> For the complete documentation index, see [llms.txt](https://jedi.gitbook.io/jedi/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jedi.gitbook.io/jedi/ctf-archive/publish-your-docs/windowsofopportunity-easy.md). # WindowsOfOpportunity (easy) Here's the challenge's details: ![Challenge description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i00y8c6uzllnp3adbg0l.png) From this problem, we get a zip file that contain a binary file. First, we try to run it and check what the file do ![Flag checker?](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fy4rsaquujsbhk84kfxq.png) It seems this is a typical password or flag checker problem. We can understand how the file work with some basic reverse engineering tools, such as IDA or Ghidra. In this post, i will use IDA ![Main function](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s0sxuycdddwwklecvsk9.png) We can see from the result of decompiling the main function that this program will check between user input that being processed with `arr` array. The code is comparing the sum of consecutive elements in the `s` array from user input with corresponding elements in the `arr` array. If at any point these sums don't match the values in `arr`, the program prints an error message and exits with a return code of -1. We can see below the value of the `arr` array. ![Suspicious Array](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2bnxbv0x5mji1mfqss7i.png) So, we just have to perform the same process as the program does. Luckily, we know that the format of the flag is HTB{.\*?}, so we can perform the process by start with the ascii value of HTB (which is 72), and then subtract first `arr` index with it. The result can be used to subtract the second `arr` index, and so on ```py arr = [ 156, 150, 189, 175, 147, 195, 148, 96, 162, 209, 194, 207, 156, 163, 166, 104, 148, 193, 215, 172, 150, 147, 147, 214, 168, 159, 210, 148, 167, 214, 143, 160, 163, 161, 163, 86, 158 ] size = len(arr) a = 72 print(chr(a), end="") for i in range(size): result = arr[i] - a print(chr(result), end="") a = result ``` We can validate the result by try to insert it to the windows file again ![The Flag!](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fts78u84pp58gc9znvy8.png) ![We got the point!](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t8ud2w4d3kkf2yl9wppg.png) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jedi.gitbook.io/jedi/ctf-archive/publish-your-docs/windowsofopportunity-easy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.