We received the application binary file together with the Python source code.
Tools to use:
When you start the application, you get:
While checking the code in fidler.py, we see that it first makes a call to
Which will return True if it
password_check will return
Checking it, we can see that our input is being checked against the
To find the key, we can just copy the code into a Python interpreter:
>>> altered_key = 'hiptu'
>>> key = ''.join([chr(ord(x) - 1) for x in altered_key])
We moved to the second stage:
There are two ways to solve it. You can just play and get the flag:
Use the mouse scroll to make the coins move faster.
But if you want to bypass it and understand what happens, we can go straight ahead to the function
fidler.py because it calls the victory_screen function, and we need to understand how to get to this function:
To get to victory_screen, our current_coins must be between the following limits:
target_amount - 2**20 < current_coins < target_amount + 2**20
# target_amount = (2**36) + (2**35) = 103079215104
103078166528 < current_coins < 103080263680
We will pick a number between these limits: 103078166529.
The calculation int(103078166529 / 10**8) converts it to 1030, which is passed as the token to victory_screen(..), which will call the
def decode_flag(frob):
    # frob is the token; it seeds the XOR chain
    last_value = frob
    encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072, 1095, 1090, 1027,
                    1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
    decoded_flag = []
    for i in range(len(encoded_flag)):
        c = encoded_flag[i]
        # undo the position-dependent offset, then XOR with the previous encoded value
        val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
        decoded_flag.append(val)
        last_value = c
    return ''.join([chr(x) for x in decoded_flag])
It will print the flag:
Of course we can also bypass all these stages and just try to call the decode_flag() function with a random number:
It is easy to complete it: we need to have “i” at the beginning.
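The two observations above (the coin window maps to a single token, and a random number still decodes everything except the first character) can be checked together. This is an added example, not part of the original writeup or the challenge source; `reachable_tokens`, `token_from_first_char` and `tail_is_token_independent` are hypothetical helper names, and the constants are copied from the snippets above.

```python
# Added example; constants and decode logic are taken from the writeup.
ENCODED_FLAG = [
    1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087,
    1110, 1092, 1072, 1095, 1090, 1027, 1127, 1040, 1137, 1030,
    1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054,
]


def decode_flag(frob):
    """Same decoding as the writeup's decode_flag()."""
    last_value = frob
    decoded = []
    for i, c in enumerate(ENCODED_FLAG):
        decoded.append((c - ((i % 2) * 1 + (i % 3) * 2)) ^ last_value)
        last_value = c  # from here on the key is the ciphertext itself
    return "".join(chr(x) for x in decoded)


def reachable_tokens():
    """Tokens int(current_coins / 10**8) can take inside the winning window."""
    target_amount = 2**36 + 2**35
    lowest = target_amount - 2**20 + 1   # the limits are exclusive
    highest = target_amount + 2**20 - 1
    return set(range(int(lowest / 10**8), int(highest / 10**8) + 1))


def token_from_first_char(ch):
    """Hypothetical helper: at i == 0 nothing is subtracted, so frob = c0 ^ ch."""
    return ENCODED_FLAG[0] ^ ord(ch)


def tail_is_token_independent(a, b):
    """Hypothetical helper: only the first character depends on the token."""
    return decode_flag(a)[1:] == decode_flag(b)[1:]


if __name__ == "__main__":
    print("tokens reachable from the coin window:", reachable_tokens())
    print("token implied by a leading 'i':", token_from_first_char("i"))
    print("tail independent of token:", tail_is_token_independent(0, 1030))
    print("decoded with wrong token 0:", ascii(decode_flag(0)))
```

Because `last_value` is overwritten with the encoded value after the first iteration, the token only protects one character, which is why guessing that character is enough.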