BM02 - 250pts

# Briefing

Download the file and find a way to get the flag. Contents: program

# Solution

1. Running the program simply outputs `I'm not going to make it that easy for you.`.
2. Decompiling the binary using Ghidra reveals a `printFlag()` function that prints the flag if it is called with `0x539` as an argument.
   `printFlag` function:
   ```c
   void printFlag(int param_1)

   {
     byte bVar1;
     byte bVar2;
     long in_FS_OFFSET;
     uint local_2c;
     /* encoded flag buffer; size taken from the local_28..local_10 stack gap,
        only indices 0..18 are used */
     byte local_28 [24];
     long local_10;

     /* load the stack canary */
     local_10 = *(long *)(in_FS_OFFSET + 0x28);
     if (param_1 == 0x539) {
       local_28[0] = 0x15;
       local_28[1] = 0x70;
       local_28[2] = 0xe5;
       local_28[3] = 100;
       local_28[4] = 0x7a;
       local_28[5] = 0xd4;
       local_28[6] = 0x6d;
       local_28[7] = 0x75;
       local_28[8] = 0xeb;
       local_28[9] = 0xf4;
       local_28[10] = 0x6a;
       local_28[11] = 0xd1;
       local_28[12] = 0xfa;
       local_28[13] = 0xd1;
       local_28[14] = 0xf9;
       local_28[15] = 0xe8;
       local_28[16] = 0x9d;
       local_28[17] = 0x7c;
       local_28[18] = 0x41;
       local_2c = 0;
       /* decode the 0x13 (19) bytes in place, keyed on the byte index */
       while (local_2c < 0x13) {
         bVar2 = (byte)local_2c;
         bVar1 = ~-((~local_28[local_2c] + bVar2 ^ 0x48) - bVar2);
         bVar2 = ((bVar1 << 3 | bVar1 >> 5) - bVar2 ^ 0x5d) - 0x23 ^ bVar2;
         bVar1 = (bVar2 * '\x02' | bVar2 >> 7) + 0xbf;
         local_28[local_2c] = (bVar1 * ' ' | bVar1 >> 3) ^ 0x65;
         local_2c = local_2c + 1;
       }
       puts((char *)local_28);
     }
     if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                       /* WARNING: Subroutine does not return */
       __stack_chk_fail();
     }
     return;
   }
   ```
3. We run the program using GDB and do the following:
   1. Set a breakpoint at `puts`: `b puts`
   2. Run: `r`
   3. Call `printFlag` with the correct argument: `call (char *) printFlag(0x539)`
4. The flag is shown as `Flag: patchItFixIt`.
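
The same string can also be recovered statically, without running the binary. The following is an added example, not part of the original write-up: it reimplements the decoding loop from the decompiled `printFlag` in standalone C, using the 19 byte values assigned in that function. The names `ENCODED`, `rotl8`, `decode_byte` and `decode_flag` are chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_LEN 0x13 /* loop bound in printFlag(): 19 bytes incl. NUL */

/* Encoded bytes written to local_28[0..18] in the decompiled function. */
static const uint8_t ENCODED[FLAG_LEN] = {
    0x15, 0x70, 0xe5, 0x64, 0x7a, 0xd4, 0x6d, 0x75, 0xeb, 0xf4,
    0x6a, 0xd1, 0xfa, 0xd1, 0xf9, 0xe8, 0x9d, 0x7c, 0x41
};

/* Rotate an 8-bit value left by n bits (0 < n < 8). Ghidra renders these
 * as shift pairs, e.g. (b << 3 | b >> 5) or (b * ' ' | b >> 3). */
static uint8_t rotl8(uint8_t v, unsigned n)
{
    return (uint8_t)((v << n) | (v >> (8 - n)));
}

/* One loop iteration. C promotes bytes to int, so each stage is cast
 * back to uint8_t to match the byte-wide arithmetic in the binary. */
static uint8_t decode_byte(uint8_t enc, uint8_t i)
{
    /* ~-(x) is x - 1 in two's complement */
    uint8_t a = (uint8_t)(((~enc + i) ^ 0x48) - i - 1);
    uint8_t b = (uint8_t)((((uint8_t)(rotl8(a, 3) - i) ^ 0x5d) - 0x23) ^ i);
    uint8_t c = (uint8_t)(rotl8(b, 1) + 0xbf);
    return (uint8_t)(rotl8(c, 5) ^ 0x65);
}

/* Decode all bytes into out (at least FLAG_LEN bytes); returns out. */
static char *decode_flag(char *out)
{
    for (unsigned i = 0; i < FLAG_LEN; i++)
        out[i] = (char)decode_byte(ENCODED[i], (uint8_t)i);
    return out;
}

int main(void)
{
    char buf[FLAG_LEN];
    decode_flag(buf);
    printf("%s (%zu characters)\n", buf, strlen(buf));
    return 0;
}
```

The last encoded byte decodes to the NUL terminator, which is why `puts` can print the buffer directly.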

## Flag

`patchItFixIt`