PicoCTF Reversing WebAssembly Part-2
Today's challenge is similar to yesterday's. A site uses WebAssembly to verify a key that we pass in. We have a JS file that calls the Wasm functions and the Wasm binary that holds the underlying logic.
This time the Wasm binary is better built: it does not leak the flag at all.
We need to reverse engineer the Wasm file to find out what is happening. Running strings on the binary suggests it is likely a C-based Wasm build.
Let's set up a Wasm decompiler to make more sense of it.
wasm-decompile qCCYI0ajpD.wasm -o qCCYI0ajpD.dcmp
This is the check_flag function, which holds the core logic. It calls strcmp to compare the string at memory location 1024 (likely the correct flag, stored in d_nAcdbf1a) with the string at memory location 1072 (likely where the user input ends up). It returns 1 if the strings match and 0 otherwise, so it checks whether the user-supplied input is the correct flag.
Memory location 1067 points to a smaller buffer, which the copy function below uses as its key.
There is also an interesting copy function:
Here is how it works. It takes a and b as inputs. If a is zero, it returns early. Otherwise it reads one byte (the key) from memory at 1067, XORs that byte with a, and stores the result at 1072.
The key byte is selected by the index 4 - (b % 5).
So if we write a simple Python function that does the same, we can decode the value at address 1024, which is likely the flag.
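The transform described above, written out in Python as an added example (this is not the write-up's own solve script). It assumes the key at 1067 is 5 bytes long, because the input buffer starts at 1072 and the index is taken mod 5, and that the buffer at 1024 is the flag already XORed with that key; the flag and key bytes are constructed, not the challenge's real memory contents.

```python
# Added example (not the write-up's own script): reproduce the copy()
# byte loop described above and use it to decode the buffer at 1024.
#
# Assumptions: the key at 1067 is 5 bytes (1072 - 1067 = 5, matching the
# "% 5" index), and the value stored at 1024 is the flag already XORed
# with that key. The flag and key bytes used here are constructed, not
# the challenge's real memory contents.

FLAG_OFFSET = 1024    # encoded flag (first argument to strcmp)
KEY_OFFSET = 1067     # 5-byte XOR key
INPUT_OFFSET = 1072   # where copy() stores the transformed input
KEY_LEN = INPUT_OFFSET - KEY_OFFSET  # 5


def key_index(b: int) -> int:
    """Index into the key buffer for input position b: 4 - (b % 5)."""
    return 4 - (b % KEY_LEN)


def xor_transform(data: bytes, key: bytes) -> bytes:
    """Apply the copy() loop: out[b] = data[b] ^ key[4 - (b % 5)].
    XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(c ^ key[key_index(b)] for b, c in enumerate(data))


def decode_flag_from_memory(mem: bytes) -> str:
    """Read the key at 1067 and the NUL-terminated buffer at 1024, undo the XOR."""
    key = mem[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
    end = mem.index(b"\x00", FLAG_OFFSET)
    return xor_transform(mem[FLAG_OFFSET:end], key).decode()


def build_sample_memory(flag: bytes, key: bytes) -> bytes:
    """Constructed linear-memory image laid out like the challenge's data section."""
    mem = bytearray(2048)
    encoded = xor_transform(flag, key)
    mem[FLAG_OFFSET:FLAG_OFFSET + len(encoded)] = encoded
    mem[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = key
    return bytes(mem)


if __name__ == "__main__":
    sample = build_sample_memory(b"picoCTF{constructed_example}", b"\x13\x37\x42\x99\x7f")
    print(decode_flag_from_memory(sample))
```

With the real binary, replace the constructed image with the bytes of the Wasm data segment so that offsets 1024 and 1067 line up with the decompiled code.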
Here is the script that solved it:
Hope this was useful to you. One more challenge left.
LiveAPI makes it easy to find, understand, and use APIs in big tech systems. It quickly creates clear documents for code that doesn't have any, saving you time.
You can try it right now! 🚀
Join the waitlist for LiveReview, which will be available soon for quicker AI code reviews.