Scope

The text that came as description with the CTF was the following:

There has been rumours about a new secure locker under development. You have managed to obtain a first demo of the locker. Can you find a way to crack it?

Only one file/executable was given as a source for this challenge:

fancy-images
├─ chall

Walkthrough

chall is an executable which simulates a locker, containing secrets, which are only accessible with a key.

Essential code:

char* verify_key(char* key_arg)
    char* result
    
    if (strlen(key_arg) == 26)
        char* hex_key
        
        for (int32_t i = 0; i <= 0xc; i += 1)
            sscanf(s: &key_arg[i * 2], format: "%2hhx", &hex_key + i, "%2hhx")
        
        for (int32_t i = 0; i <= 0xc; i += 1)
            *(&hex_key + i) ^= 0x42
        
        char must_be_zero = 0
        
        for (int32_t i = 0; i <= 12; i += 1)
            must_be_zero ^= *(&hex_key + i)
        
        if (must_be_zero == 0)
            int32_t* key = malloc(bytes: 12)
            
            if (key != 0)
                memcpy(key, &hex_key, 12)
                
                // final key has to be an array of these
                // elements:
                // - [0]
                // - [val < time.now]
                // - [val > time.now]
                if (key[2] >= time(nullptr))
                    if (key[1] > time(nullptr))
                        puts(str: "Time travel is not allowed")
                        free(mem: key)
                        result = nullptr
                    else if (*key < 0 || *key > 1) // locker ID = 0
                        puts(str: "Invalid locker id")
                        free(mem: key)
                        result = nullptr
                    else
                        result = "the secret is only available in…"

Reverse the process, write a key generator in python, enter the generated key.

Process reversed:

  1. Create an 4 byte int-array with the values [0][< time.now][> time.now]
  2. Create a checksum (initial value 0, then XOR with each byte in the array)
  3. Append the checksum to the array
  4. XOR every value in the array with 0x42
  5. Print the resulting values as a hex string

Key generator:

import time
import struct

def make_key(locker_id=0):
    now = int(time.time())
    key0 = locker_id
    key1 = now - 1
    key2 = now + 3600
    b = struct.pack('<III', key0, key1, key2)
    b = list(b)
    # Add 13th byte for checksum
    checksum = 0
    for x in b:
        checksum ^= x
    b.append(checksum)
    # XOR with 0x42
    b = [x ^ 0x42 for x in b]
    return ''.join(f'{x:02x}' for x in b)

print(make_key())

Generate a key and enter it into the application then it will print the flag :)