add image

This commit is contained in:
xenia 2020-07-14 03:34:57 -04:00
parent ea86d2a87e
commit f0395722e1
1 changed files with 10 additions and 5 deletions

@ -103,11 +103,16 @@ computing the XOR of the output with the input to recover the key. by default we
so i gave up and switched to fuzzing. the flavor text says the binary was slightly changed, so i
guessed the initial argument of 1997 was changed to something else. by cribdragging the ciphertext
(looking for any points in the stream where XOR with any digits 0-9 can produce `rgbctf{`) i found
exactly one such offset -- 152. then i created a script to patch the binary for 1997, the exact
instruction that loads it can be found in `s3m8_info` at address `0x407c57`. i found this by simply
searching the memory in ghidra for 1997. this corresponds to a file offset of `0x7c5b:0x7c5f`. then
i tried numbers in order until the pad contained the right numbers to produce `rgbctf{` at offset
152.
exactly one such offset -- 152.
then i created a script to patch the binary for 1997, the exact instruction that loads it can be
found in `s3m8_info` at address `0x407c57`. i found this by simply searching the memory in ghidra
for 1997. this corresponds to a file offset of `0x7c5b:0x7c5f`.
![ghidra view showing the instruction that must be patched](ghidra.png)
then i tried numbers in order until the pad contained the right numbers to produce `rgbctf{` at
offset 152.
```python
def run_patch(i):
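Review bot: the added line `![ghidra view showing the instruction that must be patched](ghidra.png)` references an image by relative path, but this commit touches only one file (the writeup itself), so `ghidra.png` is not part of the change and the image will render as a broken link until it is committed alongside the markdown. Please add the image in this commit or note where it is expected to come from. Otherwise the rewrap of the paragraph into separate sentences before and after the image is fine and drops no content from the removed lines.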