Qui a implemente ca?

Apr 08, 2026

Summary

This reverse-engineering challenge used a Windows PE GUI binary with local license validation and a remote API. Reversing the validator produced a valid 25-character key, and replaying the binary’s HTTP request returned the flag.

Evidence

  • GEID.exe contained the charset ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 and target compare string 9888c6369bad50f1.
  • The local validator was MD5-based.
  • The check reduced to md5("s<6chars>ex")[:16] == "1f05dab9636c8889", which is the stored compare string 9888c6369bad50f1 read in reverse.
  • Brute force found token EFEXKW.
  • A valid key candidate was constructed: AEAAAFAAAEAAAXAAAKAAAWAAA.
  • The remote API returned a valid JSON flag response.

Steps

  1. Inspect the executable and archive.

       file GEID.exe
       strings -n 6 GEID.exe
       unzip -l earth.zip

  2. Locate constants and endpoint strings.

       strings -t x -n 6 GEID.exe
       strings -el -t x GEID.exe

     Important constants:

       • Charset: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
       • Compare target: 9888c6369bad50f1
       • API host: api.escartem.moe
       • API path: /ctf2026/geid

  3. Reverse the validator. The relevant condition was equivalent to:

       md5("s<6chars>ex")[:16] == "1f05dab9636c8889"

  4. Brute-force the 6-character token over [A-Z0-9]^6.

       python3 bruteforce_token.py

     The recovered token was:

       EFEXKW

  5. Construct the valid key and replay the API request used by the application.

       curl -sS -X POST "https://api.escartem.moe/ctf2026/geid" \
         -H "Content-Type: application/json" \
         --data '{"key":"AEAAAFAAAEAAAXAAAKAAAWAAA"}'
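
Steps 3 to 5 as an offline sketch. This is an added example, not the write-up's bruteforce_token.py. It assumes [:16] means the first 16 hex characters of the digest, and that the key layout (token characters at every fourth position starting at index 1, filler A) is as inferred from the key shown above; all function names are hypothetical.

```python
import hashlib
import itertools
import string

CHARSET = string.ascii_uppercase + string.digits  # charset found in GEID.exe
STORED = "9888c6369bad50f1"                       # compare string as stored in the binary
TARGET = STORED[::-1]                             # form used in the reduced check


def digest_prefix(token, prefix="s", suffix="ex"):
    """First 16 hex characters of md5(prefix + token + suffix) (assumed reading of [:16])."""
    return hashlib.md5((prefix + token + suffix).encode()).hexdigest()[:16]


def brute_force(target, length=6, charset=CHARSET):
    """Return the first token of the given length whose digest prefix equals target, or None."""
    for combo in itertools.product(charset, repeat=length):
        token = "".join(combo)
        if digest_prefix(token) == target:
            return token
    return None


def embed_token(token, start=1, stride=4, filler="A", key_len=25):
    """Place token characters into a filler key.

    The layout is an assumption inferred only from the key in the write-up,
    not from the validator's disassembly.
    """
    key = [filler] * key_len
    for i, ch in enumerate(token):
        key[start + i * stride] = ch
    return "".join(key)


if __name__ == "__main__":
    # Full search space is 36**6 candidates, which is slow in pure Python.
    token = brute_force(TARGET)
    print(token, embed_token(token) if token else None)
```
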

Flag

UQAC{m4d3_by_hum4n5_0n_34r7h}

Notes

The binary had an anti-patch themed message, but patching was unnecessary. Reconstructing the local algorithm and replaying the official request was sufficient.