Description
A classic Crackme. Find the password, get the flag! Binary can be downloaded here. Crack the Binary file locally and recover the password. Use the same password on the server to get the flag! Access the server using nc titan.picoctf.net 56916
Setup
Reversing
Download crackme100 and analyze it with Ghidra/objdump to understand the password mangling loops.
Use gdb to break just before setvbuf and read the comparison string from memory (info locals).
wget https://artifacts.picoctf.net/c_titan/83/crackme100 && \
chmod +x crackme100 && \
objdump -D crackme100 | less
Solution
- Step 1: Capture the mangled target. In gdb, break at 0x4011e8 (right before setvbuf). After entering any password, run info locals to see the local_* buffers. Copy the target string stored in local_68.
  gdb crackme100 # break *0x4011e8; run; info locals
- Step 2: Reverse the loop. Write a short Python helper that subtracts the same per-character offsets applied in main(). Running it three times in reverse order reconstructs the true password.
  python3 solver.py # reverse the modulo-26 math
- Step 3: Submit remotely. Test the recovered password against the local binary, then connect to nc titan.picoctf.net 56916 and enter it to receive the real flag.
  nc titan.picoctf.net 56916
Flag
picoCTF{s0lv3_angry_symb0ls_150f...}
Entering the recovered password on the remote instance prints the flag.