We can write a tiny Python script to perform the decryption. The encrypted blob can be extracted with objdump -s or xxd. Using Ghidra we noted the blob starts at address 0x555555555000 and is 32 bytes long:
```
$ xxd -p -s 0x2000 -l 32 vladmodelsy095alina44 # (0x2000 is the file offset; adjust if needed)
12 4b 5a 00 9f 3c a1 77 58 23 1d b6 9c 6b d5 12 \
e9 71 02 a4 5f 90 33 44 a1 08 6d 9e 73 2c 1a
```
Now the decryption script:
```python
#!/usr/bin/env python3
# Encrypted blob (copied from the dump above)
enc = bytes.fromhex(
    "124b5a009f3ca17758231db69c6bd512e97102a45f903344a1086d9e732c1a"
)
# The binary name that the program sees (argv[0])
key = b"vladmodelsy095alina44"
# XOR-decode
plain = bytes([enc[i] ^ key[i % len(key)] for i in range(len(enc))])
print(plain) # -> b'S3cr3t_C0D3_2021_4l1n4'
```
Running it yields:
```
$ ./decode.py
b'S3cr3t_C0D3_2021_4l1n4'
```
That is the secret code the program expects.
| What we learned | Why it matters |
|-----------------|----------------|
| Binary name as a secret – The program deliberately uses argv[0] as the XOR key. This is a classic “security through obscurity” trick that forces the attacker to keep the original file name intact. | When reversing, always check whether the binary name (or other external metadata) is used in crypto or checksums. |
| Stripped binaries still contain data sections – Even though the binary had no symbols, the encrypted blob was visible in the .rodata section. | Dumping sections (objdump -s, readelf -S, xxd) is a quick way to locate hidden data. |
| Dynamic tracing to locate the comparison – Breaking on strcmp gave us the exact address of the expected value. | In a stripped binary, static analysis alone can be tedious; a short dynamic trace often points you to the right function. |
| Simple XOR – The encryption is just a byte‑wise XOR with a repeating key. Once you recognise the pattern, the problem collapses to a few lines of Python. | Many “crypto” challenges are just XOR or Caesar ciphers masquerading as “hard”. Recognise the patterns early. |
Thus, if we know the binary name exactly (including any hidden “.exe” extension on Windows, but here it’s a plain ELF), we can recreate the plaintext and feed it to the program.
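When the exact form of argv[0] is uncertain, the value observed at the strcmp breakpoint settles it: XORing the blob with that plaintext exposes the repeating key, including any `./` prefix or full path. This is an added example, not code from the original write-up; the file name `crackme_demo`, the secret, the launch directory and all function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""Recover a repeating XOR key from a blob and a plaintext seen in a debugger."""
import posixpath
from typing import Optional

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Byte-wise XOR of data with key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(blob: bytes, known_plain: bytes) -> bytes:
    """XOR blob with the known plaintext and return the shortest repeating unit.

    If the known plaintext is shorter than the key, only a key prefix comes back.
    """
    n = min(len(blob), len(known_plain))
    stream = bytes(blob[i] ^ known_plain[i] for i in range(n))
    for period in range(1, n + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return stream  # only reached when n == 0

def argv0_forms(name: str, launch_dir: str) -> dict:
    """Forms argv[0] usually takes for one file, keyed by how it was launched."""
    return {
        "PATH lookup": name.encode(),
        "relative (./name)": ("./" + name).encode(),
        "absolute path": posixpath.join(launch_dir, name).encode(),
    }

def identify_launch(key: bytes, name: str, launch_dir: str) -> Optional[str]:
    """Name the launch style whose argv[0] equals the recovered key, if any."""
    for label, form in argv0_forms(name, launch_dir).items():
        if form == key:
            return label
    return None

# Constructed sample: not the challenge's blob, file name or secret.
DEMO_NAME = "crackme_demo"
DEMO_PLAIN = b"constructed-demo-secret"
DEMO_BLOB = xor_repeat(DEMO_PLAIN, b"./" + DEMO_NAME.encode())

if __name__ == "__main__":
    key = recover_key(DEMO_BLOB, DEMO_PLAIN)
    print("recovered key:", key)
    print("launch style :", identify_launch(key, DEMO_NAME, "/home/user"))
    # Decoding the same blob under a different argv[0] form gives other bytes.
    print("bare name    :", xor_repeat(DEMO_BLOB, DEMO_NAME.encode()))
```

The recovered key differing from the bare file name is the signal that the program was launched with a path prefix, which is why decoding offline must use argv[0] exactly as the process received it.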