Mama Bear

We did not finish the task on time.

We received the mama_bear binary, which takes 2 inputs, a password and a secret, and returns an output that looks similar to the output in the description. After some reversing, we realized that it's a VM with an instruction set and a corresponding operation for each instruction. The instructions were pop, push, ror, return and a weird one we called mutate. They are all defined in the run_program function:

Here is some of the main function's code, which runs them all:

The instruction stream (the stream of instructions for the main function to use in the VM):

The spread_table to be used by mutate:

The function to generate spread_table for each run program:

So we implemented the functions above in Python and, given a password and secret, we successfully returned the same result as the mama_bear binary.

Now we need to implement the reverse functions:

pop is the exact reverse of push.

rol is the exact reverse of ror:

But mutate has no obvious reverse. Furthermore, mutate loses information: it sets, clears or leaves each bit according to the spread_table. So we created a hashmap of all mutate options (src[al,bl] -> target[al,bl]) to use in mutate_reverse:
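An added sketch of this lookup-table inversion, together with the ror/rol pair from the previous step; it is not the team's code. `mutate` and `SPREAD_TABLE` below are constructed stand-ins (the binary's real ones are not reproduced here), and because the step is lossy the reverse map returns a list of candidate inputs for each output.

```python
from collections import defaultdict

# Constructed stand-in for the binary's spread_table: one action per bit of al.
KEEP, SET, CLEAR = 0, 1, 2
SPREAD_TABLE = [KEEP, SET, KEEP, CLEAR, KEEP, KEEP, SET, KEEP]  # bit 0 .. bit 7

def ror8(x, n):
    """Rotate an 8-bit value right by n."""
    n %= 8
    return ((x >> n) | (x << (8 - n))) & 0xFF

def rol8(x, n):
    """Rotate an 8-bit value left by n; exact inverse of ror8."""
    n %= 8
    return ((x << n) | (x >> (8 - n))) & 0xFF

def mutate(al, bl, table=SPREAD_TABLE):
    """Hypothetical lossy step: set, clear or keep each bit of al, then mix al into bl."""
    out = 0
    for bit, action in enumerate(table):
        if action == SET or (action == KEEP and ((al >> bit) & 1)):
            out |= 1 << bit
    return out, bl ^ ror8(out, 3)

def build_reverse_map(table=SPREAD_TABLE):
    """Enumerate all 65536 (al, bl) inputs and index them by the output they produce."""
    rev = defaultdict(list)
    for al in range(256):
        for bl in range(256):
            rev[mutate(al, bl, table)].append((al, bl))
    return rev

REVERSE_MAP = build_reverse_map()

def mutate_reverse(al, bl):
    """Return every (al, bl) that mutate maps to this output; [] if it is unreachable."""
    return REVERSE_MAP.get((al, bl), [])

if __name__ == "__main__":
    target = mutate(0x5A, 0xC3)
    print("output:", target, "candidates:", mutate_reverse(*target))
```

With several candidates per output, a reversed program has to try each one (or prune them against the expected output format) rather than assume a single preimage.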

We have to set the pc before running each reversed program:

And now we have a reversed run_program. (We confirmed it by running the program and then reverse_program and seeing no change in the input.) All we need to do next is feed the target output as input to our reversed function and brute-force the password until it outputs this string format: HackTM{.*}