DEFCON CTF Qualifier 2016 // baby-re

Capture the Flag, DEFCON

Get to reversing.

Opening the executable in Binary Ninja and going down to the bottom of main shows that we have two very obvious paths to take at 0x4028e7.

[Screenshot: Binary Ninja view of the end of main, showing the branch at 0x4028e7]

One possible outcome is 0x402941, which prints out “Wrong”. The other option is 0x4028e9, and that path looks like it’s going to print out the flag for us later! Because the program obfuscates the flag check by running a ton of instructions in CheckSolution, symbolic execution seems to be the most logical way to solve for the unknown input. I usually use angr for these types of problems.

Now, we definitely want to avoid 0x402941 (“Wrong”), but we don’t actually need to find 0x4028e9 itself; any instruction after the printf at 0x402936 will do. I chose to solve for 0x40294b (you could pick any address around there).

The solution is effectively about four lines of Python.

[Screenshot: the angr solution script]

If you’re trying to run this script yourself, please use the code uploaded on the angr-doc GitHub repository.
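The script itself only survives as a screenshot above, so here is an added example (not the code from this post or from the angr-doc repository) of the find/avoid exploration described: it starts angr at the entry point, avoids the “Wrong” block at 0x402941, looks for 0x40294b past the flag printf, and dumps the stdin that got there. It assumes angr is installed, the challenge binary is at ./baby-re (both assumptions), and uses the current simulation_manager API rather than the path_group API angr had in 2016.

```python
"""Find/avoid exploration of baby-re with angr (added example, not the original script)."""
import sys

BINARY = "./baby-re"      # assumption: the challenge binary is in the current directory
FIND_ADDR = 0x40294b      # any instruction after the flag printf at 0x402936 will do
AVOID_ADDR = 0x402941     # the basic block that prints "Wrong"


def solve(binary=BINARY, find=FIND_ADDR, avoid=AVOID_ADDR):
    """Return the concrete stdin that drives execution to `find` while never
    touching `avoid`, or None if angr exhausts every path first."""
    import angr  # imported here so the module loads even where angr is absent

    # auto_load_libs=False keeps libc out of the analysis; angr's SimProcedures
    # stand in for scanf/printf, which is what makes the stdin symbolic.
    proj = angr.Project(binary, auto_load_libs=False)
    state = proj.factory.entry_state()
    simgr = proj.factory.simulation_manager(state)

    # Keep stepping every live path until one reaches `find`; paths that hit
    # `avoid` are pruned, so the solver never wastes time on the "Wrong" branch.
    simgr.explore(find=find, avoid=avoid)
    if not simgr.found:
        return None
    # posix.dumps(0) concretises the symbolic stdin under the path's constraints.
    return simgr.found[0].posix.dumps(0)


def clean_stdin(data):
    """Strip the NUL padding angr leaves on an over-allocated stdin buffer and
    decode what remains for display."""
    return data.rstrip(b"\x00").decode("ascii", errors="replace")


if __name__ == "__main__":
    result = solve()
    if result is None:
        sys.exit("no path reached the find address")
    print(clean_stdin(result))
```

Run it from the directory holding the binary. If the program read the flag in several chunks, the dumped stdin is the exact byte sequence to paste into the real binary, so verifying the answer is just `./baby-re < solution.txt`.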

2 Comments

  1. 1111 May 24, 2016 at 7:01 am

    Could you please fix the “angr-doc GitHub repository” link?

  2. David Manouchehri May 24, 2016 at 5:34 pm

    Done. It’s going to be merged into the official angr/angr-doc repository eventually, but the UCSB angr team has been busy; just linked it back to my personal repository for the moment.
