batcave-bitflips
umasscybersec
Task: a not-stripped ELF64 license checker was intentionally damaged by bit flips, leaving several obviously broken arithmetic and crypto-looking routines. Solution: ignore the noisy verifier, recover the plaintext directly by XORing the stored FLAG and EXPECTED blobs from .data, and use the embedded NUL to explain the printed flag boundary.
batcave-bitflips — UMass Cybersecurity CTF
Description
Organizer description was not preserved in the local task files.
English summary: the challenge provided a corrupted ELF64 license checker with enough symbols left intact to inspect its globals and helper routines. The intended verification path was damaged, but the plaintext flag could still be recovered directly from the data section.
Analysis
The binary was not stripped, which immediately exposed useful globals: LICENSE_KEY, EXPECTED, FLAG, and SBOX, plus functions such as rotate, decrypt_flag, hash, and verify. Several instructions looked wrong in a way that strongly suggested bit-flip corruption rather than ordinary obfuscation.
The most suspicious examples were:
- rotate used (b * 8) | (b >> 6) instead of a normal 3-bit rotate-left like (b << 3) | (b >> 5).
- decrypt_flag used bitwise OR where XOR made much more sense for symmetric recovery.
- hash iterated for 0xBEEEEE rounds, which looked deliberately corrupted or at least untrustworthy.
At that point, fully repairing the verification path was unnecessary. The key observation was that both EXPECTED and FLAG were stored in .data, and XORing them immediately produced readable output:
UMASS{__p4tche5_0n_p4tche$__#}\x00\xee
The embedded NUL explains why the program would print only UMASS{__p4tche5_0n_p4tche$__#} with %s. The remaining byte 0xee is just trailing garbage after the string terminator. The embedded LICENSE_KEY string !_batman-robin-alfred_((67||67)) is likely the intended thematic license value, but recovering the flag did not require repairing the broken hash pipeline enough to validate it cleanly.
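The two observations above can be checked in a few lines. This is an added example, not code from the original writeup or the challenge: it shows that the damaged rotate expression is no longer invertible on bytes, and it performs the blob XOR and the %s truncation at the embedded NUL. Assumptions: rotate operates on 8-bit values, and the EXPECTED/FLAG bytes are constructed stand-ins because the real .data contents are not reproduced on this page.

```python
# Added example: sanity check for the damaged rotate plus the direct XOR recovery.
# Assumptions: rotate works on 8-bit values; the blob bytes below are constructed
# stand-ins, not the challenge's real .data contents.

def rotate_damaged(b: int) -> int:
    """The expression seen in the damaged binary, truncated to one byte."""
    return ((b * 8) | (b >> 6)) & 0xFF

def rotate_rol3(b: int) -> int:
    """A normal 3-bit rotate-left on one byte."""
    return ((b << 3) | (b >> 5)) & 0xFF

def image_size(f) -> int:
    """Distinct outputs over all byte inputs; 256 means the map is invertible."""
    return len({f(b) for b in range(256)})

def xor_blobs(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length blobs byte by byte."""
    if len(a) != len(b):
        raise ValueError("blobs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def c_string(buf: bytes) -> bytes:
    """What printf("%s") would show: everything before the first NUL."""
    return buf.split(b"\x00", 1)[0]

# Recovered plaintext exactly as quoted in the writeup above.
PLAINTEXT = b"UMASS{__p4tche5_0n_p4tche$__#}\x00\xee"

# Constructed stand-in for EXPECTED, and a FLAG blob derived from it so that
# FLAG ^ EXPECTED reproduces the quoted plaintext.
EXPECTED = bytes((i * 37 + 11) & 0xFF for i in range(len(PLAINTEXT)))
FLAG = xor_blobs(PLAINTEXT, EXPECTED)

def demo():
    recovered = xor_blobs(FLAG, EXPECTED)
    return (image_size(rotate_damaged), image_size(rotate_rol3),
            recovered, c_string(recovered))

if __name__ == "__main__":
    damaged, good, raw, shown = demo()
    print(f"damaged rotate reaches {damaged}/256 values, rol3 reaches {good}/256")
    print("raw XOR :", raw)
    print("as %s   :", shown.decode())
```

With the real blobs dumped from .data, only EXPECTED and FLAG need to be replaced; the lost-output count for the damaged rotate is a quick way to tell a corrupted routine from an intentionally odd one.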
Solution
...