


IceCTF 2018 Reverse Engineering - 1. Locked Out

j3rrry 2018. 9. 18. 00:13

Locked Out

[adversary ~/lockedout]$ ls -l
total 20
-r--r-----. 1 root drevil   27 Sep  8 01:19 flag.txt
-rwxr-sr-x. 1 root drevil 5628 Sep  8 01:19 lock
[adversary ~/lockedout]$ file lock
lock: setgid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9b18e194915ef4732b200556ced55fa91aa99360, stripped
/*
 * sub_920 - compare the user-supplied key against the key embedded in the binary.
 *
 * s1: NUL-terminated candidate key (main passes the line read from stdin).
 * Returns the raw strcmp() result: 0 on a match, non-zero otherwise.
 *
 * The embedded key is only obfuscated, not protected: glibc's memfrob()
 * XORs every byte with 42 (0x2A), which is trivially reversible. Because
 * the obfuscated bytes ship inside a binary the user can read, the check
 * can be solved statically without ever running the program.
 */
int __cdecl sub_920(char *s1)
{
  void *v1; // esi@1
  const char *v2; // esi@1
  int v3; // edi@1

  // off_2048 is a pointer stored in .data; per the data listing on this page
  // it points at the obfuscated key bytes (unk_A68 in .rodata).
  v1 = off_2048;
  // Result is discarded in the decompiler output. NOTE(review): glibc's
  // memfrob() takes (void *s, size_t n), so this strlen() is presumably the
  // length argument that the decompiler failed to attach to the call below.
  strlen((const char *)off_2048);
  // Work on a heap copy so the de-obfuscation does not write to the original bytes.
  v2 = (const char *)__strdup(v1);
  // De-obfuscate in place: each byte ^= 42. After this, v2 holds the plaintext key.
  memfrob(v2);
  // Plain string equality against the recovered key.
  v3 = strcmp(s1, v2);
  // The plaintext copy is released without being wiped first.
  free((void *)v2);
  return v3;
}

/*
 * main - prompt for a key on stdin and call sub_8A0() when sub_920() accepts it.
 *
 * Always returns 0, whether the key matched or not.
 *
 * Context from the page: `lock` is setgid (group drevil) and flag.txt is
 * readable only by root and group drevil, so whatever sub_8A0() does runs
 * with that group's privilege. The only gate is the string comparison in
 * sub_920(), whose reference key is embedded in the binary itself.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[280]; // [sp+0h] [bp-118h]@1
  int *v5; // [sp+110h] [bp-8h]@1

  // NOTE(review): v5 is never read; presumably a decompiler artifact of the
  // function prologue rather than program logic.
  v5 = &argc;
  puts("This is a pesky lock.. do you think you can open it?");
  printf("Enter key: ");
  // fgets stores at most 255 characters plus the NUL into the 280-byte
  // buffer, so this read cannot overflow s.
  if ( fgets(s, 256, stdin) )
  {
    // Cut the line at the first '\n' (or at the existing NUL if there is none).
    s[strcspn(s, "\n")] = 0;
    // sub_920 returns strcmp()'s result: non-zero means the key did not match.
    if ( sub_920(s) )
    {
      puts("key failed");
    }
    else
    {
      puts("unlocked!");
      // sub_8A0 is not shown on this page. NOTE(review): the session transcript
      // shows an `sh-4.4$` prompt right after "unlocked!", so it presumably
      // spawns a shell that keeps the setgid group - confirm in the disassembly.
      sub_8A0();
    }
  }
  return 0;
}
; off_2048 is the pointer that sub_920 loads (see the DATA XREF). It refers to
; the obfuscated key: 40 bytes at unk_A68 (0xA68..0xA8F), ended by the NUL at 0xA90.
.data:00002048 off_2048        dd offset unk_A68       ; DATA XREF: sub_920+11r

; Each byte below is a key character XORed with 0x2A, the fixed value glibc's
; memfrob() applies: 'K'^2Ah='a', 'r'^2Ah='X', 13h^2Ah='9', ... which matches
; the key entered in the session on this page. A fixed single-byte XOR is
; obfuscation only; anyone who can read the binary can recover the string.
.rodata:00000A68 aKrkXSg@CBYGomK db 'KrK^',13h,'X',1Eh,1Fh,'^Sg@]',1Eh,'C',1Fh,'}B',12h,'Y]|}GoM',19h,'\kH}pKC@~}z',12h
.rodata:00000A68                                         ; DATA XREF: .data:off_2048o
.rodata:00000A90                 db    0
# ssh -p 2222 ssh.icec.tf -l 0t9j7gqw35gii9t-lockedout
[adversary ~]$ cd ./lockedout
[adversary ~/lockedout]$ ./lock
This is a pesky lock.. do you think you can open it?
Enter key: aXat9r45UtyMjw4i5Wh8swVWmEg3vAbWZaijTWP8
unlocked!
sh-4.4$ cat flag.txt
IceCTF{you_m3ddling_k1ds}

sh-4.4$ exit

