Backdoor CTF 2014 - Bin200

This time, we are dealing with an alcoholic.

Task:

"Jill was high after consuming ( 2³ ) glasses of alcohol. In this state, he wrote a C++ program to hide a message, but he doesn't remember it now.
Help him recover it. He managed to write a single line of comment."

We received the source code in a file called obfuscated.cpp.

Source Code:

#include<cstdio>
#include<cstdlib>
#define l101(a) rand()%a
#define zlz1 bbb
#define zz mmm
#define zzz mlm
#define bsd gbbrsh
#define xx void
#define backdoor \m/
#define bbb cfc
#define ffff ff
#define ads using
#define un unfortunately
#define fff main
#define gu brnf**k
#define l10l cfc
#define mmm void
#define bbbb cfc
#define vgg long long
#define bub std
#define mlm printf
#define ffffff f
#define lj1 dsnt
#define bmB support
#define cfc int
#define nv guu
#define aa namespace
#define m1m inff
ads aa bub;
xx ffff(), fffff();
mmm ggg();
vgg f = 0x7265616c6c795f69;
zlz1 ccc[] = {0x5a,90,0x5d,89,115,74,68,70,0x5c,79,0x43,87,123,101,110,0x40,0x67};
bbbb fff() {
  l10l ll01 = l101((0x00f1b00>>4)+0x08ff08-354);
  bbbb aaa = 0;
  mlm("%f%l%lld\n"+4, ffffff);
  f++;
  if(ll01<(ll01&-0x1))??<ff ggg="">
}
zz ff(){
  for(bbbb guu=1;guu<18 data-blogger-escaped-guu="">(guu&0x0));++guu) {
    ccc[nv-1] = ((ccc[guu-(((8*(0xd5f650))+1)&1)] ^ (0x31-guu)));
  }
}
zz ggg()??<
  for(l10l cc=0;cc<=0x11;++cc)??<mlm c="" cc="" ccc="" x="">
%>
// oops subtracted by 1 not keeping my base is mind</mlm><!--18--></ff></cstdlib></cstdio>

And we also got a hint: Hint: Preprocess -> Compile -> Execute
So we, basicly, did what they said. Firstly, we have preproceded file without a compilation. And then compiled, and executed the new preprocessed file (new.cpp).

wiremage@oxyz ~/c/b/bin200> g++ -trigraphs -E obfuscated.cpp > new.cpp
wiremage@oxyz ~/c/b/bin200> g++ new.cpp 
wiremage@oxyz ~/c/b/bin200> ./a.out 
8243101811275816809

That gave us a nice number, lol.

Next, we took a peek inside the new.cpp source and found an unnecessary if statement, so we removed it.
We discovered that the number we got on the first run came from:

printf("%f%l%lld\n" + 4, f);

However, if you look at the next two lines, you'll see calls to functions that also perform some printf operations. So, we decided to force their execution by removing the if condition.

int main() {
  int ll01 = rand()%(0x00f1b00>>4)+0x08ff08-354;
  int aaa = 0;
  printf("%f%l%lld\n"+4, f);
  f++;
  if(ll01<(ll01&-0x1)){ff();ggg();//THIS IF HERE WE REMOVED LOL Remember remove only if part, so ff();ggg(); got executed!
}
void ff(){
  for(int guu=1;guu<18&&(guu>(guu&0x0));++guu) {
    ccc[guu-1] = ((ccc[guu-(((8*(0xd5f650))+1)&1)] ^ (0x31-guu)));
  }
}
void ggg(){
  for(int cc=0;cc<=0x11;++cc){printf("%x%c"+2, ccc<:cc]);
%>

After that -> compiled file again -> executed -> got the flag.

wiremage@oxyz ~/c/b/bin200> g++ new.cpp 
wiremage@oxyz ~/c/b/bin200> ./a.out 
8243101811275816809
just_another_FLaG

Encode just_another_FLaG with MD5 and thats it, you own the flag.

The flag: a38834db6eb9d31e3c7e878bae3da748