Challenge text
I used to have a nice wallpaper a long time ago, but I just can’t remember it. Several solutions are possible, but not many. Try them all to find the flag!
Binary: wallpaper (64-bit ELF, static, stripped)
First Look
Quick recon:
Useful strings:
- enter password
- good job, validate with CMO{your_input}
- wrong password
So the binary expects an input string and the flag format is directly CMO{<valid_input>}.
Input Constraints from Reversing
From disassembly:
- It reads exactly 0x26 bytes (38 bytes) into a buffer.
- Every byte is checked with a bit-test mask 0x000f000000000400.
- Allowed byte values are only:
  - 0x0a (newline)
  - 0x30 ('0')
  - 0x31 ('1')
  - 0x32 ('2')
  - 0x33 ('3')
So the password must be 37 chars from 0..3, then newline.
Core Logic = 4x4 Sliding Puzzle
The main state is a 64-bit value:
- Start state: 0xb6fd071e9c8a3425
- Goal state (after final XOR simplification): 0xfedcba9876543210
Interpretation: 16 nibbles = a 4x4 board, with 0 as blank.
Each input char controls the blank movement:
- 0: up
- 1: left
- 2: down
- 3: right
Invalid moves immediately fail (the bit-test table at 0x3bb97ffd7ffd6eec enforces legal directions depending on blank position).
So the challenge is:
- Find length-37 move strings over {0,1,2,3}
- Starting from 0xb6fd071e9c8a3425
- Reach 0xfedcba9876543210
Solving Strategy
Use IDA* / DFS with Manhattan-distance heuristic for the 15-puzzle model:
- Minimal solution depth is 37.
- Enumerating depth-37 solutions gives exactly 4 valid inputs.
All valid inputs:
- 1001223210123010301233322110103321001
- 1001223211032100301233322110103321001
- 1012321012301033011233322110103321001
- 1012321103210033011233322110103321001
Each one prints good job.
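The board model and bounded search described above, as an added example (not the author's solver): check() replays a move string against the nibble-packed board, and solutions() enumerates every legal length-37 string that reaches the goal. The three constants come from the write-up; the nibble order (cell i is nibble i, least significant first), the bit layout of the legality table (bit 4*pos + direction) and all function names are assumptions.

```python
START = 0xb6fd071e9c8a3425  # start state, from the write-up
GOAL = 0xfedcba9876543210   # goal state, from the write-up
LEGAL = 0x3bb97ffd7ffd6eec  # legal-direction table, from the write-up
DELTA = (-4, -1, 4, 1)      # '0' up, '1' left, '2' down, '3' right

def unpack(state):
    # Assumed layout: cell i (row i >> 2, column i & 3) is nibble i, LSB first.
    return [(state >> (4 * i)) & 0xF for i in range(16)]

def legal(pos, d):
    # Assumed layout: bit 4 * pos + d is set when direction d is allowed at pos.
    return (LEGAL >> (4 * pos + d)) & 1

def dist(cell, tile):
    # Manhattan distance from cell to the tile's home (tile t sits in cell t in GOAL).
    return abs((cell >> 2) - (tile >> 2)) + abs((cell & 3) - (tile & 3))

def check(moves):
    """Replay moves from START: True if every move is legal and GOAL is reached."""
    board = unpack(START)
    pos = board.index(0)
    for d in map(int, moves):
        if not legal(pos, d):
            return False
        nxt = pos + DELTA[d]
        board[pos], board[nxt], pos = board[nxt], 0, nxt
    return board == unpack(GOAL)

def solutions(depth=37):
    """All strings of exactly `depth` moves reaching GOAL (DFS, pruned by g + h)."""
    board, goal, found, path = unpack(START), unpack(GOAL), [], []
    def dfs(pos, g, h):
        if g == depth:
            if board == goal:
                found.append("".join(path))
            return
        for d in (d for d in range(4) if legal(pos, d)):
            nxt = pos + DELTA[d]
            tile = board[nxt]
            h2 = h + dist(pos, tile) - dist(nxt, tile)
            if g + 1 + h2 <= depth:  # admissible bound: still reachable in time
                board[pos], board[nxt], path[g:] = tile, 0, [str(d)]
                dfs(nxt, g + 1, h2)
                board[pos], board[nxt] = 0, tile
    dfs(board.index(0), 0, sum(dist(i, t) for i, t in enumerate(board) if t))
    return found

if __name__ == "__main__":
    print(solutions())
```

Because the Manhattan heuristic never overestimates, pruning on g + h cannot discard a string that reaches the goal in exactly 37 moves.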
Final Flags
- CMO{1001223210123010301233322110103321001}
- CMO{1001223211032100301233322110103321001}
- CMO{1012321012301033011233322110103321001}
- CMO{1012321103210033011233322110103321001}
Verification