NCS Competition 2021 Writeup
  • HHousen National Cyber Scholarship Competition 2021 Writeup
  • Forensics
    • FE02 - 100pts
    • FE03 - 100pts
    • FH01 - 500pts
    • FE04 - 100pts
    • FM01 - 250pts
    • FM02 - 250pts
    • FM03 - 250pts
    • FE01 - 100pts
  • Crypto
    • CM01 - 250pts
    • CM02 - 250pts
    • CX01 - 1000pts
    • CH01 - 500pts
    • CH02 - 500pts
  • Binary
    • BM01 - 250pts
    • BM02 - 250pts
    • BM03 - 250pts
    • BX01 - 1000pts
    • BX02 - 100pts
    • BE01 - 100pts
    • BE02 - 100pts
    • BH01 - 500pts
  • Networking
    • NM01 - 250pts
    • NE01 - 100pts
  • Web
    • WX01 - 1000pts
    • WE01 - 100pts
    • WE02 - 100pts
    • WH01 - 500pts
    • WH02 - 500pts
    • WM01 - 250pts
    • WM02 - 250pts
    • WM03 - 250pts
    • WM04 - 250pts
    • WM05 - 250pts
  • Challenge Name
Powered by GitBook
On this page
  • Briefing
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Binary

BM02 - 250pts

PreviousBM01 - 250ptsNextBM03 - 250pts

Last updated 4 years ago

Was this helpful?

Briefing

Download the file and find a way to get the flag. Contents: program

Challenge Files:

Solution

  1. Running the program simply outputs I'm not going to make it that easy for you..

  2. Decompiling the binary using Ghidra reveals a printFlag() function that prints the flag if it is called with 0x539 as an argument.

    printFlag function:

     void printFlag(int param_1)

 {
     byte bVar1;
     byte bVar2;
     long in_FS_OFFSET;
     uint local_2c;
     byte local_28 [24];
     long local_10;

     local_10 = *(long *)(in_FS_OFFSET + 0x28);
     if (param_1 == 0x539) {
         local_28[0] = 0x15;
         local_28[1] = 0x70;
         local_28[2] = 0xe5;
         local_28[3] = 100;
         local_28[4] = 0x7a;
         local_28[5] = 0xd4;
         local_28[6] = 0x6d;
         local_28[7] = 0x75;
         local_28[8] = 0xeb;
         local_28[9] = 0xf4;
         local_28[10] = 0x6a;
         local_28[11] = 0xd1;
         local_28[12] = 0xfa;
         local_28[13] = 0xd1;
         local_28[14] = 0xf9;
         local_28[15] = 0xe8;
         local_28[16] = 0x9d;
         local_28[17] = 0x7c;
         local_28[18] = 0x41;
         local_2c = 0;
         while (local_2c < 0x13) {
         bVar2 = (byte)local_2c;
         bVar1 = ~-((~local_28[local_2c] + bVar2 ^ 0x48) - bVar2);
         bVar2 = ((bVar1 << 3 | bVar1 >> 5) - bVar2 ^ 0x5d) - 0x23 ^ bVar2;
         bVar1 = (bVar2 * '\x02' | bVar2 >> 7) + 0xbf;
         local_28[local_2c] = (bVar1 * ' ' | bVar1 >> 3) ^ 0x65;
         local_2c = local_2c + 1;
         }
         puts((char *)local_28);
     }
     if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                         /* WARNING: Subroutine does not return */
         __stack_chk_fail();
     }
     return;
 }

  3. We run the program using GDB and do the following:

    1. Breakpoint at puts: b puts

    2. Run: r

    3. Call printFlag with the correct argument: call (char *) printFlag(0x539)

    4. The flag is shown as Flag: patchItFixIt.

Flag

patchItFixIt

bm02.zip