
Joe Grassl

Freelance codeslinger

Exatlon

A reverse engineering challenge from HackTheBox. The goal in this one is to decode a password in a manner similar to the keygen programs built for software piracy.
Running strings on the binary reveals that it's packed with UPX.
A quick web search turns up the tool and the binary can be unpacked with a single command.
Disassembling the program in radare2 quickly shows how it operates. It reads a password string from the user, runs it through the "exatlon" function, and then compares the result to a big string of numbers separated by spaces. Entering that number string as the password doesn't return the flag, so the flag must be encoded somewhere within the string itself.
By running the program under radare2 in debug mode, entering "aaaa" as the password, and viewing the registers at a breakpoint, it is clear that the user input is being encoded by the "exatlon" function in the same format as the numerical string it's being compared against.
On a hunch, I test out dividing the encoded value of "a" by its decimal ASCII value of 97. This returns a value of exactly 16. So, every number in the comparison string is an ASCII character whose decimal value has been multiplied by 16.
I wrote a quick Python script to decode the mystery string, and it works like a charm!
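The decoder below is an added example, not the author's script: it inverts the transform described above (each space-separated number is a character's decimal ASCII value times 16), re-creates the encoding so the "a" divided by 97 sanity check can be reproduced, and refuses input that isn't a clean multiple of 16 or doesn't decode to printable ASCII. The comparison string used here is constructed for illustration and is not the challenge's real data.

```python
"""Decode the Exatlon comparison string: ASCII value * 16 per character.

Added example, not the original writeup's code. SAMPLE_ENCODED is a
CONSTRUCTED stand-in for the binary's real comparison string.
"""

SHIFT = 16  # multiplier found by dividing the encoded "a" by its ASCII value 97


def exatlon_encode(text: str) -> str:
    """Re-create the binary's transform: each char's ASCII value times 16,
    joined by single spaces."""
    return " ".join(str(ord(c) * SHIFT) for c in text)


def exatlon_decode(encoded: str) -> str:
    """Invert the transform. Any token that is not a multiple of SHIFT, or
    that decodes outside printable ASCII, raises instead of silently
    producing a wrong character (useful when the string was copied by hand)."""
    chars = []
    for token in encoded.split():
        value = int(token)
        if value % SHIFT != 0:
            raise ValueError(f"{value} is not a multiple of {SHIFT}")
        code = value // SHIFT
        if not 0x20 <= code <= 0x7E:
            raise ValueError(f"{value} decodes to non-printable byte {code:#04x}")
        chars.append(chr(code))
    return "".join(chars)


def multiplier_for(encoded_token: int, plain_char: str) -> float:
    """The hunch from the writeup: encoded value / ASCII value. Returns 16.0
    for a genuine Exatlon token."""
    return encoded_token / ord(plain_char)


# Constructed sample: encodes the placeholder text "Ex4tl0n!" (not a real flag).
SAMPLE_ENCODED = "1104 1920 832 1856 1728 768 1760 528"

if __name__ == "__main__":
    print("encoded 'a' / 97 =", multiplier_for(int(exatlon_encode("a")), "a"))
    print("decoded sample   =", exatlon_decode(SAMPLE_ENCODED))
```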