Get to reversing.
Opening the executable in Binary Ninja and going down to the bottom of main shows that we have two very obvious paths to take. One possible outcome is 0x402941, which prints out “Wrong”. The other option is at 0x4028e9, and it looks like it’s going to print out the flag for us later! Because the program obfuscates what the flag is by doing a ton of instructions in CheckSolution, symbolic execution seems to be the most logical choice for recovering the unknown input. I usually use angr for these types of problems.
Now, we definitely want to avoid 0x402941 (“Wrong”), but we actually don’t want to find 0x4028e9; we want to find any instruction after the printf statement at 0x402936. I chose to solve for 0x40294b (you could pick any address around there).
The solution is effectively about four lines of Python.
If you’re trying to run this script yourself, please use the code uploaded on the angr-doc GitHub repository.
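The find/avoid exploration described above, written out as an added example (this is not the writeup's script and not the one in the angr-doc repository). It uses the writeup's own addresses (0x40294b to find, 0x402941 to avoid); the binary path `./crackme` is a placeholder assumption, and `clean_stdin` is a small helper added here to turn angr's NUL-padded stdin dump into printable text.

```python
# Added example (not the writeup's or angr-doc's script): drive angr to an
# instruction past the printf and away from the "Wrong" branch, then read
# back the stdin bytes that satisfied CheckSolution.
import sys

# Addresses from the writeup; the binary path is a placeholder assumption.
BINARY = "./crackme"          # placeholder: path to the challenge executable
FIND = 0x40294b               # any instruction after the printf at 0x402936
AVOID = 0x402941              # the block that prints "Wrong"


def clean_stdin(raw: bytes) -> str:
    """Turn angr's concretised stdin into printable text.

    angr pads stdin with NUL bytes, and any byte the program never
    constrained can be whatever the solver picked, so keep only the
    leading run of printable ASCII and drop trailing NULs.
    """
    text = raw.rstrip(b"\x00")
    printable = bytearray()
    for b in text:
        if 0x20 <= b < 0x7F:
            printable.append(b)
        else:
            break
    return printable.decode("ascii")


def solve(binary: str = BINARY, find: int = FIND, avoid: int = AVOID) -> str:
    """Explore from the entry point until some state reaches `find` without
    passing through `avoid`, and return the stdin that got it there."""
    import angr  # imported here so clean_stdin is usable without angr installed

    proj = angr.Project(binary, auto_load_libs=False)
    state = proj.factory.entry_state()
    simgr = proj.factory.simulation_manager(state)
    # explore() steps all active states, pruning any that hit `avoid` and
    # stopping as soon as one lands on `find`.
    simgr.explore(find=find, avoid=avoid)

    if not simgr.found:
        raise RuntimeError("no path reached %#x while avoiding %#x" % (find, avoid))

    found = simgr.found[0]
    # dumps(0) concretises everything the program read from fd 0 (stdin).
    return clean_stdin(found.posix.dumps(0))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else BINARY
    print(solve(path))
```

Run it as `python solve.py ./crackme`. Because `find` is the instruction after the printf rather than 0x4028e9 itself, the state in `simgr.found` has already executed the code that prints the flag, so the concretised stdin is the input that drives CheckSolution down the good path.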