crackmes Medium

Wallpaper

reversing puzzle brute-force

Challenge text

I used to have a nice wallpaper a long time ago, but I just can’t remember it Several solutions are possible, but not many. Try them all to find the flag!

Binary: wallpaper (64-bit ELF, static, stripped)

First Look

Quick recon:

1
2
3

file wallpaper
strings -n 4 wallpaper
objdump -d wallpaper

Useful strings:

  • enter password
  • good job, validate with CMO{your_input}
  • wrong password

So the binary expects an input string and the flag format is directly CMO{<valid_input>}.

Input Constraints from Reversing

From disassembly:

  1. It reads exactly 0x26 bytes (38 bytes) into a buffer.
  2. Every byte is checked with a bit-test mask 0x000f000000000400.
  3. Allowed byte values are only:
    • 0x0a (newline)
    • 0x30 ('0')
    • 0x31 ('1')
    • 0x32 ('2')
    • 0x33 ('3')

So the password must be 37 chars from 0..3, then newline.

Core Logic = 4x4 Sliding Puzzle

The main state is a 64-bit value:

  • Start state: 0xb6fd071e9c8a3425
  • Goal state (after final XOR simplification): 0xfedcba9876543210

Interpretation: 16 nibbles = a 4x4 board, with 0 as blank.

Each input char controls the blank movement:

  • 0: up
  • 1: left
  • 2: down
  • 3: right

Invalid moves immediately fail (the bit-test table at 0x3bb97ffd7ffd6eec enforces legal directions depending on blank position).

So the challenge is:

  • Find length-37 move strings over {0,1,2,3}
  • Starting from 0xb6fd071e9c8a3425
  • Reach 0xfedcba9876543210

Solving Strategy

Use IDA* / DFS with Manhattan-distance heuristic for the 15-puzzle model:

  • Minimal solution depth is 37.
  • Enumerating depth-37 solutions gives exactly 4 valid inputs.

All valid inputs:

  1. 1001223210123010301233322110103321001
  2. 1001223211032100301233322110103321001
  3. 1012321012301033011233322110103321001
  4. 1012321103210033011233322110103321001

Each one prints good job.

Final Flags

  • CMO{1001223210123010301233322110103321001}
  • CMO{1001223211032100301233322110103321001}
  • CMO{1012321012301033011233322110103321001}
  • CMO{1012321103210033011233322110103321001}

Verification

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

import subprocess

sol = [
    "1001223210123010301233322110103321001",
    "1001223211032100301233322110103321001",
    "1012321012301033011233322110103321001",
    "1012321103210033011233322110103321001",
]

for s in sol:
    p = subprocess.run(["./wallpaper"], input=(s + "\n").encode(), stdout=subprocess.PIPE)
    print(s, b"good job" in p.stdout)