NCS Competition 2021 Writeup
Search…
BM03 - 250pts
Briefing
Download the file and find a way to get the flag. Contents: flag
Challenge Files:
Solution
- 1.Decompiling the binary shows an
output()function and a line inoutput()that stops printing the flag if therowsargument is less than6.outputfunction:1void output(int rows,int cols)2​3{4long lVar1;5undefined8 *puVar2;6undefined8 *puVar3;7long in_FS_OFFSET;8int i;9int j;10int flag [6] [85];11char flagChars [11];12long local_10;13​14local_10 = *(long *)(in_FS_OFFSET + 0x28);15lVar1 = 0xff;16puVar2 = &DAT_00100a00;17puVar3 = (undefined8 *)flag;18while (lVar1 != 0) {19lVar1 = lVar1 + -1;20*puVar3 = *puVar2;21puVar2 = puVar2 + 1;22puVar3 = puVar3 + 1;23}24flagChars[0] = ' ';25flagChars[1] = '_';26flagChars[2] = '/';27flagChars[3] = '\\';28flagChars[4] = '(';29flagChars[5] = ')';30flagChars[6] = '`';31flagChars[7] = ',';32flagChars[8] = '|';33flagChars[9] = '.';34flagChars[10] = '\0';35i = 0;36while (i < rows) {37j = 0;38while (j < cols) {39putchar((int)flagChars[flag[(long)i * 0x55 + (long)j] / 100]);40j = j + 1;41}42putchar(10);43i = i + 1;44}45if (rows < 6) {46puts("\x1b[31m Error displaying rest of flag\x1b[0m");47}48if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {49/* WARNING: Subroutine does not return */50__stack_chk_fail();51}52return;53}Copied! - 2.Launch the program in GDB then do the following:
- 1.Breakpoint at
output:b output - 2.Call
outputbut will therowsargument set to6:call output(6,0x55) - 3.Continue past the breakpoint:
c - 4.The flag is printed:1__ __ _ ____ __2____/ /___ / /_ __ __ ____ _ ____ _ (_)____ ____ _ / __// /_ _ __3/ __ // _ \ / __ \ / / / // __ `// __ `// // __ \ / __ `/ / /_ / __/| | /| / /4/ /_/ // __// /_/ // /_/ // /_/ // /_/ // // / / // /_/ / / __// /_ | |/ |/ /5\__,_/ \___//_.___/ \__,_/ \__, / \__, //_//_/ /_/ \__, /______/_/ \__/ |__/|__/6/____/ /____/ /____//_____/Copied!
Flag
debugging_ftwLast modified 1yr ago