EHAX CTF 2026 - Pathfinder - Reverse Engineering Writeup

Category: Reverse Engineering

Flag: EHAX{2E3S2W6S8E2NE2S}

Challenge Description#

You can go funky ways

Analysis#

1
file "pathfinder"

1
pathfinder: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=49d4c26d0aea83a8776dafd321a309b57fe2a66b, for GNU/Linux 4.4.0, stripped

The binary being a stripped PIE ELF told me I should expect minimal symbol help and runtime-resolved addresses, so I started by hunting high-signal constants and prompts before deep control-flow work.

1
strings -a "pathfinder" | rg -i "EHAX\{|pathfinder|best path|Flag"

1
EHAX{
2
Are you a pathfinder?
3
Ok, tell me the best path:
4
You have what it takes. Flag: %s

That immediately confirmed two important things: the challenge was definitely expecting a path string as input, and the final formatter already hardcoded the event prefix.

1
r2 -e scr.color=0 -A -q -c 's 0x11ee;pdg' "pathfinder" | rg "for \(var_ch|0x2020|0x40a0|fcn\.000011c9|\*\(var_ch"

1
for (var_ch = 0; var_ch < 100; var_ch = var_ch + 1) {
2
    uVar1 = *(var_ch + 0x2020);
3
    uVar2 = fcn.000011c9(var_ch);
4
    *(var_ch + 0x40a0) = uVar1 ^ uVar2;

1
r2 -e scr.color=0 -A -q -c 's 0x11c9;pdg' "pathfinder"

1
uint32_t fcn.000011c9(int64_t arg1)
2
{
3
    return arg1 << 3 ^ arg1 * 0x1f + 0x11U ^ 0xffffffa5;
4
}

This was the first real click: a 100-byte blob from .rodata gets XOR-decoded with an index-dependent keystream into a 10x10 table at 0x40a0. So the “pathfinder” prompt is really a maze/graph walk checker backed by decoded cell metadata.

1
r2 -e scr.color=0 -A -q -c 's 0x1444;pdg' "pathfinder"

1
bool fcn.00001444(char *arg1)
2
{
3
    ...
4
    if (*var_18h == '\0') {
5
        if ((var_28h == 9) && (var_24h == 9)) {
6
            iVar8 = fcn.0000126b(arg1);
7
            bVar9 = iVar8 == -0x7945adf4;
8
        }
9
        ...
10
    }
11
    uVar3 = *(uVar1 * 0xc + 0x4120);
12
    uVar2 = *(uVar1 * 0xc + 0x4128);
13
    ...
14
    uVar4 = fcn.0000123f(var_28h,var_24h);
15
    uVar5 = fcn.0000123f(uVar6,uVar7);
16
    if ((uVar5 & (uVar1 * 'k' ^ var_4h._1_1_ ^ 0x3c)) == 0 &&
17
        (uVar4 & (uVar1 * 'k' ^ var_4h ^ 0x3c)) == 0) {
18
        return false;
19
    }
20
    ...
21
}

1
r2 -e scr.color=0 -A -q -c 's 0x1602;pdg' "pathfinder" | rg "EHAX\{|%d%c|var_14h < 2|\*s = cVar1|\*s = '\\}'|sprintf"

1
iVar2 = sym.imp.sprintf(arg2,"EHAX{");
2
if (var_14h < 2) {
3
    *s = cVar1;
4
    iVar2 = sym.imp.sprintf(s,"%d%c",var_14h,cVar1);
5
*s = '}';

From the validator, each character (N/S/E/W) selects a 12-byte movement descriptor from 0x4120, updates (x,y) accumulators, and checks movement legality with per-cell bitmasks. The end condition is exact: land on (9,9) and satisfy the hash gate. The formatter at 0x1602 run-length-encodes the successful raw path between EHAX{ and } (single chars stay literal, repeated runs become count+char).

1
from collections import deque
2
from pathlib import Path
3

4
blob = Path("pathfinder").read_bytes()[0x2020:0x2020 + 100]
5

6
def key(i: int) -> int:
7
    return ((((i << 3) & 0xFFFFFFFF) ^ ((i * 0x1F + 0x11) & 0xFFFFFFFF) ^ 0xFFFFFFA5) & 0xFF)
8

9
grid = [b ^ key(i) for i, b in enumerate(blob)]
10

11
step = {
12
    "N": (-1, 0, 0x04, 0x01),
13
    "S": ( 1, 0, 0x01, 0x04),
14
    "E": ( 0, 1, 0x02, 0x08),
15
    "W": ( 0,-1, 0x08, 0x02),
16
}
17

18
def cell(r, c):
19
    return grid[r * 10 + c]
20

21
def can_move(r, c, ch):
22
    dr, dc, m_cur, m_next = step[ch]
23
    nr, nc = r + dr, c + dc
24
    if not (0 <= nr < 10 and 0 <= nc < 10):
25
        return False
26
    return not ((cell(nr, nc) & m_next) == 0 and (cell(r, c) & m_cur) == 0)
27

28
q = deque([(0, 0, "")])
29
seen = {(0, 0)}
30
while q:
31
    r, c, p = q.popleft()
32
    if (r, c) == (9, 9):
33
        print("path", p)
34
        break
35
    for ch in "NSEW":
36
        if can_move(r, c, ch):
37
            dr, dc, _, _ = step[ch]
38
            nr, nc = r + dr, c + dc
39
            if (nr, nc) not in seen:
40
                seen.add((nr, nc))
41
                q.append((nr, nc, p + ch))

1
from collections import deque
2
from pathlib import Path
3

4
b = Path("pathfinder").read_bytes()
5
enc = b[0x2020:0x2020 + 100]
6

7
def key(i: int) -> int:
8
    return ((((i << 3) & 0xFFFFFFFF) ^ ((i * 0x1F + 0x11) & 0xFFFFFFFF) ^ 0xFFFFFFA5) & 0xFF)
9

10
grid = [c ^ key(i) for i, c in enumerate(enc)]
11
step = {
12
    "N": (-1, 0, 0x04, 0x01),
13
    "S": (1, 0, 0x01, 0x04),
14
    "E": (0, 1, 0x02, 0x08),
15
    "W": (0, -1, 0x08, 0x02),
16
}
17

18
def cell(r: int, c: int) -> int:
19
    return grid[r * 10 + c]
20

21
def ok(r: int, c: int, ch: str) -> bool:
22
    dr, dc, m0, m1 = step[ch]
23
    nr, nc = r + dr, c + dc
24
    if not (0 <= nr < 10 and 0 <= nc < 10):
25
        return False
26
    return not (((cell(nr, nc) & m1) == 0) and ((cell(r, c) & m0) == 0))
27

28
q = deque([(0, 0, "")])
29
seen = {(0, 0)}
30

31
while q:
32
    r, c, p = q.popleft()
33
    if (r, c) == (9, 9):
34
        print("path", p)
35
        break
36
    for ch in "NSEW":
37
        if ok(r, c, ch):
38
            dr, dc, _, _ = step[ch]
39
            nr, nc = r + dr, c + dc
40
            if (nr, nc) not in seen:
41
                seen.add((nr, nc))
42
                q.append((nr, nc, p + ch))

1
from collections import deque
2
from pathlib import Path
3

4
b = Path("pathfinder").read_bytes()
5
enc = b[0x2020:0x2020 + 100]
6
def key(i):
7
    return ((((i << 3) & 0xffffffff) ^ ((i * 0x1f + 0x11) & 0xffffffff) ^ 0xffffffa5) & 0xff)
8
grid = [c ^ key(i) for i, c in enumerate(enc)]
9
step = {
10
    "N": (-1, 0, 0x04, 0x01),
11
    "S": (1, 0, 0x01, 0x04),
12
    "E": (0, 1, 0x02, 0x08),
13
    "W": (0, -1, 0x08, 0x02),
14
}
15
def cell(r, c): return grid[r * 10 + c]
16
def ok(r, c, ch):
17
    dr, dc, m0, m1 = step[ch]; nr, nc = r + dr, c + dc
18
    if not (0 <= nr < 10 and 0 <= nc < 10):
19
        return False
20
    return not (((cell(nr, nc) & m1) == 0) and ((cell(r, c) & m0) == 0))
21
q = deque([(0, 0, "")]); seen={(0,0)}
22
while q:
23
    r,c,p=q.popleft()
24
    if (r,c)==(9,9):
25
        print("path",p)
26
        break
27
    for ch in "NSEW":
28
        if ok(r,c,ch):
29
            dr,dc,_,_=step[ch]
30
            nr,nc=r+dr,c+dc
31
            if (nr,nc) not in seen:
32
                seen.add((nr,nc)); q.append((nr,nc,p+ch))

1
path EESSSWWSSSSSSEEEEEEEENNESS

Once the BFS gave a single clean route to (9,9), that path was exactly what the checker wanted.

dance

1
printf "y\nEESSSWWSSSSSSEEEEEEEENNESS\n" | ./pathfinder

1
Are you a pathfinder?
2
[y/n]: Ok, tell me the best path: You have what it takes. Flag: EHAX{2E3S2W6S8E2NE2S}
3
Bye.

The binary accepted the route and printed the final run-length encoded flag directly.

Solution#

1
from collections import deque
2
from pathlib import Path
3

4
BINARY = "pathfinder"
5
OFFSET = 0x2020
6
SIZE = 100
7

8
def key(i: int) -> int:
9
    return ((((i << 3) & 0xFFFFFFFF) ^ ((i * 0x1F + 0x11) & 0xFFFFFFFF) ^ 0xFFFFFFA5) & 0xFF)
10

11
def decode_grid() -> list[int]:
12
    data = Path(BINARY).read_bytes()[OFFSET:OFFSET + SIZE]
13
    return [b ^ key(i) for i, b in enumerate(data)]
14

15
def can_move(grid: list[int], r: int, c: int, d: str) -> tuple[bool, int, int]:
16
    step = {
17
        "N": (-1, 0, 0x04, 0x01),
18
        "S": ( 1, 0, 0x01, 0x04),
19
        "E": ( 0, 1, 0x02, 0x08),
20
        "W": ( 0,-1, 0x08, 0x02),
21
    }
22
    dr, dc, m_cur, m_next = step[d]
23
    nr, nc = r + dr, c + dc
24
    if not (0 <= nr < 10 and 0 <= nc < 10):
25
        return False, nr, nc
26

27
    def cell(x: int, y: int) -> int:
28
        return grid[x * 10 + y]
29

30
    blocked = (cell(nr, nc) & m_next) == 0 and (cell(r, c) & m_cur) == 0
31
    return (not blocked), nr, nc
32

33
def shortest_path(grid: list[int]) -> str:
34
    q = deque([(0, 0, "")])
35
    seen = {(0, 0)}
36
    while q:
37
        r, c, p = q.popleft()
38
        if (r, c) == (9, 9):
39
            return p
40
        for d in "NSEW":
41
            ok, nr, nc = can_move(grid, r, c, d)
42
            if ok and (nr, nc) not in seen:
43
                seen.add((nr, nc))
44
                q.append((nr, nc, p + d))
45
    raise RuntimeError("No valid path found")
46

47
def rle_path(path: str) -> str:
48
    out = []
49
    i = 0
50
    while i < len(path):
51
        j = i
52
        while j < len(path) and path[j] == path[i]:
53
            j += 1
54
        run = j - i
55
        if run == 1:
56
            out.append(path[i])
57
        else:
58
            out.append(f"{run}{path[i]}")
59
        i = j
60
    return "".join(out)
61

62
def main() -> None:
63
    grid = decode_grid()
64
    path = shortest_path(grid)
65
    print(f"EHAX{{{rle_path(path)}}}")
66

67
if __name__ == "__main__":
68
    main()

1
python3.12 solve.py

1
EHAX{2E3S2W6S8E2NE2S}