Ranger Login

Reverse Engineering

We are given a zip file that contains:

First, we look inside index.html and see a call to a WASM module function named check_flag:

In short, the HTML calls a WASM function named check_flag with two arguments: username and password. If it returns 1 (true), the page prints the flag.

Next, we look at the check_flag function in challenge.js:

Because the grep result is a bit unclear, in short:

check_flag is exported as a "c" function from WASM, so we have to reverse the WASM. First we convert the WASM to WAT (WebAssembly Text Format).

From the WAT we get:

In the function body, there's a recurring pattern:

  • i32.load8_u -> loads one byte from the argument

  • i32.const <number> -> the literal byte it is compared against

  • i32.ne -> compares the two bytes (true if they differ)

  • br_if -> exits if the byte is wrong

From there, we get two hex strings, username and password, each with 32 characters:

username: 888765cc1062ceef99457cef217d25c9

password: b54e4863ef82db84ada3143fff3d1fc2
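The recurring pattern can be collected mechanically instead of by eye. The following is an added example, not part of the original writeup: it scans WAT text for load8_u / const / ne / br_if runs and rebuilds the compared string per argument. The sample WAT is constructed, and the function name and the assumption that the pointer comes from the `local.get` directly before the load are mine.

```javascript
// Constructed WAT fragment (not the challenge binary): argument 0 is compared
// with "ab1" and argument 1 with "c2", out of order to exercise offset handling.
const SAMPLE_WAT = `
  local.get 0 i32.load8_u i32.const 97 i32.ne br_if 0
  local.get 0 i32.load8_u offset=2 i32.const 49 i32.ne br_if 0
  local.get 1 i32.load8_u offset=1 i32.const 50 i32.ne br_if 0
  local.get 0 i32.load8_u offset=1 i32.const 98 i32.ne br_if 0
  local.get 1 i32.load8_u i32.const 99 i32.ne br_if 0
  local.get 0 i32.load8_u offset=7 i32.const 0 i32.eq br_if 0
`;

// Returns { argIndex: recoveredString } for every byte-wise inequality check.
function extractComparedStrings(wat) {
  // WAT tokens are whitespace-separated, so one-per-line output works too.
  const tok = wat.split(/\s+/).filter(Boolean);
  const bytes = new Map(); // argIndex -> Map(offset -> expected byte)
  for (let i = 0; i < tok.length; i++) {
    if (tok[i] !== "i32.load8_u") continue;
    // Assumption: the pointer comes from the local.get right before the load.
    if (tok[i - 2] !== "local.get") continue;
    const arg = Number(tok[i - 1]);
    let j = i + 1, offset = 0;
    // Skip optional memarg immediates; only offset= matters here.
    while (j < tok.length && /^(offset|align)=/.test(tok[j])) {
      if (tok[j].startsWith("offset=")) offset = Number(tok[j].slice(7));
      j++;
    }
    // Require the exact tail: i32.const K, i32.ne, br_if.
    if (tok[j] !== "i32.const" || tok[j + 2] !== "i32.ne" || tok[j + 3] !== "br_if") continue;
    const value = Number(tok[j + 1]);
    if (!Number.isInteger(value) || value < 0 || value > 255) continue;
    if (!bytes.has(arg)) bytes.set(arg, new Map());
    bytes.get(arg).set(offset, value);
  }
  const out = {};
  for (const [arg, m] of bytes) {
    const last = Math.max(...m.keys());
    // An offset with no matching check is marked "?" rather than guessed.
    let s = "";
    for (let o = 0; o <= last; o++) s += m.has(o) ? String.fromCharCode(m.get(o)) : "?";
    out[arg] = s;
  }
  return out;
}

console.log(extractComparedStrings(SAMPLE_WAT));
```
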

Then we just open index.html and put its code in solver.js:

If we run it:

Flag: RTRTNI25{888765cc1062ceef99457cef217d25c9b54e4863ef82db84ada3143fff3d1fc2}
