NCS Competition 2021 Writeup
Search…
BM02 - 250pts
Briefing
Download the file and find a way to get the flag. Contents: program
Challenge Files:
Solution
- 1.Running the program simply outputs
I'm not going to make it that easy for you.. - 2.Decompiling the binary using Ghidra reveals a
printFlag()function that prints the flag if it is called with0x539as an argument.printFlagfunction:1void printFlag(int param_1)2​3{4byte bVar1;5byte bVar2;6long in_FS_OFFSET;7uint local_2c;8byte local_28 [24];9long local_10;10​11local_10 = *(long *)(in_FS_OFFSET + 0x28);12if (param_1 == 0x539) {13local_28[0] = 0x15;14local_28[1] = 0x70;15local_28[2] = 0xe5;16local_28[3] = 100;17local_28[4] = 0x7a;18local_28[5] = 0xd4;19local_28[6] = 0x6d;20local_28[7] = 0x75;21local_28[8] = 0xeb;22local_28[9] = 0xf4;23local_28[10] = 0x6a;24local_28[11] = 0xd1;25local_28[12] = 0xfa;26local_28[13] = 0xd1;27local_28[14] = 0xf9;28local_28[15] = 0xe8;29local_28[16] = 0x9d;30local_28[17] = 0x7c;31local_28[18] = 0x41;32local_2c = 0;33while (local_2c < 0x13) {34bVar2 = (byte)local_2c;35bVar1 = ~-((~local_28[local_2c] + bVar2 ^ 0x48) - bVar2);36bVar2 = ((bVar1 << 3 | bVar1 >> 5) - bVar2 ^ 0x5d) - 0x23 ^ bVar2;37bVar1 = (bVar2 * '\x02' | bVar2 >> 7) + 0xbf;38local_28[local_2c] = (bVar1 * ' ' | bVar1 >> 3) ^ 0x65;39local_2c = local_2c + 1;40}41puts((char *)local_28);42}43if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {44/* WARNING: Subroutine does not return */45__stack_chk_fail();46}47return;48}Copied! - 3.We run the program using GDB and do the following:
- 1.Breakpoint at
puts:b puts - 2.Run:
r - 3.Call
printFlagwith the correct argument:call (char *) printFlag(0x539) - 4.The flag is shown as
Flag: patchItFixIt.
Flag
patchItFixItLast modified 1yr ago