logoChat01.ai

password of zipfile is hackthebox, this is HTB CTF...

Создано: 22 июня 2026 г.

Отвечено с использованием GPT-5.5 Thinking от Chat01

Вопрос

a12c732e-deba-45eb-b216-53887973c2ba.zip

password of zipfile is hackthebox, this is HTB CTF reversing challenge, and this is the challenge scenario: "VM, MBA, OP, JI (Junk Instructions), what are these terms. Well, now you're going to defeat them.". Try to solve until you find the full flag, don't stop until you still not find it, then explain in steps by steps how you can solve, the flag format is "HTB{<TEXT>}. Good luck!

Мысль

bash -lc cd /mnt/data/rev_callfuscated_work/rev_callfuscated flag='HTB{Sliced_Up_the_Function_4_Ya}' printf '%s\n' "$flag" | ./crackme

Thought for 15m 18s

Ответ

Solved.

Flag: HTB{Sliced_Up_the_Function_4_Ya}

I verified it directly against the binary:

text
Welcome to callfuscated crackme.
To register enter your password: Correct. Validate the challenge using the flag: HTB{Sliced_Up_the_Function_4_Ya}

How I solved it

  1. Extracted the ZIP

    The password was:

    text
    hackthebox

    The archive contained:

    text
    rev_callfuscated/crackme

  2. Identified the binary

    text
    ELF 64-bit LSB executable, x86-64, dynamically linked, stripped

    Running it with a dummy input showed:

    text
    Welcome to callfuscated crackme.
To register enter your password: Incorrect flag. Try again

  3. Found the real main

    The ELF entry passed this address to __libc_start_main:

    text
    main = 0x409002

  4. Defeated the junk/call obfuscation

    The binary used call-threading:

    asm
    call some_block
...
some_block:
    pop r8
    real_instruction
    call next_block

    So linear disassembly was misleading. I lifted the real instruction stream by following call targets that began with:

    asm
    pop r8

    and ignored the fake return addresses.

  5. Recovered the VM bytecode

    The program initializes a DWORD array on the stack from:

    text
    rbp-0x950

    with length:

    text
    0x24a dwords

    This was the VM bytecode.

  6. Mapped VM opcodes

    The VM was stack-based. The useful opcodes were:

    text
    0  = push immediate
1  = pop/discard
2  = add
3  = sub
5  = multiply
7  = OR
8  = XOR
10 = load byte from pointer

    The obfuscated helper functions looked scary because of MBA-style expressions and random junk, but their real behavior was simple. For example:

    text
    op2: 0x2b6 + 0x2056 = 0x230c
op5: 0x41 * 0x100 = 0x4100
op7: 0x4100 | 0x41 = 0x4141
op8: 0x41414141 ^ 0x0915033a = 0x4854427b
op3: subtraction

  7. Understood the check

    The VM builds the input in 4-byte chunks:

    text
    chunk = (((c0 * 0x100 | c1) * 0x100 | c2) * 0x100 | c3)

    Then each chunk is checked like this:

    text
    (chunk XOR mask) - expected == 0

    So:

    text
    chunk = mask XOR expected

  8. Recovered all chunks

    The masks and expected values gave:

    text
    0: 0x0915033a ^ 0x41414141 = 0x4854427b = HTB{
1: 0x427d7872 ^ 0x11111111 = 0x536c6963 = Slic
2: 0x30310a00 ^ 0x55555555 = 0x65645f55 = ed_U
3: 0x2a052e32 ^ 0x5a5a5a5a = 0x705f7468 = p_th
4: 0xcff5ecdf ^ 0xaaaaaaaa = 0x655f4675 = e_Fu
5: 0x1914031e ^ 0x77777777 = 0x6e637469 = ncti
6: 0xf6f7c6ad ^ 0x99999999 = 0x6f6e5f34 = on_4
7: 0x6c6a524e ^ 0x33333333 = 0x5f59617d = _Ya}

    Concatenating them gives:

text
HTB{Sliced_Up_the_Function_4_Ya}

Поделиться этим Q&A