr(ord(c) ^ 7) for c in text])


print("Password:", decrypt(enc_pass))
print("Flag:", decrypt(enc_flag))
```
This code starts with an empty string, then iterates through each character in the given string to:
- Convert the character value to its ASCII integer value
- Bitwise XOR that ASCII value by 7
- Convert the resulting value back into its ASCII character (Python's chr() returns a Unicode character, but for values below 128 that is the same as ASCII, so the distinction does not matter for this exercise)
Note lines 20 and 30, which contain ENC_PASS$ and ENC_FLAG$ respectively.
Using this code, we retrieved a password of C64RULES and a flag of CTF{frost-plan:compressors,coolant,oil}.
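The script above assumes the key (7) has already been read out of the listing. The same idea generalises: a single-byte XOR key can be recovered from a known plaintext prefix such as the CTF{ flag format, and the BASIC program's own comparison loop (lines 50 to 70) can be reproduced to confirm the recovered password. The following is an added example, not code from the challenge or this writeup's original script; the encoded strings are the ones from the listing, and the function names, the CTF{ prefix assumption and the printable-ASCII fallback are my own additions.

```python
# Added example: recover a single-byte XOR key from a known plaintext prefix,
# decode both strings with it, and re-implement the BASIC password check.
# Encoded strings are from lines 20 and 30 of the listing; the flag prefix is
# an assumption based on the challenge's flag format.

ENC_PASS = "D13URKBT"
ENC_FLAG = "DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz"
FLAG_PREFIX = "CTF{"  # assumed known plaintext


def xor_str(text: str, key: int) -> str:
    """XOR every character with a one-byte key. Applying it twice returns the input."""
    return "".join(chr(ord(c) ^ key) for c in text)


def recover_key(enc: str, known_prefix: str) -> int:
    """Derive the key from known plaintext; every prefix byte must imply the same key."""
    keys = {ord(e) ^ ord(p) for e, p in zip(enc, known_prefix)}
    if len(keys) != 1:
        raise ValueError(f"prefix does not fit a single-byte XOR key: {sorted(keys)}")
    return keys.pop()


def candidate_keys(enc: str) -> list[int]:
    """Fallback when no prefix is known: keys whose output is entirely printable ASCII."""
    return [k for k in range(256) if all(32 <= (ord(c) ^ k) < 127 for c in enc)]


def check_password(attempt: str, enc_pass: str = ENC_PASS, key: int = 7) -> bool:
    """Mirror of BASIC lines 50-70: length must match, then each XORed char must match."""
    if len(attempt) != len(enc_pass):
        return False
    return all(chr(ord(a) ^ key) == e for a, e in zip(attempt, enc_pass))


def solve(enc_pass: str = ENC_PASS, enc_flag: str = ENC_FLAG) -> dict:
    """Recover the key from the flag prefix and decode both hard-coded strings."""
    key = recover_key(enc_flag, FLAG_PREFIX)
    return {
        "key": key,
        "password": xor_str(enc_pass, key),
        "flag": xor_str(enc_flag, key),
    }


if __name__ == "__main__":
    result = solve()
    print(f"key={result['key']} password={result['password']} flag={result['flag']}")
    print("printable-output keys:", candidate_keys(ENC_FLAG))
    print("password accepted:", check_password(result["password"]))
```

recover_key() is the quick path: with four known plaintext bytes, a single-byte key is fixed completely, and the consistency check rejects strings that were not produced by a one-byte XOR. candidate_keys() is the brute-force path for when no plaintext is known; it narrows 256 keys down to a handful that a human can eyeball, which is how this kind of obfuscation is usually unwound when the key is not sitting in the source.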
Tools Reference
| Tools Used | Tool Version |
|---|---|
| Python | 3.15 |
Hints Reference
| Provided By | Hint |
|---|---|
| Santa | Holy cow! Another retro floppy disk, what are the odds? Well it looks like this one is intact. |
| Santa | Maybe it is encrypted OR encoded? |
| Santa | It looks like the program on the disk contains some weird coding. |
| Kevin | You know, there's something beautifully nostalgic about stumbling across old computing artifacts. Just last week, I was sorting through some boxes in my garage and came across a collection of 5.25" floppies from my college days - mostly containing terrible attempts at programming assignments and a few games I'd copied from friends. Finding an old Commodore 64 disk with a mysterious BASIC program on it? That's like discovering a digital time capsule. The C64 was an incredible machine for its time - 64KB of RAM seemed like an ocean of possibility back then. I spent countless hours as a kid typing in program listings from Compute! magazine, usually making at least a dozen typos along the way. The thing about BASIC programs from that era is they were often written by clever programmers who knew how to hide things in plain sight. Sometimes the most interesting discoveries come from reading the code itself rather than watching it execute. It's like being a digital archaeologist - you're not just looking at what the program does, you're understanding how the programmer thought. Take your time with this one. The beauty of reverse engineering isn't in rushing to the answer, but in appreciating the craft of whoever wrote it. Those old-school programmers had to be creative within such tight constraints. |
Acknowledgements
| Provided By | Notes |
|---|---|
| None | None |