
12 - Santa's Shuffle

Description

Oh no, the elves have forgotten to close the windows and the draft made mess of Santa's code! Maybe you could clean it up?

#include/*502_-_zU3X)}tM1#Hq$4D"35*/<stdio.h>//W6juf:tvs.]DrIoMM(axv0@|k?+jkES5r
// With the comments stripped, this listing consists of one-letter macros, two
// string constants (d and b) and a main() that prints a prompt, checks sixteen
// input characters and then interprets b one character at a time.
// Sequences that look like comment delimiters inside the string literals are
// ordinary characters of those literals and have to survive any clean-up.
#define/*&jhm|0zs(*/B/*zDq|:OHcU~Dv|;7,FE)9s(Ue!5gM*/break//v9BF(TT1Gq"19#?kJ2*H
#define/*JH8gDjl*/C(x)/*c9UOy:3*/case/*@MgHEK+94c9*/x/*bb]V+F#*/://u$T._.$ms'cjF
#define/*XSGrEWMy94I!VMe_n*/E(x)/*UUG9F{)zJB*/else/*CJsY*9D|SfgQ-XL*/x//s{2GfRjU
#define/*jDdwh4pU,*/F(x)/*@48h|llEw&qpgsJl7ifhb)*/if/*ux7-7_$}9*P*/(x)//s0qQes26
#define/*6#ZZoxYnO4xaPrjtX!?4IFw.o(J.F!aw;l1J*/G/*(K)A*N^+.p#'*/getchar//R3k7&Fz
#define/*i3pPy[qc!eLd1x*/H/*yUP"V{xqnjY*/char//9hek:99{qBf[JY4J]IQ(|uC?fP"l+vyI8
#define/*&#AH67b)-BfgJ*/I(x)/*3*N):*@uqGsPWx8qa6@m6Jh*/int x//FR9+X'O:zMD(h4vS1I
#define/*hJ5*/N(x)/*rjl|(eQP#|z*/const/*7,XJg5(b{55*/x//{v|REgeXz(Lt4i!ip}t$4NFO
#define/*KHZ4M6Iisfr*-*/P/*1=j~}wrY*,{Ed$LBv6RFjZL$.!~dYEQ,!nLcP*/putchar//%cf1H
#define/*NNpSIo2OmEA~By*/R(x)/*KO5g{I.-}d4*/return/*B1W|t9J#IMl*/x//&{GOKv%1DeOR
#define/*{2&kPmy$}*/S/*We3LM~2)9-S+vv0"]F*/switch//(d't:h%G1PW'PMq:YT$99wc'Armhm
#define/*@:ZX?_W)3Ow*/U(x)/*m.ZxP@*/unsigned/*@':qb8*/x//Z0GPh4pWKUeua|U$V0JqZz0
#define/*1b*/W(x)/*A8M{Ww*/while/*lZ8(@={auRxbu(0pQ48vR]Y*/(x)//-gw7zlWYT.LW+rE3
N(H)*d="\0329>\036=\016"/*FzeM,;=3;T@Ddy_k}.3$Z?*/"b\040\012!9\016"/*uKjE"vL!jSf
Ua&hW[A#{mRI3s|ZsKm[9Hy*/"\034b\0377b>\035?-\036=*\xff",*b="++T*+$T#+"/*-4TuyBux
R*/"G++!}++g+Jn+'[{>qb+/$++S+!H+:;v+Ig+*ut"/*#]UMNDx7&g1Db08'fA?dG~;!$Agqcj9d7kY
Pb:6=LN:#n7g1^jEa(^~#Esv^?KT@_v7mv:)Gs:=84A'6d52X3:z'}Yc@*/">x0+t(++({+jy$+;1_+"
"&(+4+%D+>%2++e+@+"/*.AdT0D+}1'2Y**/"6(E+^>+&P+:^$++{TY+#46>^+'+++)~+"/*medVBKLr
|KgL,VcJT#h!C#3;YgsyYEW*/"+'eH+++)/+=+_q+/S_>2+++cdX+P"/*pYGWqg@*YTM,{Oz,R:lfL3A
jmBLNi~9D~lXv9|Ro);*^CVq6pZ&?kX6e1sY=)R;?eEO.=-jC5V*/"<'<_X<;<<4<-&]g:>++Q.DcG>"
"h-_*-/@i-*-2.>tw#.NG"/*Sk3NzCn9HK[Xbmh)ZBNxOU6&(4CsDo9HN*/">-c_._>+'pk+_%d+"/*e
KkKW=SK%N^sG?J{BDv]beCstKi9AM;W]dc@0;VBGPQZPK9Nm*/".>wHB+(+5kD+gXc++=.h[l[;q-:]"
"9X~<u]-5{C,2o+V[fx"/*MLh3wxz0UW6UcLiirf*vwP.27~h$tpz1VBjakH-gN&!-kp*/"A-9v>$3%"
">d;+Yp+~++%+{f+T+!34+PW+Oc[5X0<"/*RDCzF8Y0i,bbWa-MjYNq+,dO=,ty#U#z{740pXD{avr@3
MAtj*/"H(+=+#=+F+)$T+Z*C++"/*-MKeCw&y*_Fq)_#Ac5{o4[6f5d#~AGi&?g7YJ--Ck~fhXu*/"J"
"+$Y+##F>~-"/*Th2N8[9o(MGz6[*e0=l[_ic2*]]nawirp%j%;.Qb;0di@;Y%h&_{mI~En'D,}2Trrm
d=88J,Te*/"9]&<A-mBq-W>'rm>S>>C+jY+Q;+x/+zm+1~"/*C@G9Yw-i6-^WHr#S71p1|WbfzMa(fm:
}--b3TC4+?h%nXX,*/"+@:+Ic+[}-<<<$_{<<A:%[$->s=>l6+4<y<7Y3[!"/*LBI&T.E7+oGpFdKw;2
MppMYs;9H8Ow0X2Rz4W_Ti*5uEta*/"-?>>!h->Wz+pg"/*o)Mf_X(c:X.+n@Bt0oH6kz5chq(n,SRUR
ag9bZh=O^^hl}-sNZa#I.*/"*<ie]dp>F)%>['->/>e>>9a+<:<$b]5)<l@<rg<a<"/*+E!ctUOo:,Pa
)tGM~:G;HD@Tjb::*/"G}'])n>M!2>>=[T:-<z<'D"/*Iqb)U?mCXJ^$3Re*/"1<6+^>*>>]69<@=<j"
"~[J7u-;ZD>W+{e<(c[I->Tf-B>T"/*qYD7M(S_XGcvuUL~_PekkwA5#6*/"_+>r>?1>G>T>&%]9B"/*
Lv8ZDr?RjGs;-J3~o0X'!I6;Rw#r!R9,X&;}4*/">n_[$S#->>p^W>J#>T>?s+7:>>A]E3$<"/*=G:4V
8=!d?OR6#j3*/":?4<5ER<Y<j?l<i<m<5Y@<f9]>sV>[-"/*'8DM^vq#_NjYs!:jP'u}{;&{(m%H~Esu
!;?bv;q{&0vt8$K$=iX7r)X$1@'11ozHm~)K&{zO?MV7Ni{A^?VMrm!DyyNl*/"7e<jF3<j:+&g>>]:"
/*{_)xTWM0gydIb*/"7>sM>>{[N-xp>g>;+6D%<"/*1Gxb4RjC]zQl:x*/"<Y];>eH2[a>[/-Q@_"/*5
klM%MTS7-G*/"<->]rZZ<X[b/*-Yw>f=t+7B<B]b]W=m>!6[[7-"/*t3f]*Q[;~}5t:~hG:^KO[E)&Jz
Shorl[Y*/"xs]<FTl<<[-)}>M^+?}>o-@"/*{_)xTWgydIb*/"}<aGu<@=]w>84[(-7'<7(P+Xlf>(;"
")]+"/*vv*A;-]y;yZtIPqxU2owVmKGltr{B4wb94]A2le'qZ?vrr7*/">(''+B+$?++J+cz+u"/*i;U
{N^-iw80*/"+$/[?33-Rq<([k't-'>>%b++6<D<9o"/*3MxfPEPA}iUt=WlP-Nk-jf2^x=W.qG]Ww9Kx
#I*/"r]$K>@&>&[&-"/*h7W0!8!b'Z*/"S9<<V&+XO5>%~>}]@<IYO"/*n*/"]<ET{[}v-Y@w>ZT"/*7
bi)v1)FJ!*/">f>O&A>+GT<*<q<<]~>)u>;]<5<"/*'_]6z*OTYR^C|*/"<xH_]'>%V>xnX>>b"/*C@G
9Yw-i6-^WHr#S71p1|WbfzMa(fm:}--b3TC4+?h%nXX,*/">&[6L?<<L<<hW<?<"/*!1.oC(f3*/"}1"
"<gQ<I%S<<+L>>p5>{V>>N"/*@17zHqHDXY}@er9=-V%@Q#xM(Bsh=P-6N%&TR*/">&*/>>%6&>;@"/*
_iTnvnJbvi$[6*/">p-;]j<H7<<e<x<8p<'<0u<xd<6"/*{W8~.?_~#O7#5*/"<[_x>3>lSh+z'/+pB"
"++#[>98++#&++(+?Y+:o:+"/*6U*/"S+h;p<!8-?oE]{w<;&!+jn<"/*0zau:c$EPm*/"$@-[s$h>E"
/*n*/"i+#}!>!?+>o@-~Gz[@>b>"/*zk-=LkVIqd8qvO9oH]wySCxT*/")L*>y=]%gL<gHO[}"/*Do~i
4Co(MS!Di*/"/^[eL?>YZv+Z*<$-TR%]>>@(6+1>@]<#&"/*4BB;I;4BMN*/"<KV&<1(<<~-!"/*.AdT
0D+}1'2Y**/"]4oT]CsH>>E&>[p$}-Nv%"/*Ry.)ero|r7~OW43_QlZMn_^%u^l@5x)O({)p%jgC&~{5
BqHdfqlbVK(5{$'6O{})p'z~vcdsy:z7Yd!@Wh9JE25!+;*OfS*/"]OtH+>4o-o-=#[H-VG[=<-Z>qw"
"++q+*[A-(Tj]]Ko%]"/*!I*/"GQr<(%D[:+AEx+!Qc+k3"/*)#*/"+Wg+'I+++t+=+:+KK+"/*ZSRJF
YKk*/"Y<[a>*-}V%[>$A^+?z)>>/^]"/*mT0+D0v*/"Wak>$[L+~$[$@8<^k+YI?>24u-"/*A_AveOM{
5i~$OIQ*/"(Sk]9>odv+{>>uIH]j~<H<1D$<<8:"/*B]NBoj~k*/"<-T}F]PD>SP/>[<@K+C>-)I"/*e
*Ii,8zF5-WU08d*/":]x>[{-n)G[8-<w#<M[(-*}]V>^:*>7]*"/*|6Y}*/"<o@E<a[n;c<=<#->x>$"
"1-#Z]FC^>s>({L]X</I<6Uk[?<j"/*u~'=sq!L0XoM!d~bojCFsx7l~){VxF}Y:viR=7MM2!%K5!T63
^1pT(ja4!3Kx?z4Eh=E_Ra:'dvYBs4'@Arb*/"<+a{m>3op>-GR]7]y<;5[(-p]S<cH."/*Q,qTG32*/
"'[8ZR-Rz9]b<TZ*-;:,j+"/*_iTnvnJbvi$[6*/"S]?++:A+q((+MS+C([O"/*B]Nuoj~k*/"#>)+W"
"+eL+w&+$+%r"/*{W8~.?_~#O7#5*/"W+CUW+++{>J$O+;Y@++v#"/*0zau:c$EPm*/"m+++!0H+*"/*
6U*/"xr+n}$++eE++m#+(k}++"/*#]UMND&x#isa?ha@i!ofa5+465a...476'}Yc@*/"&++)_+9Gh+"
"Rg+s}+)&P+b+"/*ob+W^Yl~lLu_&X{ssO4"-*/"=+q+Bx<K2<-$B]"/*c;EB*^9'j*/">(&y.}%k>@"
".UZ[2[-]s"/*ys5P.ow5z$TA~D?3E[SnjF9G"'x5$J,yC66&vdjhdd%!I+mz*/"=_<]+&#+l#++"/*e
0m=g*/"*+pq+ed"/*rt#|Ex^fW*/"+}+)/++y.o"/*w;GPA++tv+x+=>+(pM+Yy_+h+92F9G"'c#x5$J
,3_y<I%_M<a*/"TC[c#7-]W'";/*-4Tugi5DA;?#"R(@yBuxR*/I(main)(){P(69);/*?LcsZnTxv7^
*/P(11*/*c;EB*^9'j*/10);I(K)/*ob+W^Yl~lLu_&X{ssO4"-*/=(1<<6)+2,L=(/*4I'04h5D|_+3
bCM%6[&[?X(N%e#[rhQI:UdJg*/4<<4)+6;P(58*2);/*e0m=g*/P(101);P(/*@Hc#=;*/114);;P(1
/*nGe5.6'*/<<5);P(107)/*H2}"jhB=g2N.?aS*/;P(101);N(H)*c=b;P(11/*w=Pc4sIz2~BA;k)o
*/*11);P(58/*?uK[*/);P(2/*>>*/<<4);H/*j!jS*/k=/*S1T%*/(H)G();I(i),s=1<<15,p=0;U(
H)m[1<<15]/*@5&o%OHT]5o1aDNsgiS|x]G:+^*/={0};F(k!=K/*xskgVsQ.I]?FI]=b*/||G()!=L)
R(2);K=0x34;k=(H)G();F(k/*_^%u^l@5HdfqlbVK(*/!=K||G()!=58*2)R(2);k=(H)G();F/*n_#
@j;2)$b*/(k!=104||G()!=16*/*l3o_{Dl^%Z^h*/5+21)R(2);k=(/*fr?BI1V9'~{?Ko*/H)G();F
(k!=0x57||G()!=4*25+5/*Mc0%{OfEl'%FL~);?;)l*/)R(2);k=(H)G();F(k!=0x4E||G()!=36)R
(2);k=(H)G();L=105;F(k!=82||G()!=L)R(2);k=(H)G();F(k!=103||G()!=k+1)R(2);k=(H)G(
);F(k!=7*16+4||G()!=(2<<5)-1)R(2);W(*c!=0)/*1+GSg7D+r4SgGh+*/{S(*(c++)){C(43)++m
[p];/*Qe_nbD:7]bO~l*/B;C(44)m[p]=*d!=0?*(d++):0;B;C(45)--m[p];/*f%*/B;C(46)P(m[p
]);B;C(60)p=(p+s-1)%s;B;C(62)p=(p+1)%s;/*ys5P.ow5z$F9G"'x5$J,yC66&vI+mz*/B;C(91)
F(!m[p]){i=0;W/*Q.4UI339&#yPNH|ldo*giA;?#"R(@7|Eklhk!.)Ny:@UKg6w~-vm?HCy{oicbwuO
A1Ki^;=45SS@*/(1){F(*c==0)R(1);F(*(c++)!=93||--i>=0){F(*(c-1)==91)++i;}E(B);}}B;
C(93)i=0;--c;W(1){F(c<b)R(1);F(*c/*rt#|Exchjw6AcX1HkOsP~S&$&mazkig1,"g;Di2GjM;=2
W7;_=JhX$i18J3cg]]6FQKmi(|Ok^fW*/!=91||--i>0){F(*(c--)==93)++i;}E(B);}B;}}R(0);}

Solution

For this challenge we are given some C code. Running it asks us for a key input. I found two different solutions for this challenge.

First Solution using GDB

First, I made the code more readable:

#include <stdio.h>

/* Single-letter aliases kept from the challenge source. Each expands to a plain
 * C keyword or a stdio call, so the code that uses them is ordinary C. */
#define B break             // B;        -> break;
#define C(x) case  x :      // C(43)     -> case 43:
#define E(x) else x         // E(B);     -> else break;
#define F(x) if (x)         // F(a) stmt -> if (a) stmt
#define G getchar           // G()       -> getchar()
#define H char              // H k       -> char k
#define I(x) int x          // I(i)      -> int i
#define N(x) const x        // N(H)      -> const char
#define P putchar           // P(69)     -> putchar(69)
#define R(x) return x       // R(2);     -> return 2;
#define S switch            // S(v)      -> switch (v)
#define U(x) unsigned x     // U(H)      -> unsigned char
#define W(x) while (x)      // W(1)      -> while (1)

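/* d: bytes handed out one at a time by the interpreter's ',' instruction
 * (case 44 in main). Once the terminating NUL is reached, ',' stores 0. */
N(H) *d = "\0329>\036=\016"
          "b\040\012!9\016"
          "\034b\0377b>\035?-\036=*\xff";

/* b: program text walked by the interpreter loop in main. Only the eight
 * characters handled by its switch (+ , - . < > [ ]) have an effect; the switch
 * has no default case, so every other character is skipped.
 *
 * The literal that contains a slash followed by an asterisk is followed in the
 * obfuscated original by three more literals, which are restored below. Inside
 * a string literal that two-character sequence is ordinary text and does not
 * open a comment, so a clean-up must not treat it as one. */
N(H) *b = "++T*+$T#+"
          "G++!}++g+Jn+'[{>qb+/$++S+!H+:;v+Ig+*ut"
          ">x0+t(++({+jy$+;1_+"
          "&(+4+%D+>%2++e+@+"
          "6(E+^>+&P+:^$++{TY+#46>^+'+++)~+"
          "+'eH+++)/+=+_q+/S_>2+++cdX+P"
          "<'<_X<;<<4<-&]g:>++Q.DcG>"
          "h-_*-/@i-*-2.>tw#.NG"
          ">-c_._>+'pk+_%d+"
          ".>wHB+(+5kD+gXc++=.h[l[;q-:]"
          "9X~<u]-5{C,2o+V[fx"
          "A-9v>$3%"
          ">d;+Yp+~++%+{f+T+!34+PW+Oc[5X0<"
          "H(+=+#=+F+)$T+Z*C++"
          "J"
          "+$Y+##F>~-"
          "9]&<A-mBq-W>'rm>S>>C+jY+Q;+x/+zm+1~"
          "+@:+Ic+[}-<<<$_{<<A:%[$->s=>l6+4<y<7Y3[!"
          "-?>>!h->Wz+pg"
          "*<ie]dp>F)%>['->/>e>>9a+<:<$b]5)<l@<rg<a<"
          "G}'])n>M!2>>=[T:-<z<'D"
          "1<6+^>*>>]69<@=<j"
          "~[J7u-;ZD>W+{e<(c[I->Tf-B>T"
          "_+>r>?1>G>T>&%]9B"
          ">n_[$S#->>p^W>J#>T>?s+7:>>A]E3$<"
          ":?4<5ER<Y<j?l<i<m<5Y@<f9]>sV>[-"
          "7e<jF3<j:+&g>>]:"
          "7>sM>>{[N-xp>g>;+6D%<"
          "<Y];>eH2[a>[/-Q@_"
          "<->]rZZ<X[b/*-Yw>f=t+7B<B]b]W=m>!6[[7-"
          "xs]<FTl<<[-)}>M^+?}>o-@"            /* restored from the original */
          "}<aGu<@=]w>84[(-7'<7(P+Xlf>(;"      /* restored from the original */
          ")]+"                                /* restored from the original */
          ">(''+B+$?++J+cz+u"
          "+$/[?33-Rq<([k't-'>>%b++6<D<9o"
          "r]$K>@&>&[&-"
          "S9<<V&+XO5>%~>}]@<IYO"
          "]<ET{[}v-Y@w>ZT"
          ">f>O&A>+GT<*<q<<]~>)u>;]<5<"
          "<xH_]'>%V>xnX>>b"
          ">&[6L?<<L<<hW<?<"
          "}1"
          "<gQ<I%S<<+L>>p5>{V>>N"
          ">&*/>>%6&>;@"
          ">p-;]j<H7<<e<x<8p<'<0u<xd<6"
          "<[_x>3>lSh+z'/+pB"
          "++#[>98++#&++(+?Y+:o:+"
          "S+h;p<!8-?oE]{w<;&!+jn<"
          "$@-[s$h>E"
          "i+#}!>!?+>o@-~Gz[@>b>"
          ")L*>y=]%gL<gHO[}"
          "/^[eL?>YZv+Z*<$-TR%]>>@(6+1>@]<#&"
          "<KV&<1(<<~-!"
          "]4oT]CsH>>E&>[p$}-Nv%"
          "]OtH+>4o-o-=#[H-VG[=<-Z>qw"
          "++q+*[A-(Tj]]Ko%]"
          "GQr<(%D[:+AEx+!Qc+k3"
          "+Wg+'I+++t+=+:+KK+"
          "Y<[a>*-}V%[>$A^+?z)>>/^]"
          "Wak>$[L+~$[$@8<^k+YI?>24u-"
          "(Sk]9>odv+{>>uIH]j~<H<1D$<<8:"
          "<-T}F]PD>SP/>[<@K+C>-)I"
          ":]x>[{-n)G[8-<w#<M[(-*}]V>^:*>7]*"
          "<o@E<a[n;c<=<#->x>$"
          "1-#Z]FC^>s>({L]X</I<6Uk[?<j"
          "<+a{m>3op>-GR]7]y<;5[(-p]S<cH."
          "'[8ZR-Rz9]b<TZ*-;:,j+"
          "S]?++:A+q((+MS+C([O"
          "#>)+W"
          "+eL+w&+$+%r"
          "W+CUW+++{>J$O+;Y@++v#"
          "m+++!0H+*"
          "xr+n}$++eE++m#+(k}++"
          "&++)_+9Gh+"
          "Rg+s}+)&P+b+"
          "=+q+Bx<K2<-$B]"
          ">(&y.}%k>@"
          ".UZ[2[-]s"
          "=_<]+&#+l#++"
          "*+pq+ed"
          "+}+)/++y.o"
          "TC[c#7-]W'";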

/* Prints the prompt "Enter key: " one character at a time, validates sixteen
 * input characters in pairs (returning 2 on the first mismatch), then runs the
 * program text in b through a Brainfuck-style interpreter.
 * Returns 0 when the end of b is reached and 1 when a bracket has no partner. */
I(main)() {
    P(69);                      // 'E'
    P(11 * 10);                 // 'n'
    // First expected pair of key characters: K = 66 ('B'), L = 70 ('F').
    I(K) = (1 << 6) + 2, L = (4 << 4) + 6;
    P(58 * 2);                  // 't'
    P(101);                     // 'e'
    P(114);;                    // 'r'
    P(1 << 5);                  // ' '
    P(107);                     // 'k'
    P(101);                     // 'e'
    // c walks the program text b as the interpreter's instruction pointer.
    N(H) * c = b;
    P(11 * 11);                 // 'y'
    P(58);                      // ':'
    P(2 << 4);                  // ' '
    H k = (H) G();              // first key character
    // i counts bracket nesting, s is the tape length (32768), p the tape index.
    I(i), s = 1 << 15, p = 0;
    U(H) m[1 << 15] = { 0 };    // tape of unsigned bytes, all zero
    // Key check: k holds one character and G() reads the next one. Because of
    // the ||, G() is only called when the first comparison already matched.
    F(k != K || G() != L) R(2);                         // 'B', 'F'
    K = 0x34;
    k = (H) G();
    F(k != K || G() != 58 * 2) R(2);                    // '4', 't'
    k = (H) G();
    F(k != 104 || G() != 16 * 5 + 21) R(2);             // 'h', 'e'
    k = (H) G();
    F
    (k != 0x57 || G() != 4 * 25 + 5) R(2);              // 'W', 'i'
    k = (H) G();
    F(k != 0x4E || G() != 36) R(2);                     // 'N', '$'
    k = (H) G();
    L = 105;
    F(k != 82 || G() != L) R(2);                        // 'R', 'i'
    k = (H) G();
    F(k != 103 || G() != k + 1) R(2);                   // 'g', 'h' (103 + 1)
    k = (H) G();
    F(k != 7 * 16 + 4 || G() != (2 << 5) - 1) R(2);     // 't', '?'
    // Interpreter loop: dispatch on each character of b until its NUL. The
    // switch has no default, so characters other than the eight below are
    // skipped.
    W( * c != 0) {
        S( * (c++)) {
            C(43)   // '+': increment the current cell
                ++m[p];
                B;
            C(44)   // ',': take the next byte of d, or 0 once d is exhausted
                m[p] = * d != 0 ? * (d++) : 0;
                B;
            C(45)   // '-': decrement the current cell
                --m[p];
                B;
            C(46)   // '.': output the current cell
                P(m[p]);
                B;
            C(60)   // '<': move left, wrapping around the tape
                p = (p + s - 1) % s;
                B;
            C(62)   // '>': move right, wrapping around the tape
                p = (p + 1) % s;
                B;
            C(91)   // '[': when the cell is zero, skip past the matching ']'
                F(!m[p]) {
                    i = 0;
                    W(1) {
                        // Running off the end of b means the ']' is missing.
                        F( * c == 0) R(1);
                        // Keep scanning unless this is a ']' at depth 0; a
                        // nested '[' raises the depth, a nested ']' lowers it.
                        F( * (c++) != 93 || --i >= 0) {
                            F( * (c - 1) == 91) ++i;
                        }
                        E(B);
                    }
                }
                B;
            C(93)   // ']': always jump back to the matching '[', which re-tests the cell
                i = 0;
                --c;    // step back onto the ']' itself; the scan counts it as depth 1
                W(1) {
                    // Walking past the start of b means the '[' is missing.
                    F(c < b) R(1);
                    // Stop on the '[' that brings the depth back to 0.
                    F( * c != 91 || --i > 0) {
                        F( * (c--) == 93) ++i;
                    }
                    E(B);
                }
                B;
        }
    }
    R(0);
}

We can see that the input is compared in the following lines, where the F macro expands to a plain if:

// Each check compares the character already held in k with one constant and a
// freshly read character (G is getchar) with a second one; a mismatch returns 2.
// K and L start out as (1 << 6) + 2 = 66 and (4 << 4) + 6 = 70 in main.
F(k != K || G() != L) R(2);                         // 66 'B', 70 'F'
K = 0x34;
k = (H) G();
F(k != K || G() != 58 * 2) R(2);                    // 0x34 '4', 116 't'
k = (H) G();
F(k != 104 || G() != 16 * 5 + 21) R(2);             // 104 'h', 101 'e'
k = (H) G();
F
(k != 0x57 || G() != 4 * 25 + 5) R(2);              // 0x57 'W', 105 'i'
k = (H) G();
F(k != 0x4E || G() != 36) R(2);                     // 0x4E 'N', 36 '$'
k = (H) G();
L = 105;
F(k != 82 || G() != L) R(2);                        // 82 'R', 105 'i'
k = (H) G();
F(k != 103 || G() != k + 1) R(2);                   // 103 'g', 104 'h'
k = (H) G();
F(k != 7 * 16 + 4 || G() != (2 << 5) - 1) R(2);     // 116 't', 63 '?'

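Now, I simply used gdb and stepped through those lines to get the input that would satisfy the checks. Each check compares two consecutive input characters with constants, so the expected characters can be read off pair by pair (the first pair, 66 and 70, is "BF"). The input has to be BF4theWiN$Right? and with this we get the flag HV21{-HidDeN-bRaiNF-Ck-dEcoDer-}.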

Second Solution using angr

An alternative and much more elegant solution uses symbolic execution. For this I compiled the program to a binary (a.out) and used angr, running the following Python script:

import angr, sys

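def succ(state):
    """Return True when the emulated program's output so far contains b"HV21".

    Used as the ``find`` predicate for the exploration, so it is called with
    candidate states and must only inspect them.
    """
    # The descriptor passed to posix.dumps belongs to the emulated program,
    # where stdout is 1. Reading the number from the host's sys.stdout ties the
    # check to the host environment and raises when sys.stdout has been
    # replaced by an object without a real descriptor.
    return b"HV21" in state.posix.dumps(1)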

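# Load the compiled challenge and explore it from its entry point until some
# state satisfies succ (the flag prefix has appeared in the program's output).
proj = angr.Project('a.out')
init = proj.factory.entry_state()
sim = proj.factory.simgr(init)
sim.explore(find=succ)

if sim.found:
    # Descriptor 0 is the emulated program's stdin: print the input bytes that
    # drive execution into the first matching state.
    print(sim.found[0].posix.dumps(0))
else:
    # Report an exhausted search instead of exiting silently with status 0.
    sys.exit("no explored state produced output containing HV21")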

This simulates the binary until it finds a state where the output contains HV21, and then prints the standard input that leads to that state. Running the script only takes a few seconds.