ezimmermann on 1:13 PM 08/02/2022: Loving the static analysis and think I might have a flag, but it requires GLIBC_2_34 (experimental) on your system to run. Is that part of the challenge? Working on it...
S01den on 10:17 PM 08/02/2022: Nope, no tricks with libraries!
ezimmermann on 9:39 PM 08/06/2022: The flag that solves the crackme is any solution to the 2x2 rubik's cube listed in the executable. I submitted a well-thought-out explanation of this, including half a dozen examples of acceptable flags that got the "g00d flag" reply from the program, but these were rejected as "incorrect" by sar, so I have no idea what the flag is then... That also means that by definition, this comment is not a spoiler, since apparently I haven't solved it according to sar. You can look up the paper I posted on discord if you're struggling with this and want some insight and think you might come up with a more acceptable flag.
ezimmermann on 1:24 PM 08/07/2022: The flag I found was "URRfRUfu" which is accepted by the program, but was rejected by sar. Since I came up with what the website owner believes is an incorrect flag, then revealing it is, by definition, not a spoiler. Anyway, for anyone interested in how this crackme works, full explanation follows:
S01den's cube
https://crackmes.one/crackme/62d08a7a33c5d44a934e97bb
Full Solution by Everleigh Zimmermann
2 August 2022
The Flag for this crackme is a solution to a 2x2 Rubik's cube, written in semi-standard Rubik's
notation.
I really enjoyed this crackme, because I love Rubik's cubes, and have played with the 2x2 cube.
If you have done any cubing, you think more in terms of pieces rather than stickers, where a piece
contains 1-3 stickers. Corner pieces have the most, with 3 stickers each, and a 2x2 cube has nothing
but corners, which means it has a very high sticker-per-piece ratio of 3:1.
Therefore, if you reverse the software, you'll find that the rotation code is written to deal with
stickers rather than pieces, and that's why it's so long and tricky. When a side is rotated, it moves all
of the stickers to their proper new places. The cube handling code appears to be correct, if not a bit
wordy, preferring to do everything long form... i.e. "for a Front turn, move sticker A to B, move sticker
C to D, etc."
The flag itself is the solution to a particular scrambled 2x2 cube using almost standard notation.
Except, instead of using tick marks to signify anti-clockwise, you just lowercase
the letter instead.
So three turns clockwise: URU
Three turns anti-clockwise: uru
The 2x2 cube to solve can be found in cleartext at file offset 0x00003048, and consists of 24 bytes:
00003040:                         6f 6f 62 76 62 62 6a 42          oobvbbjB
00003050: 72 6f 72 76 6a 42 76 72 6a 42 72 76 6a 42 6f 62  rorvjBvrjBrvjBob
I created the following structure from the bytes (Address remapping done by Binary Ninja)
00004048 struct cube cube =
00004048 {
00004048     struct side up =
00004048     {
00004048         char top_left = 'o'
00004049         char top_right = 'o'
0000404a         char bottom_left = 'b'
0000404b         char bottom_right = 'v'
0000404c     }
0000404c     struct side back =
0000404c     {
0000404c         char top_left = 'b'
0000404d         char top_right = 'b'
0000404e         char bottom_left = 'j'
0000404f         char bottom_right = 'B'
00004050     }
00004050     struct side front =
00004050     {
00004050         char top_left = 'r'
00004051         char top_right = 'o'
00004052         char bottom_left = 'r'
00004053         char bottom_right = 'v'
00004054     }
00004054     struct side down =
00004054     {
00004054         char top_left = 'j'
00004055         char top_right = 'B'
00004056         char bottom_left = 'v'
00004057         char bottom_right = 'r'
00004058     }
00004058     struct side left =
00004058     {
00004058         char top_left = 'j'
00004059         char top_right = 'B'
0000405a         char bottom_left = 'r'
0000405b         char bottom_right = 'v'
0000405c     }
0000405c     struct side right =
0000405c     {
0000405c         char top_left = 'j'
0000405d         char top_right = 'B'
0000405e         char bottom_left = 'o'
0000405f         char bottom_right = 'b'
00004060     }
00004060 }
As you can see, there are 6 unique letters used, and each letter is used 4 times. Since a 2x2
cube has 6 faces of 4 stickers per face, this makes sense.
You can assign any color you like to each side, I chose the following:
r = Red
j = Green
B = Blank (White)
v = Yellow
o = Orange
b = Blue
So just fire up your favorite 2x2 Rubik's cube solver, and enter the cube. For example:
https://rubiks-cube-solver.com/2x2/
Click "Edit", then click the 4 red squares, then the 4 green ones, and so on. You'll end up
with something that looks like this:
        o-o
        b-v
j-B     r-o     j-B     b-b
r-v     r-v     o-b     j-B
        j-B
        v-r
Then click Solve, and you get:
U R2 F' R U F' U'
R2 means "turn R twice" so we turn that into 2 upper OR lowercase R's (doesn't matter which)
We also don't support ticks, so those become lowercase letters
So we end up with:
URRfRUfu
Which is one of many possible "flags":
user@user-pc:~/Downloads$ ./cm_rb_easy URRfRUfu
[*] G00d flag!
user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfu
[*] G00d flag!
Any letters that are not in the set [BDFLRUbdflru] are ignored and can be used for stylizing your flag.
user@user-pc:~/Downloads$ ./cm_rb_easy "Using other chars is fine AREN'T YOU having fun?"
[*] G00d flag!
Any valid solution is a valid flag... so we can tack on some moves at the end that undo themselves
using their lowercase versions.
user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuFFff
[*] G00d flag!
And of course turning a side 4 times has no effect, so 4 letters in a row can be added anywhere.
user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuFFFF
[*] G00d flag!
Flags can even be very long....
user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
[*] G00d flag!
Up to 100 characters. Then you get told to stop by the author...
user@user-pc:~/Downloads$ ./cm_rb_easy UrrfRUfuLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL
[!] The flag is too long...
- Everleigh
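The following Python model is an added example and is not part of the write-up above or of the crackme's own code. It reimplements the checker as the write-up describes it: the 24 stickers at file offset 0x3048 in the up/back/front/down/left/right struct order, each face read as top_left, top_right, bottom_left, bottom_right on the solver's net, an uppercase letter as a clockwise quarter turn, a lowercase letter as an anti-clockwise one, every other character ignored, and a length limit of 100. The sticker cycle tables are derived by hand for the standard net orientation (U above F, then L F R B in a row, D below F), which is the layout the solver uses; that the 100-character limit is inclusive and is checked on the raw input before filtering are assumptions, as is the exact wording of anything other than the "G00d flag" outcome. With these tables the solver's U R2 F' R U F' U' (URRfRUfu) leaves every face uniform.

```python
"""Added example: sticker-level 2x2 cube model of the S01den's cube flag check."""
import sys
from typing import Dict, List, Tuple

Face = List[str]
Cube = Dict[str, Face]
Pos = Tuple[str, int]

MAX_FLAG_LEN = 100            # assumption: exactly 100 characters still accepted
MOVE_LETTERS = set("BDFLRU")  # the write-up's accepted set [BDFLRUbdflru]

# The 24 bytes at file offset 0x3048, in the struct order up, back, front,
# down, left, right. Each face is [top_left, top_right, bottom_left,
# bottom_right] as seen on the solver's net.
SCRAMBLE: Cube = {
    "U": list("oobv"),
    "B": list("bbjB"),
    "F": list("rorv"),
    "D": list("jBvr"),
    "L": list("jBrv"),
    "R": list("jBob"),
}


def _face_cycle(face: str) -> List[Pos]:
    # Clockwise quarter turn of the face itself: TL -> TR -> BR -> BL -> TL.
    return [(face, 0), (face, 1), (face, 3), (face, 2)]


# Sticker cycles for one clockwise quarter turn viewed from the turning face.
# In each list the sticker at entry i moves to entry i+1 (wrapping around).
# These tables are the "move sticker A to B, C to D" long form the write-up
# found in the binary, worked out by hand for the standard net (assumption).
CYCLES: Dict[str, List[List[Pos]]] = {
    "U": [_face_cycle("U"),
          [("F", 0), ("L", 0), ("B", 0), ("R", 0)],
          [("F", 1), ("L", 1), ("B", 1), ("R", 1)]],
    "D": [_face_cycle("D"),
          [("F", 2), ("R", 2), ("B", 2), ("L", 2)],
          [("F", 3), ("R", 3), ("B", 3), ("L", 3)]],
    "R": [_face_cycle("R"),
          [("F", 1), ("U", 1), ("B", 2), ("D", 1)],
          [("F", 3), ("U", 3), ("B", 0), ("D", 3)]],
    "L": [_face_cycle("L"),
          [("U", 0), ("F", 0), ("D", 0), ("B", 3)],
          [("U", 2), ("F", 2), ("D", 2), ("B", 1)]],
    "F": [_face_cycle("F"),
          [("U", 2), ("R", 0), ("D", 1), ("L", 3)],
          [("U", 3), ("R", 2), ("D", 0), ("L", 1)]],
    "B": [_face_cycle("B"),
          [("U", 1), ("L", 0), ("D", 2), ("R", 3)],
          [("U", 0), ("L", 2), ("D", 3), ("R", 1)]],
}


def turn(cube: Cube, face: str, clockwise: bool = True) -> Cube:
    """Return a new cube with one quarter turn of `face` applied."""
    new = {name: stickers[:] for name, stickers in cube.items()}
    for cycle in CYCLES[face]:
        # Walking the cycle backwards is the anti-clockwise turn.
        order = cycle if clockwise else cycle[::-1]
        for i, (src_face, src_idx) in enumerate(order):
            dst_face, dst_idx = order[(i + 1) % len(order)]
            new[dst_face][dst_idx] = cube[src_face][src_idx]
    return new


def is_solved(cube: Cube) -> bool:
    """Solved means every face shows a single letter."""
    return all(len(set(stickers)) == 1 for stickers in cube.values())


def parse_moves(flag: str) -> List[str]:
    """Keep only the move letters; everything else is decoration."""
    return [c for c in flag if c.upper() in MOVE_LETTERS]


def apply_flag(flag: str, start: Cube = SCRAMBLE) -> Cube:
    """Apply the flag's moves to `start`; uppercase = clockwise, lowercase = anti-clockwise."""
    cube = start
    for c in parse_moves(flag):
        cube = turn(cube, c.upper(), clockwise=c.isupper())
    return cube


def check_flag(flag: str) -> str:
    """Mirror the binary's three outcomes: 'too long', 'good' or 'bad'."""
    if len(flag) > MAX_FLAG_LEN:      # assumption: raw length checked before filtering
        return "too long"
    return "good" if is_solved(apply_flag(flag)) else "bad"


if __name__ == "__main__":
    candidate = sys.argv[1] if len(sys.argv) > 1 else "URRfRUfu"
    print(f"{candidate!r}: {check_flag(candidate)}")
```

Run it with any of the write-up's flags as the first argument; the move tables are the only part that needs care, and the identity check that four identical turns restore the scramble is a quick way to catch a mistyped cycle.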
ezimmermann on 1:27 PM 08/07/2022: The previous comment had all of its indentation lost and whitespace gaps reduced to single spaces. Keep that in mind when reading it. You can find a .zip containing the original with indentation intact by searching my name on the Discord server.
50r4 on 11:00 AM 01/18/2023: WRITE-UP: https://s00ra.github.io/crackmes/2.html