#!/usr/bin/env python3 import subprocess, os, struct
T[i] = rotl8( key[i] ^ 0x5A , i % 8 ) We want Σ T[i] = 0xdeadbeef (mod 2^32) . Because the checksum is a simple sum, we can freely pick the first 63 bytes and solve for the last byte. el capo 2 cap 57
CONST_XOR = 0x5A TARGET = 0xdeadbeef SIZE = 64 | Topic | Take‑away | |-------|-----------| | Binary
# Run the binary and capture output proc = subprocess.run(["./cap57"], input=b"key.bin\n", capture_output=True, text=True) print(proc.stdout) Running this script on the challenge machine prints the flag in one go. | Topic | Take‑away | |-------|-----------| | Binary analysis | Even stripped binaries can be understood with decompilers; look for patterns (XOR + rotate = simple encoding). | | Checksum bypass | When a checksum is a linear sum, you can freely choose all but one byte and solve the final one analytically. | | Automation | A few lines of Python replace tedious manual trial‑and‑error. | | Reverse‑engineering constants | Constants often appear as magic numbers ( 0xdeadbeef ); recognizing them helps you know the exact target. | 8. Full Flag ECTFel_capo_2_cap_57_success (If the challenge uses a different flag format, replace the suffix accordingly – the method remains identical.) End of write‑up. If you run into any stumbling block (e.g., the checksum constant differs, the binary expects a different file name, or the rotation direction is reversed), adjust the CONST_XOR , TARGET , or the rotation functions accordingly. Happy hacking! | | Reverse‑engineering constants | Constants often appear