Hello! Over the weekend and a couple of the following days, I had a chance to participate in SquareCTF2019 with my co-workers. It was our first time teaming up to do a CTF together. Our team placed 28th out of 223 teams by solving 6 of the 10 challenges. We realized there are many things we still need to build up, but since it was our first one, I am very proud of our team, and everyone who participated did an awesome job!
I solved one of the binary challenges, Aesni (Challenge #2), and here I will show how I cracked it. Honestly, it wasn't a complicated one and was simple to solve; however, it took a while to figure out how to fit all the puzzle pieces together to get the flag.
So the challenge involves working on a binary. Clicking the link downloads it.
A quick look at the binary shows that it is a 32-bit (x86) executable. When I simply ran it, it exited after displaying this no-entry ⛔ emoji. Passing ten "A"s as an argument didn't seem to do anything either, but at least it tells us the program accepts an argument. I also tried passing over 5,000 "A"s to see if it would crash, but no luck. Time to open it in a debugger and look at the disassembly.
After loading the binary in gdb (I use gdb-peda, in case you wonder), I checked its protections and tried to set a breakpoint at main. Most protections are disabled except for NX (non-executable), which marks writable memory such as the stack as non-executable; note that this does not stop a buffer overflow itself, it only prevents shellcode injected by one from being executed directly. There was no main symbol to break on, though: the binary is stripped. So I used the "info file" command to find the entry point at 0x8048060, set a breakpoint there, and began the analysis.
When I read through a disassembly, I usually look for interesting instructions such as compares and conditional jumps. I reached the first cmp instruction, which compares EAX against 0x2. If the two values are equal, the following je jumps to the specified label (0x80482110); if not, execution keeps flowing straight through. Given that the program takes an argument and has no libc main, this looks like an argc check: run with no argument, EAX held 0x1 at that point.
This looks interesting, so I decided to chime in and set EAX at that point to 0x2 instead of 0x1 to see what happens. (I also recommend just running the program as-is the first time you go through it, but this is for my walkthrough, so I just went ahead and made the change :})
Then I continued, and the program crashed at the following location.
I did some research on what the repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi] instruction does. It is the classic string-compare loop: each iteration compares the byte at [esi] with the byte at [edi], advances both esi and edi, decrements ecx, and the repz prefix ("repeat while equal") keeps it going as long as ecx is non-zero and the last two bytes compared equal. So this is where the program checks our argument against something. Our modification made the program crash here, most likely because with no argument actually supplied the edi side pointed at an invalid address (argv[1] is NULL when argc is 1); but the other operand was a "secret" string sitting at the ESI location: "ThIs-iS-fInE".
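To make the two checks above concrete (the argc compare against 0x2 and the repz cmpsb compare against the secret), here is a small C model added for this write-up; it is not code from the challenge binary. The secret string, the assignment of ESI to the secret and EDI to the argument, the NUL-terminated layout, and the explanation of the crash (argc patched to 2 while argv[1] is still NULL) are all assumptions based on what the debugger showed, not facts recovered from the binary.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the secret seen at ESI in the write-up (assumption:
 * the real binary's data layout and NUL-termination are not known). */
static const char SECRET[] = "ThIs-iS-fInE";

/* Register state for a `repz cmpsb` loop. */
struct cmps_state {
    const unsigned char *esi;   /* source operand, here the secret */
    const unsigned char *edi;   /* destination operand, here argv[1] */
    size_t ecx;                 /* remaining byte count */
    int zf;                     /* zero flag after the last compare */
};

/* Software model of `repz cmpsb`.  Each iteration compares *esi with *edi,
 * advances BOTH pointers (direction flag clear), decrements ecx, and stops when
 * ecx reaches 0 or the bytes differ.  Because the decrement happens on the
 * mismatching iteration too, ecx afterwards is the number of bytes never
 * examined, not the index of the mismatch.  With ecx == 0 on entry no compare
 * runs and the flags are left untouched, as on real hardware. */
static void repz_cmpsb(struct cmps_state *st)
{
    while (st->ecx != 0) {
        st->zf = (*st->esi == *st->edi);
        st->esi++;
        st->edi++;
        st->ecx--;
        if (!st->zf)
            break;
    }
}

/* Mirror of the control flow in the write-up: first an argc == 2 check
 * (EAX compared with 0x2), then argv[1] compared against SECRET with the
 * repz cmpsb loop, terminating NUL included so that prefixes do not pass.
 * Returns 1 on the flag path, 0 on the no-entry path, and -1 where the real
 * binary would fault: argc forced to 2 in the debugger while argv[1] is still
 * NULL (assumed cause of the crash seen in gdb). */
static int check_secret(int argc, char **argv)
{
    if (argc != 2)
        return 0;
    if (argv[1] == NULL)
        return -1;  /* cmpsb would dereference NULL; ESI still points at SECRET */

    struct cmps_state st = {
        (const unsigned char *)SECRET,
        (const unsigned char *)argv[1],
        sizeof SECRET,  /* 12 bytes + NUL */
        1
    };
    repz_cmpsb(&st);
    return st.zf ? 1 : 0;
}

/* Build an argv the way the shell would and run the check. */
static int run_with(const char *arg)
{
    char *argv[] = { "aesni", (char *)arg, NULL };
    return check_secret(arg ? 2 : 1, argv);
}

/* Debugger scenario: no argument given, but EAX (argc) patched to 2. */
static int forced_argc_no_arg(void)
{
    char *argv[] = { "aesni", NULL };
    return check_secret(2, argv);
}

/* ecx left over once the compare stops.  A mismatch on the very last byte also
 * leaves 0, so this is not a pass/fail signal; check_secret uses zf for that. */
static size_t bytes_left_after_compare(const char *arg)
{
    struct cmps_state st = {
        (const unsigned char *)SECRET,
        (const unsigned char *)arg,
        sizeof SECRET,
        1
    };
    repz_cmpsb(&st);
    return st.ecx;
}

int main(int argc, char **argv)
{
    int r = check_secret(argc, argv);
    if (r == 1)
        puts("secret accepted: flag path");
    else if (r == 0)
        puts("no entry");
    else
        puts("would fault in repz cmpsb (argv[1] is NULL)");
    return r == 1 ? 0 : 1;
}
```

Run it with no argument, with a wrong argument, and with ThIs-iS-fInE to walk the three paths. The point the model makes is the one that leaked the secret in the debugger: the compare loop reads the secret and the argument side by side, byte by byte, so at the moment the instruction executes (or faults), ESI points straight at the expected string, whatever you passed in.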
Running the program with the secret sauce as the argument gives us the flag!
Honestly, I am 100% sure this wasn't the intended or elegant way to solve the puzzle. It was surely meant to be a find-the-right-key-to-decode-the-encoded-strings type of challenge that leads you to the secret sauce. But there isn't always one right way to solve a problem. :) Thanks for reading!