| Step | What we did | Why it mattered |
|------|--------------|-----------------|
| | Disassembled the binary → located check function | Revealed the hidden verification logic |
| Key extraction | Copied the 64‑byte key array from .rodata | Provided the data needed to compute the target hash |
| Equation derivation | SHA256(input) XOR K0 = K1 ⇒ SHA256(input) = K0 XOR K1 | Turned a “black‑box” check into a deterministic condition |
| Target hash computation | TARGET = K0 ^ K1 (byte‑wise XOR) | Gave the exact hash we must match |
| Search space reduction | Used known flag format NHDTA… and limited inner length | Made brute‑force feasible |
| Brute‑force script | Enumerated candidates, hashed each, compared to TARGET | Recovered the only string satisfying the equation |
| Verification | Ran the binary with the recovered string | Confirmed correctness, captured the flag |
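The derivation and search summarized in the table, as an added example that is not the write-up's own script. It assumes the 64-byte array is K0 followed by K1 (32 bytes each); the key material, inner alphabet and sample secret `NHDTAk3y` are constructed stand-ins, not values from the challenge binary.

```python
import hashlib
from itertools import product

PREFIX = b"NHDTA"  # known flag format from the write-up
CHARSET = b"abcdefghijklmnopqrstuvwxyz0123456789!"  # assumed inner alphabet


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(blob: bytes) -> tuple[bytes, bytes]:
    """Split the 64-byte array into (K0, K1); the K0-first layout is an assumption."""
    if len(blob) != 64:
        raise ValueError("expected a 64-byte key array")
    return blob[:32], blob[32:]


def check(candidate: bytes, k0: bytes, k1: bytes) -> bool:
    """Model of the binary's check: SHA256(input) XOR K0 == K1."""
    return xor_bytes(hashlib.sha256(candidate).digest(), k0) == k1


def recover(blob: bytes, max_inner: int = 3):
    """Compute TARGET = K0 ^ K1, then search PREFIX + inner for a matching hash."""
    k0, k1 = split_key(blob)
    target = xor_bytes(k0, k1)  # SHA256(input) must equal this value
    for n in range(max_inner + 1):
        for inner in product(CHARSET, repeat=n):
            candidate = PREFIX + bytes(inner)
            if hashlib.sha256(candidate).digest() == target:
                return candidate
    return None  # nothing in the reduced search space matches


def make_sample_blob(secret: bytes) -> bytes:
    """Constructed stand-in for the .rodata array (not the real key)."""
    k0 = hashlib.sha256(b"constructed-k0").digest()
    k1 = xor_bytes(hashlib.sha256(secret).digest(), k0)
    return k0 + k1


if __name__ == "__main__":
    blob = make_sample_blob(b"NHDTAk3y")
    found = recover(blob)
    print(found, found is not None and check(found, *split_key(blob)))
```

Because TARGET falls out of the two stored constants, the XOR mask adds no protection: the check is only as strong as the entropy of the input behind the known prefix.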
NHDTApwned!