author | Malfurious <m@lfurio.us> | 2022-08-21 14:36:00 -0400 |
---|---|---|
committer | Malfurious <m@lfurio.us> | 2022-08-21 14:36:00 -0400 |
commit | 94efc98b3d75d5520189c2d105541cd09aa3cff7 (patch) | |
tree | c38042edc85560f9b807d9c58113eea40cda4adf /docs/writeups/angstromCTF_2022/baby3.txt | |
parent | 83a7e196cfcefee11e9bed6542b2dd5954b3d055 (diff) | |
parent | 8456a85a083c7cbc957e6a9176c0c7a608b63283 (diff) | |
Merge branch 'malf-angstrom-2022'
* malf-angstrom-2022:
Writeup angstromCTF 2022 / whatsmyname
Writeup angstromCTF 2022 / uninspired
Writeup angstromCTF 2022 / baby3
Writeup angstromCTF 2022 / Auth Skip
angstromCTF 2022 results
Diffstat (limited to 'docs/writeups/angstromCTF_2022/baby3.txt')
-rw-r--r-- | docs/writeups/angstromCTF_2022/baby3.txt | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/docs/writeups/angstromCTF_2022/baby3.txt b/docs/writeups/angstromCTF_2022/baby3.txt
new file mode 100644
index 0000000..2c1d3a7
--- /dev/null
+++ b/docs/writeups/angstromCTF_2022/baby3.txt
@@ -0,0 +1,43 @@
+This program doesn't do anything.
+
+Category: re (40 points)
+Chall author: preterite
+Writeup author: malfurious
+
+
+
+As described, this challenge offers an ELF binary that has no observable effect
+when run. However, disassembly of its main function shows the flag string
+being constructed in memory via several mov instructions. Of course, the flag
+is not read before returning.
+
+ 0x00001139 55 push rbp
+ 0x0000113a 4889e5 mov rbp, rsp
+ 0x0000113d 4883ec40 sub rsp, 0x40
+ 0x00001141 64488b042528. mov rax, qword fs:[0x28]
+ 0x0000114a 488945f8 mov qword [canary], rax
+ 0x0000114e 31c0 xor eax, eax
+ 0x00001150 48b861637466. movabs rax, 0x686d657b66746361 ; 'actf{emh'
+ 0x0000115a 48ba70616964. movabs rdx, 0x657a656d64696170 ; 'paidmeze'
+ 0x00001164 488945c0 mov qword [var_40h], rax
+ 0x00001168 488955c8 mov qword [var_38h], rdx
+ 0x0000116c 48b8726f646f. movabs rax, 0x72616c6c6f646f72 ; 'rodollar'
+ 0x00001176 48ba73746f6d. movabs rdx, 0x74656b616d6f7473 ; 'stomaket'
+ 0x00001180 488945d0 mov qword [var_30h], rax
+ 0x00001184 488955d8 mov qword [var_28h], rdx
+ 0x00001188 48b868697363. movabs rax, 0x6c6c616863736968 ; 'hischall'
+ 0x00001192 48ba656e6765. movabs rdx, 0x6f6d615f65676e65 ; 'enge_amo'
+ 0x0000119c 488945e0 mov qword [var_20h], rax
+ 0x000011a0 488955e8 mov qword [var_18h], rdx
+ 0x000011a4 c745f0677573. mov dword [var_10h], 0x7d737567 ; 'gus}'
+ 0x000011ab c645f400 mov byte [var_ch], 0
+ 0x000011af b800000000 mov eax, 0
+ 0x000011b4 488b55f8 mov rdx, qword [canary]
+ 0x000011b8 64482b142528. sub rdx, qword fs:[0x28]
+ ┌─< 0x000011c1 7405 je 0x11c8
+ │ 0x000011c3 e868feffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
+ │ ; CODE XREF from main @ 0x11c1
+ └─> 0x000011c8 c9 leave
+ 0x000011c9 c3 ret
+
+actf{emhpaidmezerodollarstomakethischallenge_amogus} |