| Dimension X |
you already know im on this |
2026-06-13 23:29 |
| High cortisol |
gg
>>> MBB <<<
[!] Enter The Key : xQ9_vP4_tK2_mZ8
DECRYPTED FLAG: FLAG{78hm4352rg425g08u,jk43f178yhn2376bfrt}
writeup incoming |
2026-06-11 07:58 |
| P4r4d0x of the P4l4nt1r |
you can test by running this in powershell:
$bytes = [byte[]](
0x50,0x41,0x4c,0x41,0x4e,0x54,0x49,0x52,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0xf0,0x20,0xff,0x0f,0x0a,
0xbf,0x2a,0xf2,0x68,0x7c,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x64,0xab,0x23,0xae,0x0a
)
[IO.File]::WriteAllBytes("keys.bin", $bytes)
cmd /c ".\p0tp.exe < keys.bin" |
2026-06-11 06:36 |
| P4r4d0x of the P4l4nt1r |
key 1 hex:
50414c414e54495241414141414141f020ff0f
key 2 hex:
bf2af2687c41414141414141414141414164ab23ae
that was fun, took me around 5 hours
writeup coming |
2026-06-11 06:28 |
| Hard CME 2 |
done.
submitted write up
V1RTU4L_M4CH1N3_5T4CK |
2026-06-07 20:45 |
| A real test for a professional |
For the program, I decompiled guardsman.exe and found it was not just using the visible seed string. It first builds keys from that string, checks one file, then if the check fails it reads 64 bytes from about 90% into its own executable and rebuilds the real keys.
The crypto was custom but simple:
MurmurHash64A -> MT19937 -> 64-byte key
Then the files are decrypted with XOR, with a weird rule that avoids changing bytes into newline characters.
I recreated that logic in a local solver, then walked the layers:
a files -> intermediate keys
b files -> final data/hash keys
c/hash -> validates c/data
c/data -> password
After decrypting c/data, the password was:
eUIBPa98aIOJve647adsMKEWATq8qev
The spaces matter. I tested it against the program: with the leading and trailing space it prints Correct password; without them it prints Incorrect password. |
2026-06-07 06:34 |