From 132e604f3bcc2699439260c147d7f14413d2b217 Mon Sep 17 00:00:00 2001
From: 0x35c <>
Date: Tue, 6 May 2025 13:56:20 +0200
Subject: [PATCH] level03: done
---
 level03/ressources/exploit | 1 +
 level03/source.c | 3 ++-
 level03/walkthrough | 13 +++++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 level03/ressources/exploit
 create mode 100644 level03/walkthrough
diff --git a/level03/ressources/exploit b/level03/ressources/exploit
new file mode 100644
index 0000000..b5fd099
--- /dev/null
+++ b/level03/ressources/exploit
@@ -0,0 +1 @@
+(echo 322424827; cat) | ./level03
diff --git a/level03/source.c b/level03/source.c
index 13ebec2..1b0a524 100644
--- a/level03/source.c
+++ b/level03/source.c
@@ -10,10 +10,11 @@ int decrypt(char key)
 // Stack canary protection (or SSP)
 // *(_DWORD *)((char *)&str[4] + 1) = __readgsdword(0x14u);
+ // strcpy((char *)str, "Q}|u`sfg~sf{}|a3");
 len = strlen((const char *)str);
 for (int i = 0; i < len; ++i)
- *((char *)str + i) ^= key;
+ str[i] ^= key;
 // Key needs to equal 12
 if (!strcmp((const char *)str, "Congratulations!"))
 return system("/bin/sh");
diff --git a/level03/walkthrough b/level03/walkthrough
new file mode 100644
index 0000000..c1484a8
--- /dev/null
+++ b/level03/walkthrough
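Review bot: The exploit file has no shebang and is committed as mode 100644, so it reads as a recorded command rather than a runnable script; a first line `#!/bin/sh` with the executable bit set, or a note that it is meant to be run as `sh exploit`, would make that explicit. The literal `322424827` is only explained in the walkthrough; a comment next to it such as `# 322424845 - 18, see walkthrough` keeps the derivation with the value. The relative `./level03` also assumes the working directory is the level directory, which is worth stating in the same comment.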
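Review bot: `str[i] ^= key;` changes which bytes the loop touches if `str` is still declared as the decompiler's `_DWORD`/int array, which the surviving `(char *)` casts on `strlen`, `strcpy` and `&str[4] + 1` suggest: it would then XOR 4-byte elements at stride 4 instead of the 16 bytes of the string and, for `i` up to 15, index past a 5-element array. Either keep the byte-wise form, `((char *)str)[i] ^= key;`, or change the declaration to `char str[...]` so that the index means a byte. The comment `// Key needs to equal 12` also disagrees with the walkthrough, which derives 18: `'Q' ^ 'C'` is 0x12, so `// Key needs to equal 0x12 (18 decimal)` would remove the ambiguity. decrypt()'s declarations and return lie outside the hunk, so neither `str`'s type nor `len`'s type (compared against a signed `int i`) can be confirmed here.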
@@ -0,0 +1,13 @@
+# Level03
+
+Using hexrays, we can decompile the code and see that it `decrypt()`s a constant string (`"Q}|u`sfg~sf{}|a3"` with a key that we can input (more or less).
+Basically, the code will `xor` each character of the string with the key.
+The modified string will then be compared to `"Congratulations!"` and execute a shell if the value matches.
+All we have to do is find the key where `'Q'^key == 'C'`. We use this (xor calculator)[https://xor.pw/] to find the value, which is 18 in decimal.
+Finally, we need to input this through the `scanf()` call. This will store our input in a variable that will then be passed as the first parameter of the `test()` function.
+The second parameter is `322424845` and `test()` will call `decrypt()` with the difference between `a2` and `a1` (let's call it `key`).
+Since `a2 == 322424845` and we want `key == 18`, we need to have `a1 == a2 - 18`, which is `322424827`.
+We just need to input this value into the program.
+
+Here is the command:
+`(echo 322424827; cat) | ./level03`