index

Introduction

Yet another random small(ish) ctf that I played. This one also had a lot of fun osint that we blooded(?)/did pretty well on. But I forgot to write about it. Just remember @tien rambling about Molly.

Rev/Constant Folding

I just finished writing my very own super secret encryption program. I’m so confident in its security that I’ll give you the binary and the output of my program! Bet you can’t figure out the secret I gave it >:)

Output of the program: bypkrpihayqo

Note: put the input to the program inside sdctf before submitting

We were given a program script and asked to find an input string such that:

1
encrypt(input) == "bypkrpihayqo"

1
int __fastcall main(int argc, const char ** argv, const char ** envp) {
2
    void * v3; // rsp
3
    void * v4; // rsp
4
    void * v5; // rsp
5
    void * v6; // rsp
6
    void * v7; // rsp
7
    char v10[8]; // [rsp+0h] [rbp-70h] BYREF
8
    __int64 v11; // [rsp+8h] [rbp-68h]
9
    char * s; // [rsp+10h] [rbp-60h]
10
    __int64 v13; // [rsp+18h] [rbp-58h]
11
    char * src; // [rsp+20h] [rbp-50h]
12
    __int64 v15; // [rsp+28h] [rbp-48h]
13
    char * dest; // [rsp+30h] [rbp-40h]
14
    __int64 v17; // [rsp+38h] [rbp-38h]
15
    char * v18; // [rsp+40h] [rbp-30h]
16
    __int64 v19; // [rsp+48h] [rbp-28h]
17
    char * v20; // [rsp+50h] [rbp-20h]
18
    unsigned __int64 v21; // [rsp+58h] [rbp-18h]
19

20
    v21 = __readfsqword(0x28 u);
21
    v11 = 12;
22
    v3 = alloca(16);
23
    s = v10;
24
    printf("Enter your secret: ");
25
    fgets(s, 13, _bss_start);
26
    v13 = 84;
27
    v4 = alloca(96);
28
    src = v10;
29
    gen_padding(v10, 13, 4);
30
    v15 = 96;
31
    v5 = alloca(112);
32
    dest = v10;
33
    strcpy(v10, s);
34
    strcat(dest, src);
35
    v17 = 96;
36
    v6 = alloca(112);
37
    v18 = v10;
38
    shuffle(dest, v10);
39
    v19 = 12;
40
    v7 = alloca(16);
41
    v20 = v10;
42
    fold(v18, v10);
43
    printf("Your processed secret: %s\n", v20);
44
    return v21 - __readfsqword(0x28 u);
45
}
46
unsigned __int64 __fastcall gen_padding(__int64 a1) {
47
    int i; // [rsp+1Ch] [rbp-24h]
48
    int j; // [rsp+20h] [rbp-20h]
49
    char v4[13]; // [rsp+2Bh] [rbp-15h] BYREF
50
    unsigned __int64 v5; // [rsp+38h] [rbp-8h]
51

52
    v5 = __readfsqword(0x28 u);
53
    strcpy(v4, "jvucsiwfaebq");
54
    for (i = 0; i <= 6; ++i) {
55
        for (j = 0; j < 12; ++j)
56
            *
57
            (_BYTE * )(a1 + 12 * i + j) = (i + 3) * j * (v4[j] - 97) % 26 + 97;
58
    }
59
    return v5 - __readfsqword(0x28 u);
60
}
61

62
__int64 __fastcall shuffle(__int64 a1, __int64 a2) {
63
    __int64 result; // rax
64
    int i; // [rsp+18h] [rbp-8h]
65

66
    for (i = 0; i < 96; ++i)
67
        *
68
        (_BYTE * )(i + a2) = * (_BYTE * )(17 * i % 96 + a1);
69
    result = a2 + 96;
70
    *(_BYTE * )(a2 + 96) = 0;
71
    return result;
72
}
73

74
unsigned __int64 __fastcall fold(char * a1, __int64 a2) {
75
    void * v2; // rsp
76
    void * v3; // rsp
77
    void * v4; // rsp
78
    void * v5; // rsp
79
    void * v6; // rsp
80
    void * v7; // rsp
81
    void * v8; // rsp
82
    void * v9; // rsp
83
    __int64 v11; // [rsp+0h] [rbp-C0h] BYREF
84
    char * src; // [rsp+8h] [rbp-B8h]
85
    int i; // [rsp+10h] [rbp-B0h]
86
    int j; // [rsp+14h] [rbp-ACh]
87
    int k; // [rsp+18h] [rbp-A8h]
88
    int v16; // [rsp+1Ch] [rbp-A4h]
89
    int v17; // [rsp+20h] [rbp-A0h]
90
    int v18; // [rsp+24h] [rbp-9Ch]
91
    __int64 v19; // [rsp+28h] [rbp-98h]
92
    char * dest; // [rsp+30h] [rbp-90h]
93
    __int64 v21; // [rsp+38h] [rbp-88h]
94
    char * v22; // [rsp+40h] [rbp-80h]
95
    __int64 v23; // [rsp+48h] [rbp-78h]
96
    char * v24; // [rsp+50h] [rbp-70h]
97
    __int64 v25; // [rsp+58h] [rbp-68h]
98
    char * v26; // [rsp+60h] [rbp-60h]
99
    __int64 v27; // [rsp+68h] [rbp-58h]
100
    char * v28; // [rsp+70h] [rbp-50h]
101
    __int64 v29; // [rsp+78h] [rbp-48h]
102
    char * v30; // [rsp+80h] [rbp-40h]
103
    __int64 v31; // [rsp+88h] [rbp-38h]
104
    char * v32; // [rsp+90h] [rbp-30h]
105
    __int64 v33; // [rsp+98h] [rbp-28h]
106
    char * v34; // [rsp+A0h] [rbp-20h]
107
    unsigned __int64 v35; // [rsp+A8h] [rbp-18h]
108

109
    src = a1;
110
    v11 = a2;
111
    v35 = __readfsqword(0x28 u);
112
    v16 = 48;
113
    v17 = 24;
114
    v18 = 12;
115
    v19 = 47;
116
    v2 = alloca(48);
117
    dest = (char * ) & v11;
118
    v21 = 47;
119
    v3 = alloca(48);
120
    v22 = (char * ) & v11;
121
    v23 = 47;
122
    v4 = alloca(48);
123
    v24 = (char * ) & v11;
124
    strncpy((char * ) & v11, a1, 0x30 u);
125
    strncpy(v22, & src[v16], v16);
126
    for (i = 0; i < v16; ++i)
127
        v24[i] = (dest[i] - 97 + v22[i] - 97) % 26 + 97;
128
    v25 = v17 - 1 LL;
129
    v5 = alloca(16 * ((v17 + 15 LL) / 0x10 uLL));
130
    v26 = (char * ) & v11;
131
    v27 = v25;
132
    v6 = alloca(16 * ((v17 + 15 LL) / 0x10 uLL));
133
    v28 = (char * ) & v11;
134
    v29 = v25;
135
    v7 = alloca(16 * ((v17 + 15 LL) / 0x10 uLL));
136
    v30 = (char * ) & v11;
137
    strncpy((char * ) & v11, v24, v17);
138
    strncpy(v28, & v24[v17], v17);
139
    for (j = 0; j < v17; ++j)
140
        v30[j] = (v26[j] - 97 + v28[j] - 97) % 26 + 97;
141
    v31 = v18 - 1 LL;
142
    v8 = alloca(16 * ((v18 + 15 LL) / 0x10 uLL));
143
    v32 = (char * ) & v11;
144
    v33 = v31;
145
    v9 = alloca(16 * ((v18 + 15 LL) / 0x10 uLL));
146
    v34 = (char * ) & v11;
147
    strncpy((char * ) & v11, v30, v18);
148
    strncpy(v34, & v30[v18], v18);
149
    for (k = 0; k < v18; ++k)
150
        *
151
        (_BYTE * )(k + v11) = (v32[k] - 97 + v34[k] - 97) % 26 + 97;
152
    *(_BYTE * )(v18 + v11) = 0;
153
    return v35 - __readfsqword(0x28 u);
154
}

The binary contains a few key functions:

generate_padding(): produces a fixed 84-character padding string from a hardcoded source “jvucsiwfaebq”.
shuffle(buffer): reorders a 96-character buffer based on some indices, call that SHUFFLE_INDICES.
fold(buffer): compresses the buffer from 96 → 48 → 24 → 12 characters using mod-26 character addition.
main(input): applies padding, shuffle, then fold to return a final 12-character string.

It’s trivial to attempt a brute force. But, the brute-force method is clearly inefficient, so we analyze and reverse the operations.

Understanding Shuffle

SHUFFLE_INDICES[i] = (i * 17) % 96 for i in 0..95

Since 17 is coprime to 96, the mapping is bijective and thus reversible. To invert:

1
reverse_shuffle[i] = j # where SHUFFLE_INDICES[j] = i
2
# that is:
3
reverse_shuffle[SHUFFLE_INDICES[i]] = i

More compactly, since 17 * 17 ≡ 1 mod 96, the modular inverse of 17 mod 96 is 17. So to reverse:

1
original[j] = shuffled[(j * 17) % 96]

This lets us reconstruct the original input+padding buffer from a shuffled one.

Folding is a 3-step reduction:

Fold 96 → 48: folded[i] = (ord(S[i]) + ord(S[i+48]) - 194) % 26 + 97
Fold 48 → 24: same pattern on result
Fold 24 → 12: same again to produce final string

Each final output character is a linear combination of 8 shuffled characters:

1
fold3[m] = (S[m] + S[m+12] + S[m+24] + S[m+36] + S[m+48] + S[m+60] + S[m+72] + S[m+84]) % 26

Each S[i] maps to either:

An input character (if SHUFFLE_INDICES[i] < 12), or
A known padding character (SHUFFLE_INDICES[i] ≥ 12 → padding[SHUFFLE_INDICES[i] - 12])

This allows us to express each fold3[i] (i.e., target character) as a linear sum of one unknown and 7 knowns.

For each i in 0..11 (target character):
- Identify the 8 contributing positions in the shuffled buffer: i, i+12, …, i+84
- For each, map SHUFFLE_INDICES[pos]
- If SHUFFLE_INDICES[pos] < 12 → input[SHUFFLE_INDICES[pos]] is unknown
- Otherwise → add padding value to sum
Each target character gives a direct equation: x_k = (target_val - sum_of_padding_contributions) % 26
Construct input string from x_0 .. x_11

1
import string
2

3
# Precomputed padding generation
4
def generate_padding():
5
    src = "jvucsiwfaebq"
6
    padding = []
7
    for i in range(7):  # 0-6 inclusive (7 rows)
8
        for j in range(12):
9
            c = ord(src[j]) - ord('a')
10
            val = (c * j * (i + 3)) % 26
11
            padding.append(chr(val + ord('a')))
12
    return ''.join(padding)
13

14
PADDING = generate_padding()
15
SHUFFLE_INDICES = [(i * 17) % 96 for i in range(96)]
16

17
def compute_input_vars(target):
18
    input_chars = [None] * 12
19
    target_nums = [ord(c) - ord('a') for c in target]
20

21
    for m in range(12):
22
        sum_padding = 0
23
        input_idx = None
24
        for k in range(8):
25
            i = m + 12 * k
26
            buffer_idx = SHUFFLE_INDICES[i]
27
            if buffer_idx < 12:
28
                input_idx = buffer_idx
29
            else:
30
                pad_val = ord(PADDING[buffer_idx - 12]) - ord('a')
31
                sum_padding += pad_val
32
        if input_idx is None:
33
            raise Exception("No input variable found")
34
        input_val = (target_nums[m] - sum_padding) % 26
35
        input_chars[input_idx] = chr(input_val + ord('a'))
36

37
    return ''.join(input_chars)
38

39
TARGET = "bypkrpihayqo"
40
secret = compute_input_vars(TARGET)
41
print("Secret:", secret)

Running the above returns the 12-character secret input that produces the encrypted target “brassicarulz”.

it’s sure a hell of a lot faster than the probably 500 years needed to brute-force LMAO

No brute-force required; we reverse-engineered the constant-folded structure mathematically.

flag is: sdctf{brassicarulz}.

Instead of blindly brute-forcing, we recognize structure in the transformations (especially the fold’s linear nature and the shuffle’s bijective mapping), and turn the encryption into a solvable system of modular equations.

Simple linear algebra over Z/26Z beats brute force.

SDCTF 2025

Introduction

Rev/Constant Folding

Understanding Shuffle