pwnable.kr - flag
ctf 08-04-2024
Today we will be tackling some simple reverse engineering. The first thing to note is in the descriptor itself: “packed present” — is the binary packed?
We can use a simple tool known as DIE (Detect it Easy)
to figure this out. After downloading the flag binary and running diec -rd flag, we obtain:
ELF64
Packer: UPX(3.08)[NRV,brute]This tells us that the binary has been packed with UPX. We can easily unpack this with upx -d flag:
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX 4.2.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 3rd 2024
File size Ratio Format Name
-------------------- ------ ----------- -----------
887219 <- 335288 37.79% linux/amd64 flag
Unpacked 1 file.Now that we have unpacked the binary, we can drop it into Ghidra to view the disassembly and decompilation. Ghidra is a very useful reverse engineering tool, and it is open-sourced by the National Security Agency (NSA) as a popular alternative to IDA.
We see in the decompiler that the data flag is copied into memory:
int main(int argc,char **argv)
{
char *__dest;
puts("I will malloc() and strcpy the flag there. take it.");
__dest = (char *)malloc(100);
strcpy(__dest,flag);
return 0;
}And the corresponding disassembly:
**************************************************************
* FUNCTION *
**************************************************************
int __stdcall main(int argc, char * * argv)
int EAX:4 <RETURN>
int EDI:4 argc
char * * RSI:8 argv
undefined8 Stack[-0x10]:8 local_10 XREF[2]: 00401180(W),
0040118b(R)
main XREF[3]: Entry Point(*),
_start:00401075(*), 004b3a50(*)
00401164 55 PUSH RBP
00401165 48 89 e5 MOV RBP,RSP
00401168 48 83 ec 10 SUB RSP,0x10
0040116c bf 58 66 MOV argc,s_I_will_malloc()_and_strcpy_the_f_00496658 = "I will malloc() and strcpy th
49 00
00401171 e8 0a 0f CALL puts int puts(char * __s)
00 00
00401176 bf 64 00 MOV argc,0x64
00 00
0040117b e8 50 88 CALL malloc void * malloc(size_t __size)
00 00
00401180 48 89 45 f8 MOV qword ptr [RBP + local_10],RAX
00401184 48 8b 15 MOV RDX=>s_UPX...?_sounds_like_a_delivery_s_004966 = "UPX...? sounds like a deliver
e5 0e 2c 00 = 00496628
0040118b 48 8b 45 f8 MOV RAX,qword ptr [RBP + local_10]
0040118f 48 89 d6 MOV argv=>s_UPX...?_sounds_like_a_delivery_s_00496 = "UPX...? sounds like a deliver
00401192 48 89 c7 MOV argc,RAX
00401195 e8 86 f1 CALL strcpy char * strcpy(char * __dest, cha
ff ff
0040119a b8 00 00 MOV EAX,0x0
00 00
0040119f c9 LEAVE
004011a0 c3 RETFollowing the data, we get the flag:
Flag:
UPX…? sounds like a delivery service :)
