- flag

ctf 08-04-2024

Today we will be tackling some simple reverse engineering. The first thing to note is in the descriptor itself: “packed present” — is the binary packed?

We can use a simple tool known as DIE (Detect it Easy) to figure this out. After downloading the flag binary and running diec -rd flag, we obtain:

    Packer: UPX(3.08)[NRV,brute]

This tells us that the binary has been packed with UPX. We can easily unpack this with upx -d flag:

                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2024
UPX 4.2.2       Markus Oberhumer, Laszlo Molnar & John Reiser    Jan 3rd 2024

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    887219 <-    335288   37.79%   linux/amd64   flag

Unpacked 1 file.

Now that we have unpacked the binary, we can drop it into Ghidra to view the disassembly and decompilation. Ghidra is a very useful reverse engineering tool, and it is open-sourced by the National Security Agency (NSA) as a popular alternative to IDA.

We see in the decompiler that the data flag is copied into memory:

int main(int argc,char **argv)

  char *__dest;
  puts("I will malloc() and strcpy the flag there. take it.");
  __dest = (char *)malloc(100);
  return 0;

And the corresponding disassembly:

                             *                          FUNCTION                          *
                             int __stdcall main(int argc, char * * argv)
             int               EAX:4          <RETURN>
             int               EDI:4          argc
             char * *          RSI:8          argv
             undefined8        Stack[-0x10]:8 local_10                                XREF[2]:     00401180(W), 
                             main                                            XREF[3]:     Entry Point(*), 
                                                                                          _start:00401075(*), 004b3a50(*)  
        00401164 55              PUSH       RBP
        00401165 48 89 e5        MOV        RBP,RSP
        00401168 48 83 ec 10     SUB        RSP,0x10
        0040116c bf 58 66        MOV        argc,s_I_will_malloc()_and_strcpy_the_f_00496658 = "I will malloc() and strcpy th
                 49 00
        00401171 e8 0a 0f        CALL       puts                                             int puts(char * __s)
                 00 00
        00401176 bf 64 00        MOV        argc,0x64
                 00 00
        0040117b e8 50 88        CALL       malloc                                           void * malloc(size_t __size)
                 00 00
        00401180 48 89 45 f8     MOV        qword ptr [RBP + local_10],RAX
        00401184 48 8b 15        MOV        RDX=>s_UPX...?_sounds_like_a_delivery_s_004966   = "UPX...? sounds like a deliver
                 e5 0e 2c 00                                                                 = 00496628
        0040118b 48 8b 45 f8     MOV        RAX,qword ptr [RBP + local_10]
        0040118f 48 89 d6        MOV        argv=>s_UPX...?_sounds_like_a_delivery_s_00496   = "UPX...? sounds like a deliver
        00401192 48 89 c7        MOV        argc,RAX
        00401195 e8 86 f1        CALL       strcpy                                           char * strcpy(char * __dest, cha
                 ff ff
        0040119a b8 00 00        MOV        EAX,0x0
                 00 00
        0040119f c9              LEAVE
        004011a0 c3              RET

Following the data, we get the flag:

Flag: UPX…? sounds like a delivery service :)

Author's photo

Lin Jiang

I’m a high school student that's passionate about computer science. Join me in having fun through recreational programming!

See other articles:

undefinedThumbnail - bof

Nana told me that buffer overflow is one of the most common software vulnerability. Is that true?

ctf 07-04-2024