karabatik on 2026-02-09 21:22:
The binary loads gadget.hex into RWX memory via VirtualAlloc and calls primitive functions inside it by offset, so gadget.hex is basically a flat instruction-set library containing add, sub, mul, mod, and, or, xor, shl, shr, strlen, strcmp and similar operations. main first validates the gadget with a smoke test, calling the add function at offset 0x40c with 10+20=30, then processes the flag input through a 3-stage pipeline on a separate thread. The first stage is a standard RFC 4648 base64 encode; the second stage is a cyclic XOR using a 2-byte key at 0x14000a101, which is 0x98 0xdf; the third stage is a lowercase hex encode. The result gets compared against a hardcoded hex string in .rdata, fdb6ece8caefdeb4c2a5d6efc0efd6b7ccb3a19cfc8bdeacc299a1b2fc8bdda7c0ecdaa6d59afca6c98aa9e6, using the gadget's own strcmp implementation. To solve, just reverse the chain: hex decode, then XOR, then base64 decode. Flag is z+{GAdg3t_CaN_Bu1ld_fu11_pr0GrAM}
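Added solve script for the chain described in the post above (my own example, not code from karabatik's post or from the challenge binary). The 2-byte key and the .rdata hex string are copied from the post; the function names are mine. It re-implements the forward pipeline so the recovered flag can be checked against the blob, and the key-recovery part at the end goes beyond the post: it shows the 2-byte key can be recovered from the blob alone, without reading 0x14000a101, because every stage-1 byte must land in the base64 alphabet.

```python
import base64
import binascii
import string
from itertools import cycle, product

# Values taken from the writeup: XOR key read from the binary's data section
# and the hardcoded comparison string from .rdata.
XOR_KEY = bytes([0x98, 0xDF])
TARGET_HEX = (
    "fdb6ece8caefdeb4c2a5d6efc0efd6b7ccb3a19cfc8bdeacc299a1b2"
    "fc8bdda7c0ecdaa6d59afca6c98aa9e6"
)

B64_ALPHABET = set((string.ascii_letters + string.digits + "+/=").encode())


def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """Cyclic XOR with a repeating key; it is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def forward_pipeline(flag: str, key: bytes = XOR_KEY) -> str:
    """Re-implementation of the binary's check: base64 -> cyclic XOR -> lowercase hex."""
    stage1 = base64.b64encode(flag.encode())      # RFC 4648 standard alphabet
    stage2 = xor_cyclic(stage1, key)
    return stage2.hex()                           # bytes.hex() is lowercase


def solve(target_hex: str, key: bytes = XOR_KEY) -> str:
    """Invert the chain: hex decode -> cyclic XOR -> base64 decode.

    validate=True makes b64decode reject any byte outside the base64 alphabet,
    so a wrong key fails loudly (binascii.Error) instead of producing garbage.
    """
    stage2 = bytes.fromhex(target_hex)
    stage1 = xor_cyclic(stage2, key)
    return base64.b64decode(stage1, validate=True).decode()


def recover_key_candidates(target_hex: str) -> list[bytes]:
    """Recover the 2-byte key from the blob alone (goes beyond the post).

    Even positions are XORed with key[0] and odd positions with key[1], so each
    key byte can be brute-forced independently: keep only values that map every
    byte at that parity into the base64 alphabet. Returns all surviving pairs.
    """
    blob = bytes.fromhex(target_hex)
    per_byte = []
    for parity in (0, 1):
        lane = blob[parity::2]
        per_byte.append(
            [k for k in range(256) if all((b ^ k) in B64_ALPHABET for b in lane)]
        )
    candidates = []
    for k0, k1 in product(per_byte[0], per_byte[1]):
        key = bytes([k0, k1])
        try:
            solve(target_hex, key)                # must also be valid base64 overall
        except (binascii.Error, UnicodeDecodeError):
            continue
        candidates.append(key)
    return candidates


if __name__ == "__main__":
    flag = solve(TARGET_HEX)
    print("flag:", flag)
    print("round-trip ok:", forward_pipeline(flag) == TARGET_HEX)
    print("keys recoverable from blob alone:", [k.hex() for k in recover_key_candidates(TARGET_HEX)])
```

Running it prints the flag from the post and confirms that re-running the forward pipeline on it reproduces the .rdata blob byte for byte, which is the check worth doing before submitting; the candidate list shows whether the base64 constraint alone pins the key down for this blob.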