THJCC CTF 2026 writeup RE
Super baby reverse
The flag is literary inside of the decompiled program
00401169 int32_t main(int32_t argc, char** argv, char** envp)
00401174 void* fsbase
00401174 int64_t rax = *(fsbase + 0x28)
00401197 int64_t var_148
00401197 __builtin_strncpy(dest: &var_148, src: "THJCC{BaBY_r3v3rs3_f0r_beggin3r}",
Fllllllag_ch3cker_again?
004021d9 int32_t main(int32_t argc, char** argv, char** envp)
004021e5 void* fsbase
004021e5 int64_t rax = *(fsbase + 0x28)
00402208 int64_t encryptedFLag
00402208 __builtin_memcpy(dest: &encryptedFLag,
00402208 src: "\x00\x20\x7b\x30\x1c\x4a\x32\x00\x27\x01\x5e\x2f\x07\x00\x26\x06\x5b\x47\x40\x"
00402208 "2d\x02\x2c\x2a\x07\x01\x5d\x38\x34\x70\x29\x04\x37\x55\x43\x36\x5f\x14\x00\x2c\x58"
00402208 "61\x22",
00402208 count: 0x2a)
00402248 int64_t var_e0 = 0x2a
0040225d int64_t key
0040225d __builtin_strncpy(dest: &key, src: "Th1s_1s_th3_k3y", count: 0xf)
0040226f int64_t var_d8 = 0xf
00402284 std::vector<uint8_t>::vector()
00402298 uint8_t var_c8[0x20]
00402298 std::vector<uint8_t>::reserve(&var_c8)
0040231f char var_e9
0040231f
0040231f for (int64_t i = 0; i u<= 0x29; i += 1)
004022f0 var_e9 = *(&key + i u% 0xf) ^ *(i + &encryptedFLag)
0040230a std::vector<uint8_t>::push_back(&var_c8)
The flag is xored against the key Th1s_1s_th3_k3y
Decryption
```
enc = bytes([
0x00, 0x20, 0x7b, 0x30, 0x1c, 0x4a, 0x32, 0x00, 0x27, 0x01, 0x5e, 0x2f, 0x07, 0x00, 0x26, 0x06,
0x5b, 0x47, 0x40, 0x2d, 0x02, 0x2c, 0x2a, 0x07, 0x01, 0x5d, 0x38, 0x34, 0x70, 0x29, 0x04, 0x37,
0x55, 0x43, 0x36, 0x5f, 0x14, 0x00, 0x2c, 0x58, 0x61, 0x22
])
key = b"Th1s_1s_th3_k3y"
flag = bytes([enc[i] ^ key[i % len(key)] for i in range(len(enc))])
print(flag.decode())
```
Web

Looks like there is an enpoint that is getting caoled. Simple iteration of requests
#!/bin/bash
for i in $(seq 0 999); do
n=\((printf "%03d" \)i)
response=\((curl -s "http://chal.thjcc.org:14514/?n=\)n" \
-X POST \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0' \
-H 'Accept: */*' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Referer: http://chal.thjcc.org:14514/' \
-H 'Origin: http://chal.thjcc.org:14514' \
-H 'Connection: keep-alive' \
-H 'Priority: u=4' \
-H 'Content-Length: 0')
echo "n=\(n: \)response"
if [ "$response" != "Nope, Try Again!" ]; then
echo ""
echo ">>> Different response at n=$n <<<"
echo ">>> Response: $response"
break
fi
done
The result was under n = 777