From f0395722e1688275488e84acd758cd476cc37459 Mon Sep 17 00:00:00 2001 From: haskal Date: Tue, 14 Jul 2020 03:34:57 -0400 Subject: [PATCH] add image --- 2020/rgbctf/lych-king/README.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/2020/rgbctf/lych-king/README.md b/2020/rgbctf/lych-king/README.md index ea137dd..e6c01da 100644 --- a/2020/rgbctf/lych-king/README.md +++ b/2020/rgbctf/lych-king/README.md @@ -103,11 +103,16 @@ computing the XOR of the output with the input to recover the key. by default we so i gave up and switched to fuzzing. the flavor text says the binary was slightly changed, so i guessed the initial argument of 1997 was changed to something else. by cribdragging the ciphertext (looking for any points in the stream where XOR with any digits 0-9 can produce `rgbctf{`) i found -exactly one such offset -- 152. then i created a script to patch the binary for 1997, the exact -instruction that loads it can be found in `s3m8_info` at address `0x407c57`. i found this by simply -searching the memory in ghidra for 1997. this corresponds to a file offset of `0x7c5b:0x7c5f`. then -i tried numbers in order until the pad contained the right numbers to produce `rgbctf{` at offset -152. +exactly one such offset -- 152. + +then i created a script to patch the binary for 1997, the exact instruction that loads it can be +found in `s3m8_info` at address `0x407c57`. i found this by simply searching the memory in ghidra +for 1997. this corresponds to a file offset of `0x7c5b:0x7c5f`. + +![ghidra view showing the instruction that must be patched](ghidra.png) + +then i tried numbers in order until the pad contained the right numbers to produce `rgbctf{` at +offset 152. ```python def run_patch(i):
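Review bot: the added line `![ghidra view showing the instruction that must be patched](ghidra.png)` references an image file that this commit does not include; the diffstat lists only `2020/rgbctf/lych-king/README.md` (1 file changed, 10 insertions, 5 deletions), so the link will render as a broken image until `ghidra.png` is committed in the same directory as the README. Suggest either adding the image to this commit or confirming it already exists in the tree. The rest of the hunk only splits the original paragraph into three around the new image line and leaves the wording unchanged, so no other concerns.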