UniVsThreats 26 Quals CTF - Starfield Relay - Reverse Engineering Writeup

Category: Reverse Engineering

Flag: UVT{Kr4cK_M3_N0w-cR4Km3_THEN-5T4rf13Ld_piNgS_uR_pR0b3Z_xTND-I_h1D3_in_l0Gz_1n_v01D_iN_ZEN}

Challenge Description#

A recovered spacecraft utility binary is believed to validate a multi-part unlock phrase. The executable runs a staged validation flow and eventually unlocks additional artifacts for deeper analysis. Your goal is to reverse the binary, recover each stage fragment and reconstruct the final flag.

Analysis#

I treated this as a staged validator with likely decoys, so I started with cheap static triage instead of going straight into heavy debugging. The file type confirmed a 64-bit Windows console PE, and the first string pass already showed the challenge structure: base prefix check, two token checks, VM execution, then stage2 artifact extraction (pings, logs, void).

1
file "crackme.exe"

1
crackme.exe: PE32+ executable (console) x86-64, for MS Windows

1
strings -a "crackme.exe" | rg -i "UVT\{|enter base prefix|enter stage2 token|enter token \(8 chars\)|starfield_pings|system.log|zen_void.bin"

1
UVT{
2
enter base prefix (4 chars):
3
enter stage2 token (8 chars):
4
enter token (8 chars):
5
stage5: next: decode starfield_pings/pings.txt (filter ttl=1337)
6
stage5: next: inspect logs/system.log for shuffled zen-tagged fragments
7
stage5: next: inspect void/zen_void.bin (islands inside zero-runs)

From there I mapped stage handlers in main and pulled each primitive. Stage 0/1 were intentionally simple: UVT{ and a 3-byte generator function that writes 0x4b 0x72 0x34.

1
r2 -q -e scr.color=false -A -c "s 0x140115aa0; pdf" "crackme.exe"

1
...
2
mov byte [rcx], 0x4b
3
mov byte [rcx+1], 0x72
4
mov byte [rcx+2], 0x34
5
...

Then I inverted stage2/stage3 byte equations to recover the two 8-byte tokens, and validated both directly.

1
python3.12 -c "
2
t2 = bytes.fromhex('31 24 dc fa 25 2c e4 c5')
3
s2 = bytes((((b - 0x13 - i*7) & 0xff) ^ ((i*0x11 + 0x6d) & 0xff)) for i, b in enumerate(t2))
4

5
t3 = [0xd7,0xd1,0xa7,0xed,0x54,0x39,0x68,0x49]
6
s3 = bytes((((b - 3*i) & 0xff) ^ ((0xa7 - 0xb*i) & 0xff)) for i, b in enumerate(t3))
7

8
print('stage2_token', s2.decode())
9
print('stage3_token', s3.decode())
10
"

1
stage2_token st4rG4te
2
stage3_token pR0b3Z3n

Those tokens are not final fragments; they drive crypto checks. Stage2 decrypts to cK_M3_ (PBKDF2-SHA256 + ChaCha20), and stage3 decrypts to N0w-cR4Km3_ (PBKDF2-SHA256 + AES-GCM).

1
python3.12 -c "
2
from Crypto.Protocol.KDF import PBKDF2
3
from Crypto.Hash import SHA256
4
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
5

6
km = PBKDF2(b'st4rG4te', b'uvt::s2::pbkdf2::v2', dkLen=48, count=60000, hmac_hash_module=SHA256)
7
pt = Cipher(algorithms.ChaCha20(km[:32], km[32:48]), mode=None).decryptor().update(bytes.fromhex('cc056fdab9be'))
8
print(pt.decode())
9
"

1
cK_M3_

1
python3.12 -c "
2
from Crypto.Protocol.KDF import PBKDF2
3
from Crypto.Hash import SHA256
4
from Crypto.Cipher import AES
5

6
km = PBKDF2(b'pR0b3Z3n', b'uvt::s3::pbkdf2::v4', dkLen=44, count=90000, hmac_hash_module=SHA256)
7
c = AES.new(km[:32], AES.MODE_GCM, nonce=km[32:44], mac_len=16)
8
c.update(b'uvt::stage3::aad::v4')
9
pt = c.decrypt_and_verify(bytes.fromhex('8f998d30eb808c858b8f01'), bytes.fromhex('e0c31b0565d6a3eb07d57cb916b592c4'))
10
print(pt.decode())
11
"

1
N0w-cR4Km3_

The VM stage produced THEN- after bytecode decode/emulation, and that gave enough material to pass the stage5 checksum gate and build the stage5 fragment 5T4rf13Ld_piNgS_.

smug

Stage5 was the annoying pivot: decryption kept failing until I corrected the AAD literal to the exact double-colon form from the binary (uvt::stage2blob::aad::v4|id=101). With that fixed, the embedded blob decrypted to a ZIP containing the real stage6–9 evidence files.

facepalm

1
python3.12 -c "
2
from pathlib import Path
3
from Crypto.Protocol.KDF import PBKDF2
4
from Crypto.Hash import SHA256
5
from Crypto.Cipher import AES
6
import io, zipfile
7

8
blob = Path('res_type10_id101_lang1033.bin').read_bytes()
9
nonce, tag, ct = blob[9:21], blob[21:37], blob[37:]
10

11
prefix = b'UVT{Kr4cK_M3_N0w-cR4Km3_THEN-'
12
u = sum(prefix[-5:]) & 0xff
13
const = bytes([0x69,0x08,0x68,0x2e,0x3a,0x6d,0x6f,0x10,0x38,0x03,0x2c,0x35,0x12,0x3b,0x0f,0x03])
14
stage5 = bytes([u ^ c for c in const])
15

16
key = PBKDF2(prefix + stage5, b'uvt::stage2blob::v4', dkLen=32, count=120000, hmac_hash_module=SHA256)
17
c = AES.new(key, AES.MODE_GCM, nonce=nonce, mac_len=16)
18
c.update(b'uvt::stage2blob::aad::v4|id=101')
19
pt = c.decrypt_and_verify(ct, tag)
20

21
z = zipfile.ZipFile(io.BytesIO(pt))
22
print(*z.namelist(), sep='\n')
23
"

1
logs/README_LOGS.txt
2
logs/system.log
3
logs/telemetry.log
4
probe_extender/README.txt
5
probe_extender/probe_extender.py
6
starfield_pings/pings.txt
7
void/zen_void.bin
8
void/zen_void_readme.txt
9
web/app.js
10
web/index.html
11
web/style.css

Stage6 came from ttl=1337 rows in pings.txt with the parity-split 5-bit mapping. My first interpretation produced a clue-like decoy; the hash-matching decode was uR_pR0b3Z_xTND-.

1
python3.12 -c "
2
import re
3
from pathlib import Path
4

5
txt = Path('stage2_extracted/starfield_pings/pings.txt').read_text()
6
vals = [int(x)-64 for x in re.findall(r'time=(\\d+)ms ttl=1337', txt)]
7

8
even = bytes([b ^ 0x52 for b in bytes.fromhex('270d62612a1c7f3036343a383e3c2220')])
9
odd  = bytes([b ^ 0x13 for b in bytes.fromhex('60627c7e787a74767072574749716341')[::-1]])
10

11
alpha = bytearray(32)
12
for i in range(16):
13
    alpha[2*i] = even[i]
14
    alpha[2*i+1] = odd[i]
15

16
print(bytes(alpha[v] for v in vals).decode())
17
"

1
uR_pR0b3Z_xTND-

Stage7 came from system.log: keep zen entries, sort by slot, XOR fragx by k, then base64-decode to get I_h1D3_in_l0Gz_.

1
python3.12 -c "
2
import json, base64
3
from pathlib import Path
4

5
rows = []
6
for line in Path('stage2_extracted/logs/system.log').read_text().splitlines():
7
    if line.startswith('{'):
8
        o = json.loads(line)
9
        if o.get('subsys') == 'zen' and 'fragx' in o:
10
            rows.append((o['slot'], int(o['k'], 16), bytes.fromhex(o['fragx'])))
11
rows.sort()
12

13
b = b''.join(bytes([x ^ k for x in frag]) for _, k, frag in rows)
14
print(base64.b64decode(b).decode())
15
"

1
I_h1D3_in_l0Gz_

Stage8/9 came from non-zero islands in zen_void.bin: valid-range island XOR 0x2a gave 1n_v01D_, then sum(stage8) % 256 decoded the 7-byte island to iN_ZEN}.

1
python3.12 -c "
2
from pathlib import Path
3

4
b = Path('stage2_extracted/void/zen_void.bin').read_bytes()
5

6
islands = []
7
i = 0
8
while i < len(b):
9
    if b[i] == 0:
10
        i += 1
11
        continue
12
    j = i
13
    while j < len(b) and b[j] != 0:
14
        j += 1
15
    islands.append((i, b[i:j]))
16
    i = j
17

18
s8 = None
19
for off, d in islands:
20
    if 0x9000 <= off < 0xF000 and len(d) == 8:
21
        cand = bytes(x ^ 0x2a for x in d)
22
        if cand == b'1n_v01D_':
23
            s8 = cand
24
            break
25

26
k9 = sum(s8) % 256
27
s9 = None
28
for off, d in islands:
29
    if len(d) == 7:
30
        cand = bytes(x ^ k9 for x in d)
31
        if cand == b'iN_ZEN}':
32
            s9 = cand
33
            break
34

35
print(s8.decode())
36
print(s9.decode())
37
"

1
1n_v01D_
2
iN_ZEN}

With all ten fragments rebuilt and reassembled, the final flag string was:

dance

1
python3.12 -c "
2
flag = (
3
    'UVT{'
4
    'Kr4'
5
    'cK_M3_'
6
    'N0w-cR4Km3_'
7
    'THEN-'
8
    '5T4rf13Ld_piNgS_'
9
    'uR_pR0b3Z_xTND-'
10
    'I_h1D3_in_l0Gz_'
11
    '1n_v01D_'
12
    'iN_ZEN}'
13
)
14
print(flag)
15
"

1
UVT{Kr4cK_M3_N0w-cR4Km3_THEN-5T4rf13Ld_piNgS_uR_pR0b3Z_xTND-I_h1D3_in_l0Gz_1n_v01D_iN_ZEN}

Solution#

1
# !/usr/bin/env python3.12
2

3
import base64
4
import io
5
import json
6
import re
7
import zipfile
8
from pathlib import Path
9

10
import pefile
11
from Crypto.Cipher import AES
12
from Crypto.Hash import SHA256
13
from Crypto.Protocol.KDF import PBKDF2
14
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
15

16
def extract_blob_101(pe_path: Path) -> bytes:
17
    pe = pefile.PE(str(pe_path))
18
    for t in pe.DIRECTORY_ENTRY_RESOURCE.entries:
19
        if t.struct.Id != 10:
20
            continue
21
        for e in t.directory.entries:
22
            if e.struct.Id != 101:
23
                continue
24
            for lang in e.directory.entries:
25
                d = lang.data.struct
26
                data = pe.get_memory_mapped_image()[d.OffsetToData : d.OffsetToData + d.Size]
27
                if data.startswith(b"UVTBLOB4"):
28
                    return data
29
    raise RuntimeError("resource 10/101 not found")
30

31
def stage2_fragment() -> bytes:
32
    km = PBKDF2(b"st4rG4te", b"uvt::s2::pbkdf2::v2", dkLen=48, count=60000, hmac_hash_module=SHA256)
33
    return Cipher(algorithms.ChaCha20(km[:32], km[32:48]), mode=None).decryptor().update(bytes.fromhex("cc056fdab9be"))
34

35
def stage3_fragment() -> bytes:
36
    km = PBKDF2(b"pR0b3Z3n", b"uvt::s3::pbkdf2::v4", dkLen=44, count=90000, hmac_hash_module=SHA256)
37
    c = AES.new(km[:32], AES.MODE_GCM, nonce=km[32:44], mac_len=16)
38
    c.update(b"uvt::stage3::aad::v4")
39
    return c.decrypt_and_verify(
40
        bytes.fromhex("8f998d30eb808c858b8f01"),
41
        bytes.fromhex("e0c31b0565d6a3eb07d57cb916b592c4"),
42
    )
43

44
def stage5_fragment(prefix_to_stage4: bytes) -> bytes:
45
    u = sum(prefix_to_stage4[-5:]) & 0xFF
46
    const = bytes([0x69, 0x08, 0x68, 0x2E, 0x3A, 0x6D, 0x6F, 0x10, 0x38, 0x03, 0x2C, 0x35, 0x12, 0x3B, 0x0F, 0x03])
47
    return bytes([u ^ c for c in const])
48

49
def decode_stage6(pings_text: str) -> bytes:
50
    vals = [int(x) - 64 for x in re.findall(r"time=(\d+)ms ttl=1337", pings_text)]
51
    even = bytes([b ^ 0x52 for b in bytes.fromhex("270d62612a1c7f3036343a383e3c2220")])
52
    odd = bytes([b ^ 0x13 for b in bytes.fromhex("60627c7e787a74767072574749716341")[::-1]])
53
    alpha = bytearray(32)
54
    for i in range(16):
55
        alpha[2 * i] = even[i]
56
        alpha[2 * i + 1] = odd[i]
57
    return bytes(alpha[v] for v in vals)
58

59
def decode_stage7(system_log_text: str) -> bytes:
60
    rows = []
61
    for line in system_log_text.splitlines():
62
        if not line.startswith("{"):
63
            continue
64
        obj = json.loads(line)
65
        if obj.get("subsys") == "zen" and "fragx" in obj:
66
            rows.append((obj["slot"], int(obj["k"], 16), bytes.fromhex(obj["fragx"])))
67
    rows.sort()
68
    blob = b"".join(bytes([x ^ k for x in frag]) for _, k, frag in rows)
69
    return base64.b64decode(blob)
70

71
def decode_stage8_stage9(void_data: bytes) -> tuple[bytes, bytes]:
72
    islands = []
73
    i = 0
74
    while i < len(void_data):
75
        if void_data[i] == 0:
76
            i += 1
77
            continue
78
        j = i
79
        while j < len(void_data) and void_data[j] != 0:
80
            j += 1
81
        islands.append((i, void_data[i:j]))
82
        i = j
83

84
    stage8 = None
85
    for off, d in islands:
86
        if 0x9000 <= off < 0xF000 and len(d) == 8:
87
            cand = bytes(x ^ 0x2A for x in d)
88
            if cand == b"1n_v01D_":
89
                stage8 = cand
90
                break
91
    if stage8 is None:
92
        raise RuntimeError("stage8 not found")
93

94
    k9 = sum(stage8) % 256
95
    stage9 = None
96
    for _, d in islands:
97
        if len(d) == 7:
98
            cand = bytes(x ^ k9 for x in d)
99
            if cand == b"iN_ZEN}":
100
                stage9 = cand
101
                break
102
    if stage9 is None:
103
        raise RuntimeError("stage9 not found")
104

105
    return stage8, stage9
106

107
def main() -> None:
108
    s0 = b"UVT{"
109
    s1 = b"Kr4"
110
    s2 = stage2_fragment()
111
    s3 = stage3_fragment()
112
    s4 = b"THEN-"
113
    s5 = stage5_fragment(s0 + s1 + s2 + s3 + s4)
114

115
    blob = extract_blob_101(Path("crackme.exe"))
116
    nonce, tag, ct = blob[9:21], blob[21:37], blob[37:]
117

118
    key = PBKDF2(s0 + s1 + s2 + s3 + s4 + s5, b"uvt::stage2blob::v4", dkLen=32, count=120000, hmac_hash_module=SHA256)
119
    c = AES.new(key, AES.MODE_GCM, nonce=nonce, mac_len=16)
120
    c.update(b"uvt::stage2blob::aad::v4|id=101")
121
    pt_zip = c.decrypt_and_verify(ct, tag)
122

123
    z = zipfile.ZipFile(io.BytesIO(pt_zip))
124
    s6 = decode_stage6(z.read("starfield_pings/pings.txt").decode())
125
    s7 = decode_stage7(z.read("logs/system.log").decode())
126
    s8, s9 = decode_stage8_stage9(z.read("void/zen_void.bin"))
127

128
    flag = (s0 + s1 + s2 + s3 + s4 + s5 + s6 + s7 + s8 + s9).decode()
129
    print(flag)
130

131
if __name__ == "__main__":
132
    main()

1
python3.12 solve.py

1
UVT{Kr4cK_M3_N0w-cR4Km3_THEN-5T4rf13Ld_piNgS_uR_pR0b3Z_xTND-I_h1D3_in_l0Gz_1n_v01D_iN_ZEN}