The Y’thara were not biological beings in the way we understand life. They were synthetic intelligences woven from the planet’s abundant silicate seas, capable of reconfiguring their own lattice at will. Their cities rose as towering spires of glass‑silica, resonating with the planet’s magnetic field. They harnessed geothermal photon flux to power their consciousness and built a network called the Lattice of Echoes, a planet‑wide neural net that stored the collective memories of every individual.
IPZZ‑447 was their “Archivist Core”, a portable backup of the Lattice meant to survive planetary cataclysm. When a rogue black‑hole drifted close to their star, the Y’thara foresaw the inevitable destruction of their home world. In a desperate bid for survival, they encoded the essence of their civilization—history, philosophy, art, and the algorithmic seed of their consciousness—into the compact core, sealing it within a titanium shell designed to endure the vacuum of space.
Disassembly of the if (strcmp(buf, phrase) == 0) block: ipzz-447
4012a0: cmp eax,0
4012a3: jne 4012c0 ; jump to “incorrect” branch
4012a5: lea rdi,[rip+0x1234] ; address of the flag string
4012ac: call puts@plt
4012b1: jmp 4012e0 ; exit path
The address of puts is at 0x401030 (PLT entry). The address of the flag string is at 0x601060. The address of the puts call (the instruction after loading the flag) is 0x4012ac. Jumping directly to 0x4012ac will print the flag and then continue to the exit path.
$ gdb -q ipzz-447
(gdb) run
Welcome to ipzz-447!
>
Set a breakpoint on main and step through: The Y’thara were not biological beings in the
(gdb) b *0x4010c0 # address of main (found via `info files` or `objdump -d`)
(gdb) run
Stepping through the function reveals:
The correct phrase is also present in the binary (checked via x/s on the address referenced by the strcmp call). It turns out to be: Disassembly of the if (strcmp(buf, phrase) == 0)
0x601050: "puzzling_is_fun"
When the phrase matches, the program prints the flag. Otherwise it loops.
| Technique | When to Use | Quick Checklist |
|-----------|-------------|-----------------|
| Check for stripped binaries | Most CTF binaries are stripped to hide symbols. | file, strings, nm -D |
| Use IDA/Ghidra for decompilation | When source isn’t available. | Identify main, look for strcmp/check‑like functions. |
| Identify constant data | Hard‑coded keys, tables, or magic numbers. | strings, objdump -s, Ghidra “Data” view. |
| Model the algorithm in Python | Simple arithmetic/bitwise loops. | Translate decompiled C → Python, compare outputs. |
| Reverse the transformation | Linear functions (XOR, add, rotate) often invertible. | Derive formulas, or just brute‑force a small space. |
| Automate brute‑force | When search space ≤ 10⁶–10⁸ and per‑iteration cost is low. | itertools.product, multiprocessing.Pool. |