Constructor

C++ Constructor reverse enginnering

This is a reverse engineering challenge. Given a tar file and after we extract it we got an ELF file.

when we run the ELF file it seems like it doesnt do much, it just prints out this eyes emoji. Then we proceed to dissasamble it using ghidra.

from the info we gathered before we know the ELF is stripped. As we can see the _start function doesn't do much, cause the program is coded in C++ constructor. this video explains constructor very well https://youtu.be/FZK7BZhST9g?si=sL2HgASgf3QaZ4vT .

So, we proceed to search for the function that have the actual code. We found this function

it has the string "Correct!" in it and the decryption algorithm is in the do while loop.

what the do while loop does:

Read encrypted byte from address 0x403040
XOR with incrementing value 'bVar6', starting from an unknown seed
XOR the result with (i >> 1)
XOR with constant 0x5a
loop until 0x2a which is 42

then we extract the 42 encrypted bytes directly from the binary:

then decrypt using python

cipher_bytes = bytes.fromhex(
    "33 21 00 6d 5f ab 86 b4 d4 2d 36 3a 4e 90 8c e3"
    "cc 2e 09 6c 49 b8 8f f7 cc 22 4e 4d 5e b8 80 cb"
    "d3 da 20 29 70 02 b7 d1 b7 c4".replace(" ", "")
)

assert len(cipher_bytes) == 42

bVar6 = 0
plaintext = bytearray()

for i in range(42):
    temp = cipher_bytes[i] ^ ((i >> 1) & 0xFF) ^ 0x5a
    original = temp ^ (bVar6 & 0xFF)
    plaintext.append(original)
    bVar6 = (bVar6 + 0x1f) & 0xFF  # Ensure byte overflow like in C

print("Recovered plaintext:")
print(plaintext.decode(errors='replace'))  # replace errors if any non-printable

Flag: idek{he4rd_0f_constructors?_now_you_d1d!!}

PreviousidekCTF 2025 NextMyspace2

Last updated 15 days ago