Dec 18, 2024

Shattered Tablet

Khardur

Hack-The-Box2024writeup

566 Words ||2 Minutes, 34 Seconds

2024-12-18 00:00 +0000

Info

Objective

Deep in an ancient tomb, you’ve discovered a stone tablet with secret information on the locations of other relics. However, while dodging a poison dart, it slipped from your hands and shattered into hundreds of pieces. Can you reassemble it and read the clues?

Workflow

Opening the file in IDA shows me an elf binary that shows a prompt when openend, stating “Hmmmm… I think the tables says: " Looking at ida; there is a whole list of characters that are pushed to the stack and a simple jump after that; Script to build the damn thing:

def get_hibyte(value):
    return (value >> 8) & 0xFF

def decode_data():
    # Initialize the `s` string as a list of None to hold the decoded characters
    s = [None] * 8

    # Initialize variables v5, v6, v7, v8 to 64-bit values (as bytes are referenced)
    v5 = [0] * 8
    v6 = [0] * 8
    v7 = [0] * 8
    v8 = [0] * 8

    # Set constraints based on the if conditions
    s[0] = chr(72)      # H
    s[1] = chr(84)      # T
    s[2] = chr(66)      # B
    s[3] = chr(123)     # {
    s[4] = chr(98)      # b
    s[5] = chr(114)     # r
    s[6] = chr(48)      # 0
    s[7] = chr(107)     # k

    v5[0] = chr(51)          # (_BYTE)v5
    v5[1] = chr(110)         # BYTE1(v5)
    v5[2] = chr(95)          # BYTE2(v5)
    v5[3] = chr(52)          # BYTE3(v5)
    v5[4] = chr(112)         # BYTE4(v5)
    v5[5] = chr(52)          # BYTE5(v5)
    v5[6] = chr(0x6E)           # BYTE6(v5) (not specified in the conditions)
    v5[7] = chr(0x74)         # HIWORD(v5) == chr(29810 (from 0x746E)

    v6[0] = chr(46)          # (_BYTE)v6
    v6[1] = chr(46)          # BYTE1(v6)
    v6[2] = chr(46)          # BYTE2(v6)
    v6[3] = chr(110)         # BYTE3(v6)
    v6[4] = chr(51)          # BYTE4(v6)
    v6[5] = chr(118)         # BYTE5(v6)
    v6[6] = chr(101)         # BYTE6(v6)
    v6[7] = chr(114)         # HIBYTE(v6)

    v7[0] = chr(95)          # (_BYTE)v7
    v7[1] = chr(116)         # BYTE1(v7)
    v7[2] = chr(48)          # BYTE2(v7)
    v7[3] = chr(95)          # BYTE3(v7)
    v7[4] = chr(98)          # BYTE4(v7)
    v7[5] = chr(51)          # BYTE5(v7)
    v7[6] = chr(95)          # BYTE6(v7)
    v7[7] = chr(114)         # HIBYTE(v7)

    v8[0] = chr(51)          # (_BYTE)v8
    v8[1] = chr(112)         # BYTE1(v8)
    v8[2] = chr(52)          # BYTE2(v8)
    v8[3] = chr(49)          # BYTE3(v8)
    v8[4] = chr(114)         # BYTE4(v8)
    v8[5] = chr(51)          # BYTE5(v8)
    v8[6] = chr(0)           # BYTE6(v8) (not specified in the conditions)
    v8[7] = chr(0x7D)         # HIWORD(v8) == chr(32100 (from 0x7D7C)

    # Decode the string `s`
    decoded_string = "".join(s)
    decoded_string2 = "".join(v5)
    decoded_string3 = "".join(v6)
    decoded_string4 = "".join(v7)
    decoded_string5 = "".join(v8)
    
    return decoded_string,decoded_string2,decoded_string3,decoded_string4,decoded_string5

if __name__ == "__main__":
    decoded,decoded2,decoded3,decoded4,decoded5 = decode_data()
    print(f"Decoded string: {decoded}{decoded2}{decoded3}{decoded4}{decoded5}")

still has a couple of mistakes;

fix later;

a single imput gives immediate false message; 0 - H

1 - T

2 - B

3 - {

4 - b

5 - r

6 - 0

7 - k

8 - n

9 - __

10- 4

11 - p

12 - 4

13 - r

14 - t

15 - .

16 - .

17 - .

18 - n

19 - 3

20 - v

21 - 3

22 - r

23 - __

24 - t

25 - 0

26 - __

27 - b

28 - 3

29 - __

30 - r

31 - 3

32 - p

33 - 4

34 - 1

35 - r

36 - 3

37 - d

38 - }

HTB{br0k3n_4p4rt...n3ver_t0_b3_r3p41r3d}

See Also