Validator#

Challenge#

Name: Validator
Category: rev
Difficulty: Medium

The binary asks for a flag and checks it with an intentionally obfuscated per-byte predicate.

Key observations#

• The ELF is 64-bit PIE and not stripped (symbols exist).
• The real check is performed per-byte by the function zWqDapvkXfHB(byte ch, int idx).
• hIKCTDqsfNLU() is the driver that iterates indices and calls zWqDapvkXfHB.
• zWqDapvkXfHB uses .rodata lookup tables (all 68 bytes):
  • XKCFcEiGsfwe (key-ish table)
  • LojuzgBPJdWU (expected masked value per index)
  • plus oKyKxnebFuod and uJSFvJPHjoaB (used in the obfuscation)

Why “no bruteforce” still works here#

We didn’t blindly bruteforce the whole flag space.

Instead, we:

1. Identified the exact per-byte predicate function (zWqDapvkXfHB) and its index parameter.
2. Used it as an oracle to invert the check one byte at a time (only 256 candidates per index).

That’s an analysis-driven inversion of the validation logic.

Practical solving method (oracle)#

Because the binary is not stripped, GDB can directly call zWqDapvkXfHB.

The only problem is that zWqDapvkXfHB calls a very heavy obfuscation helper wstLsACQERer(). To make the solver fast, we patched wstLsACQERer in-memory to a single ret:

1
set {unsigned char}wstLsACQERer = 0xc3

Then we looped idx=0..67 and tested byte=0..255, selecting the value where the function returns non-zero.

The full script used is in:

• 1. ctf/validator/gdb_solve_validator.txt

Flag#

✅ Verified by running the binary in the Kali VM.

1
VBD{I_kn0w_y0u_w0uld_us3_Opus_hehe_eafa09ad1898e0bcf9c0225076632225}

Verification#

On Kali:

1
echo 'VBD{I_kn0w_y0u_w0uld_us3_Opus_hehe_eafa09ad1898e0bcf9c0225076632225}' | ./validator
2
# => Congratulations! You found the correct flag.

Solver script (embedded)#

This is the exact GDB oracle script used to recover the flag byte-by-byte:

1
set pagination off
2
file /home/kali/validator
3
start
4
# speed: skip heavy obfuscation helper (safe for oracle use)
5
set {unsigned char}wstLsACQERer = 0xc3
6
python
7
import gdb
8
import re
9

10
N = 68
11
sol = [None] * N
12
amb = {}
13

14
for idx in range(N):
15
  cands = []
16
  for b in range(256):
17
    ret = int(gdb.parse_and_eval(f"(int)zWqDapvkXfHB({b},{idx})"))
18
    if ret != 0:
19
      cands.append(b)
20
  if len(cands) == 1:
21
    sol[idx] = cands[0]
22
  else:
23
    amb[idx] = cands
24

25
print('N =', N)
26
print('ambiguous indices =', len(amb))
27
for i, (idx, cands) in enumerate(sorted(amb.items())[:20]):
28
  print(f'idx {idx}: count={len(cands)} sample={cands[:20]}')
29

30
# Resolve ambiguities with printable/flag heuristics
31
common = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_-")
32
for idx, cands in amb.items():
33
  printable = [b for b in cands if 32 <= b < 127]
34
  common_print = [b for b in printable if b in common]
35
  if len(common_print) == 1:
36
    sol[idx] = common_print[0]
37
  elif len(printable) == 1:
38
    sol[idx] = printable[0]
39
  elif common_print:
40
    sol[idx] = common_print[0]
41
  elif printable:
42
    sol[idx] = printable[0]
43
  else:
44
    sol[idx] = cands[0]
45

46
out = bytes(sol)
47
text = out.decode('latin1', errors='replace')
48
print('candidate_text=', text)
49
print('candidate_hex =', out.hex())
50
m = re.search(r"VBD\{[^\}]*\}", text)
51
print('flag_match    =', m.group(0) if m else None)
52
end
53
quit