Going in Reverse

Difficulty:
Direct link: Going in reverse
Area: Retro Store
In-game avatar: Kevin McFarland
Hints
Hint 1
Holy cow! Another retro floppy disk, what are the odds? Well it looks like this one is intact.
Hint 2
Maybe it is encrypted OR encoded?
Hint 3
It looks like the program on the disk contains some weird coding.
Objective
Request
Kevin in the Retro Store needs help rewinding tech and going in reverse. Extract the flag and enter it here.
Kevin McFarland
You know, there's something beautifully nostalgic about stumbling across old computing artifacts. Just last week, I was sorting through some boxes in my garage and came across a collection of 5.25" floppies from my college days - mostly containing terrible attempts at programming assignments and a few games I'd copied from friends.
Finding an old Commodore 64 disk with a mysterious BASIC program on it? That's like discovering a digital time capsule. The C64 was an incredible machine for its time - 64KB of RAM seemed like an ocean of possibility back then. I spent countless hours as a kid typing in program listings from Compute! magazine, usually making at least a dozen typos along the way.
The thing about BASIC programs from that era is they were often written by clever programmers who knew how to hide things in plain sight. Sometimes the most interesting discoveries come from reading the code itself rather than watching it execute. It's like being a digital archaeologist - you're not just looking at what the program does, you're understanding how the programmer thought.
Take your time with this one. Those old-school programmers had to be creative within such tight constraints. You'll know the flag by the Christmas phrase that pays.
Item
We get a BASIC program while talking to Kevin.

High-Level Steps
- Analyze – Inspect the BASIC program logic.
- Reverse – Undo the XOR-based obfuscation.
- Recover – Extract and submit the decoded flag.
```mermaid
flowchart TD
    subgraph Row1["Analyze"]
        direction LR
        A[Read BASIC program]
        B[Identify XOR-based checks]
        A --> B
    end
    subgraph Row2["Reverse"]
        direction LR
        C[Derive XOR key]
        D[Apply XOR to encoded values]
        C --> D
    end
    subgraph Row3["Recover"]
        direction LR
        E[Decode flag string]
        F[Obtain plaintext flag]
        G[Objective completed]
        E --> F --> G
    end
    Row1 --> Row2
    Row2 --> Row3
```
Solution
The BASIC program
In the code below, each character of the password the user enters (in the variable PASS$) is XORed with 7 and compared with the character at the same position in the expected password (in the variable ENC_PASS$). If any of them don't match, the user is sent to line 90, where "ACCESS DENIED" is printed and the program ends.
```basic
10 REM *** COMMODORE 64 SECURITY SYSTEM ***
20 ENC_PASS$ = "D13URKBT"
30 ENC_FLAG$ = "DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz"
40 INPUT "ENTER PASSWORD: "; PASS$
50 IF LEN(PASS$) <> LEN(ENC_PASS$) THEN GOTO 90
60 FOR I = 1 TO LEN(PASS$)
70 IF CHR$(ASC(MID$(PASS$,I,1)) XOR 7) <> MID$(ENC_PASS$,I,1) THEN GOTO 90
80 NEXT I
85 FLAG$ = "" : FOR I = 1 TO LEN(ENC_FLAG$) : FLAG$ = FLAG$ + CHR$(ASC(MID$(ENC_FLAG$,I,1)) XOR 7) : NEXT I : PRINT FLAG$
90 PRINT "ACCESS DENIED"
100 END
```
XOR is its own inverse, so what if we calculate XOR 7 for each character of the expected password D13URKBT? That gives back the password the program accepts.
calculate_xor.py (12-line script; listing not preserved)
```
python calculate_xor.py
D13URKBT
```

But that only gets us past the password check, so that we are not sent to line 90 and exited.
Line 85 then calculates the XOR 7 of the variable ENC_FLAG$.
REM is a comment in BASIC, so we just need to calculate the XOR 7 for DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz
Calculating the XOR 7 for DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz
```
python calculate_xor.py
DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz
```

We get CTF{frost-plan:compressors,coolant,oil}
We submit the above output and that is accepted as the answer.
Answer
CTF{frost-plan:compressors,coolant,oil}
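
The static analysis from the Solution, as an added example (this is not the author's calculate_xor.py): it reads the listing as text, pulls out the string literals and the XOR constant, and decodes both values without running any BASIC. The function names `parse_listing`, `xor_text` and `recover_secrets` are made up for this example.

```python
import re

# Listing copied from the page so the analysis runs offline.
LISTING = '''\
10 REM *** COMMODORE 64 SECURITY SYSTEM ***
20 ENC_PASS$ = "D13URKBT"
30 ENC_FLAG$ = "DSA|auhts*wkfi=dhjwubtthut+dhhkfis+hnkz"
40 INPUT "ENTER PASSWORD: "; PASS$
50 IF LEN(PASS$) <> LEN(ENC_PASS$) THEN GOTO 90
60 FOR I = 1 TO LEN(PASS$)
70 IF CHR$(ASC(MID$(PASS$,I,1)) XOR 7) <> MID$(ENC_PASS$,I,1) THEN GOTO 90
80 NEXT I
85 FLAG$ = "" : FOR I = 1 TO LEN(ENC_FLAG$) : FLAG$ = FLAG$ + CHR$(ASC(MID$(ENC_FLAG$,I,1)) XOR 7) : NEXT I : PRINT FLAG$
90 PRINT "ACCESS DENIED"
100 END
'''

ASSIGN = re.compile(r'([A-Z_][A-Z0-9_]*\$)\s*=\s*"([^"]+)"')  # NAME$ = "literal"
XOR_CONST = re.compile(r'\bXOR\s+(\d+)')                       # ... XOR <integer>


def parse_listing(text):
    """Map BASIC line numbers to their statement text, skipping REM comments."""
    program = {}
    for raw in text.splitlines():
        number, _, body = raw.strip().partition(" ")
        if number.isdigit() and not body.upper().startswith("REM"):
            program[int(number)] = body
    return program


def xor_text(value, key):
    """XOR is its own inverse, so this both encodes and decodes."""
    return "".join(chr(ord(ch) ^ key) for ch in value)


def recover_secrets(text):
    """Decode every non-empty string literal with the single XOR key in use."""
    program = parse_listing(text)
    keys = {int(k) for body in program.values() for k in XOR_CONST.findall(body)}
    if len(keys) != 1:
        raise ValueError(f"expected one XOR constant, found {sorted(keys)}")
    key = keys.pop()
    literals = dict(m for body in program.values() for m in ASSIGN.findall(body))
    return key, {name: xor_text(value, key) for name, value in literals.items()}


if __name__ == "__main__":
    print(recover_secrets(LISTING))
```

Re-encoding the recovered password with `xor_text` gives back D13URKBT, which is exactly the comparison line 70 performs.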
Response
Kevin McFarland
Excellent work! You've just demonstrated one of the most valuable skills in cybersecurity - the ability to think like the original programmer and unravel their logic without needing to execute a single line of code.
Learnings
- Reading and understanding code is important - sometimes we don't have to execute the code.
Prevention & Hardening Notes
- Avoid reversible operations such as XOR for protecting secrets. Treat the value as a password and use a one-way hash, e.g. SHA-256.