reversefreeeasy

Auto Cooker

GPNCTF 2026

Task: intro reverse engineering ELF that runs the input flag through a 5-stage cooking-themed byte transform pipeline and compares against a hardcoded TARGET. Solution: each stage is reversible (XOR 0xAA, nibble swap, buffer reverse, padding mask), so invert the pipeline in reverse order from TARGET to recover the flag.

$ ls tags/ techniques/

xor elf not_stripped rev byte_transform easy intro

static_analysisconstant_extractiontransform_pipeline_inversionxor_self_inversenibble_swapbuffer_reversal

$ cat /etc/rate-limit

Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.

Auto Cooker — GPNCTF 2026

Description

I always feel like cooking is such a chore... You have to chop up all your ingredients, cook them for hours and then make the plating look half-decent. But not with this new machine I got! You just have to put in your recipe (weirdly, the interface calls it a flag...) and it will get cooked for you. It's so easy, even someone with no experience in ~~cooking~~ reverse engineering can do it.

English summary: We are given a 64-bit ELF binary that reads a "recipe" (the flag), runs it through a series of cooking-themed transforms, and checks the result against a hardcoded target. The goal is to find the input flag that "cooks" into the expected output.

Analysis

The handout autocooker.tar.gz contains a single ELF:

ELF 64-bit LSB executable, x86-64, dynamically linked, GNU/Linux 3.2.0, NOT stripped, 16616 bytes.
checksec: Partial RELRO, No canary, NX enabled, No PIE (base 0x400000), not stripped.

Because the binary is not stripped, every transform function keeps its descriptive name, which essentially documents the whole algorithm:

check_recipe_length, explain_current_food, salt, fry, trim, mix, taste, main

Control flow in `main`

Reads the user's recipe (the flag) via fgets into a 64-byte buffer RECIPE at 0x4040e0 (size 0x40).
check_recipe_length: ensures RECIPE[TARGET_LENGTH] == 0 and RECIPE[TARGET_LENGTH-1] != 0 (length sanity check); otherwise it exits with "Your recipe is too complicated or too simple...".
Copies RECIPE into the 64-byte FOOD buffer at 0x404120.
Runs a 5-stage pipeline (with explain_current_food printing flavor text between stages), then taste compares FOOD to a hardcoded TARGET array and prints "Congratulations, you cooked a delicious plate of food!" on a full match.

The 5 transform stages (forward direction)

...

$ grep --similar

Similar writeups

[reverse][free]Hexecution— HackTheBox
[reverse][Pro]Kitchen Sink— tamuctf
[pwn][Pro]Taste— grodno_new_year_2026
[reverse][Pro]Challenge7— tamuctf
[reverse][Pro]Basic— spbctf