Cybersec Reverse

[RE] Entropy Discord

Writeups for Patriot CTF 2025 event.

rev - Entropy Discord

0x01 Basic Info 

1

./entropy-discord: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3d97bd7da5c93a0d18f7f4c479dca11439d1ff7d, for GNU/Linux 3.2.0, stripped

The main function was messy and looks like wrote by Rust. By analysis, all the things that main function did is to set up some things.

Start by looking at sub_6ED0, which is the real logic of the program.

0x02 Protection

  1. sub_6ED0 will triggers an int3 which is the software breakpoints.
  2. Then install a SIGTRAP handler that sets byte_55961
  3. which means once you attach the program with debugger, you will get a fake flag
  4. LMAO, PCTF{n0t_th3_r34l_fl4g_k33p_l00k1ng}.
  5. And go to a wrong path.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10

      *fd = &unk_47BE0;
      v29 = sub_AEC0;
      s1[0] = &off_528B8;
      s1[1] = &dword_0 + 2;
      v22 = fd;
      v23 = 1u;
      sub_45440(s1);
      byte_55961 = 0;
      signal(5, handler);
      __debugbreak();

0x03 What does the function did actually?

  1. Read 0x10 bytes from /dev/urandom into a buffer. v0 = open("/dev/urandom", 0);
  2. Then, do some transformer to those bytes.
  3. And generate a 64-bit “entropy hash” which is var_168 and XOR with 0xDEABDEABDEADB33F 
    1
2

    mov     rax, 0DEABDEABDEADB33Fh
xor     [rsp+2C8h+var_168], rax
  4. Compare with var_2C0 
    1
2

    mov     rax, 0CAFEBABE13371337h
cmp     [rsp+2C8h+var_2C0], rax
  5. Jump to loc_98C8 if equal lea rax, off_52958 ; "\n[+] Transformation check passed!\n" else fail. lea rax, off_529A8 ; "\n[-] Transformation check failed!\n"
  6. After pass the check, the program will use the entropy to decrypt an embedded blob at 0x47ED2. lea rax, off_52968 ; "[*] Decrypting flag with entropy hash.."...
  7. So far we can write the solve ScRiPt. Yippe!!!

0x04 Solve Script

  • Uses a Java-style LCG keystream: state = (state * 0x5DEECE66D + 0xB) mod 2^48, keystream byte = state >> 8.
  • Decrypts only the first 0x1e (30) bytes of the blob. The remainder is plain ASCII "[+] Congratulations! You've tamed the entropy!" etc.
  • Embedded blob
1

 33 87 08 B8 A2 F5 B8 04 74 D6 0B E7 AE 20 E6 33 E7 F3 5D A5 CD 54 02 28 4B FB E8 7D 23 23 0A 5B 2B 5D 20 46 4C 41 47 3A 20 5B 2B 5D 20 43 6F 6E 67 72 61 74 75 6C 61 74 69 6F 6E 73 21 20 59 6F 75 27 76 65 20 74 61 6D 65 64 20 74 68 65 20 65 6E 74 72 6F 70 79 21 0A 0A 5B 2D 5D 20 54 72 61 6E 73 66 6F 72 6D 61 74 69 6F 6E 20 63 68 65 63 6B 20 66 61 69 6C 65 64
  • Expected plaintext for the encrypted part starts with the flag line e.g. "[+] FLAG: PCTF{...}".The solver can recover the initial 48-bit seed from that prefix and decrypt.

0x05 Script 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201

"""
Decrypt the embedded entropy blob from entropy-discord.
Only the first 30 bytes are encrypted with a Java-style LCG keystream.
Requires: python, z3-solver (pip install z3-solver).
"""

from z3 import *

# Full blob at 0x47ED2; first 30 bytes are ciphertext.
BLOB = bytes(
    [
        0x33,
        0x87,
        0x08,
        0xB8,
        0xA2,
        0xF5,
        0xB8,
        0x04,
        0x74,
        0xD6,
        0x0B,
        0xE7,
        0xAE,
        0x20,
        0xE6,
        0x33,
        0xE7,
        0xF3,
        0x5D,
        0xA5,
        0xCD,
        0x54,
        0x02,
        0x28,
        0x4B,
        0xFB,
        0xE8,
        0x7D,
        0x23,
        0x23,
        0x0A,
        0x5B,
        0x2B,
        0x5D,
        0x20,
        0x46,
        0x4C,
        0x41,
        0x47,
        0x3A,
        0x20,
        0x5B,
        0x2B,
        0x5D,
        0x20,
        0x43,
        0x6F,
        0x6E,
        0x67,
        0x72,
        0x61,
        0x74,
        0x75,
        0x6C,
        0x61,
        0x74,
        0x69,
        0x6F,
        0x6E,
        0x73,
        0x21,
        0x20,
        0x59,
        0x6F,
        0x75,
        0x27,
        0x76,
        0x65,
        0x20,
        0x74,
        0x61,
        0x6D,
        0x65,
        0x64,
        0x20,
        0x74,
        0x68,
        0x65,
        0x20,
        0x65,
        0x6E,
        0x74,
        0x72,
        0x6F,
        0x70,
        0x79,
        0x21,
        0x0A,
        0x0A,
        0x5B,
        0x2D,
        0x5D,
        0x20,
        0x54,
        0x72,
        0x61,
        0x6E,
        0x73,
        0x66,
        0x6F,
        0x72,
        0x6D,
        0x61,
        0x74,
        0x69,
        0x6F,
        0x6E,
        0x20,
        0x63,
        0x68,
        0x65,
        0x63,
        0x6B,
        0x20,
        0x66,
        0x61,
        0x69,
        0x6C,
        0x65,
        0x64,
    ]
)

ENC_LEN = 30  # number of bytes actually encrypted

FLAG_PREFIXES = [b"pctf{", b"PCTF{"]

MOD = 1 << 48
MULT = 0x5DEECE66D
ADD = 0xB


def solve_seed():
    """
    Recover the initial 48-bit state with loose constraints:
    - Plaintext is printable.
    - Contains a flag prefix (case-insensitive pctf{) somewhere in the encrypted region.
    """
    s0 = BitVec("s0", 48)
    s = s0
    solver = Solver()
    plains = []
    for i, c in enumerate(BLOB[:ENC_LEN]):
        s = (s * MULT + ADD) & (MOD - 1)
        ks = Extract(7, 0, s >> 8)  # keystream byte
        p = BitVec(f"p_{i}", 8)
        solver.add(p == c ^ ks)
        plains.append(p)
    # printable constraint
    for p in plains:
        solver.add(p >= 0x20, p <= 0x7e)
    # require a flag prefix somewhere
    hits = []
    for pref in FLAG_PREFIXES:
        for off in range(0, ENC_LEN - len(pref) + 1):
            hits.append(
                And(
                    plains[off] == pref[0],
                    plains[off + 1] == pref[1],
                    plains[off + 2] == pref[2],
                    plains[off + 3] == pref[3],
                    plains[off + 4] == pref[4],
                )
            )
    solver.add(Or(*hits))
    if solver.check() != sat:
        raise RuntimeError("Seed not solved; adjust constraints.")
    model = solver.model()
    seed = model[s0].as_long()
    plain_bytes = [model[p].as_long() for p in plains]
    return seed, bytes(plain_bytes)


def decrypt(seed):
    s = seed
    out = []
    for c in BLOB[:ENC_LEN]:
        s = (s * MULT + ADD) & (MOD - 1)
        ks = (s >> 8) & 0xFF
        out.append(c ^ ks)
    return bytes(out) + BLOB[ENC_LEN:]


if __name__ == "__main__":
    seed, first_part = solve_seed()
    plaintext = decrypt(seed)
    print(f"[+] Seed: 0x{seed:012x}")
    print(f"[+] Decrypted (first {ENC_LEN} bytes): {first_part}")
    print("[+] Full decrypted message:")
    print(plaintext.decode("ascii", errors="replace"))

1
2
3
4
5
6
7

[+] Seed: 0x000000002279
[+] Decrypted (first 30 bytes): b'PCTF{iTz_mY_puT3R--My_3nT40PY}'
[+] Full decrypted message:
PCTF{iTz_mY_puT3R--My_3nT40PY}
[+] FLAG: [+] Congratulations! You've tamed the entropy!

[-] Transformation check failed

Get Flag!

© 2020 - 2026 SISUBENY
Built with Hugo
Theme Stack designed by Jimmy