snyk CTF 2025 - Math For Me

1. Writeup: Math For Me - Reverse Engineering
2. [email protected], 2025-02-28
3.  
4.  
5. % file math4me
6. math4me: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=662371bb4df3dc3e85b895f2e3f0f1c880c63471, for GNU/Linux 3.2.0, not stripped
7.  
8. % strings math4me
9. …
10. %d: %d
11. Welcome to the Math Challenge!
12. Find the special number:
13. Congratulations! Here's your flag: %s
14. That's not the special number. Try again!
15.  
16. Decompile with IDA-Free
17.  
18. Right magic number that makes check_number() true: 20
19.  
20. % cat m4m.c
21. #include <stdio.h>
22. #include <string.h>
23.  
24. int check_number(int n)
25. {
26. return (5 * n + 4) / 2 == 52; // true for input 20
27. }
28.  
29. void compute_flag_char(char *target, int i, int input_num) // i=5, 6, ... 36
30. {
31. int funnyoffset; // [rsp+1Ch] [rbp-A4h]
32. int plusminus[20]; // [rsp+20h] [rbp-A0h]
33. char longnumberstring[72]; // [rsp+70h] [rbp-50h] BYREF
34.  
35. strcpy(longnumberstring, "5552ef842ecab9be1b15536653855555552ef842ecab9be1b1553665385555");
36. plusminus[0] = 1;
37. plusminus[1] = 3;
38. plusminus[2] = -2;
39. plusminus[3] = 4;
40. plusminus[4] = -1;
41. plusminus[5] = 2;
42. plusminus[6] = -3;
43. plusminus[7] = 1;
44. plusminus[8] = 4;
45. plusminus[9] = -2;
46. plusminus[10] = 3;
47. plusminus[11] = -1;
48. plusminus[12] = 2;
49. plusminus[13] = -4;
50. plusminus[14] = 1;
51. plusminus[15] = -2;
52. plusminus[16] = 3;
53. plusminus[17] = -1;
54. plusminus[18] = 2;
55. funnyoffset = i * input_num % 5 + plusminus[i % 10];
56. printf("%d: %d\n", i, funnyoffset);
57. *(char *)(i + target) = longnumberstring[i] + funnyoffset;
58. }
59.  
60. int main(void)
61. {
62. int input_num; // [rsp+8h] [rbp-48h] BYREF
63. int i; // [rsp+Ch] [rbp-44h]
64. char v6[37]; // [rsp+10h] [rbp-40h] BYREF
65. char v7[19]; // [rsp+35h] [rbp-1Bh] BYREF
66.  
67. puts("Welcome to the Math Challenge!");
68. printf("Find the special number: ");
69. scanf("%d", &input_num);
70. memcpy(v6, "flag{", 5);
71. if ( check_number(input_num) )
72. {
73. for ( i = 5; i <= 36; ++i )
74. compute_flag_char(v6, (unsigned int)i, input_num);
75. strcpy(v7, "}");
76. printf("Congratulations! Here's your flag: %s\n", v6);
77. }
78. else
79. {
80. puts("That's not the special number. Try again!");
81. }
82. return 0;
83. }
84. % gcc m4m.c -o m4m
85. % echo 20 | ./m4m
86. Welcome to the Math Challenge!
87. Find the special number: 20
88. 5: 2
89. 6: -3
90. 7: 1
91. 8: 4
92. 9: -2
93. 10: 1
94. 11: 3
95. 12: -2
96. 13: 4
97. 14: -1
98. 15: 2
99. 16: -3
100. 17: 1
101. 18: 4
102. 19: -2
103. 20: 1
104. 21: 3
105. 22: -2
106. 23: 4
107. 24: -1
108. 25: 2
109. 26: -3
110. 27: 1
111. 28: 4
112. 29: -2
113. 30: 1
114. 31: 3
115. 32: -2
116. 33: 4
117. 34: -1
118. 35: 2
119. 36: -3
120. Congratulations! Here's your flag: flag{h556cd-NOTGONNATELLYOU-368391gc
121.  
122. Note: add trailing '}':
123. flag{h556cdd`=ag.c53664:45569368391gc}
124.