diff options
| author | Malfurious <m@lfurio.us> | 2022-05-07 20:56:22 -0400 |
|---|---|---|
| committer | Malfurious <m@lfurio.us> | 2022-05-07 20:56:22 -0400 |
| commit | 69002ed19f3c239d9ed86da4e52ec5363279ddf0 (patch) | |
| tree | 84e62413591a91b59be3ace803abafce81291f17 /docs | |
| parent | e2f6f7d9ee2a5eb46030b90c3939985a56f3a5a6 (diff) | |
| download | lib-des-gnux-69002ed19f3c239d9ed86da4e52ec5363279ddf0.tar.gz lib-des-gnux-69002ed19f3c239d9ed86da4e52ec5363279ddf0.zip | |
Writeup angstromCTF 2022 / baby3
Signed-off-by: Malfurious <m@lfurio.us>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/writeups/angstromCTF_2022/baby3.txt | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/docs/writeups/angstromCTF_2022/baby3.txt b/docs/writeups/angstromCTF_2022/baby3.txt new file mode 100644 index 0000000..2c1d3a7 --- /dev/null +++ b/docs/writeups/angstromCTF_2022/baby3.txt @@ -0,0 +1,43 @@ +This program doesn't do anything. + +Category: re (40 points) +Chall author: preterite +Writeup author: malfurious + + + +As described, this challenge offers an ELF binary that has no observable effect +when run. However, disassembly of its main function shows the flag string +being constructed in memory via several mov instructions. Of course, the flag +is not read before returning. + + 0x00001139 55 push rbp + 0x0000113a 4889e5 mov rbp, rsp + 0x0000113d 4883ec40 sub rsp, 0x40 + 0x00001141 64488b042528. mov rax, qword fs:[0x28] + 0x0000114a 488945f8 mov qword [canary], rax + 0x0000114e 31c0 xor eax, eax + 0x00001150 48b861637466. movabs rax, 0x686d657b66746361 ; 'actf{emh' + 0x0000115a 48ba70616964. movabs rdx, 0x657a656d64696170 ; 'paidmeze' + 0x00001164 488945c0 mov qword [var_40h], rax + 0x00001168 488955c8 mov qword [var_38h], rdx + 0x0000116c 48b8726f646f. movabs rax, 0x72616c6c6f646f72 ; 'rodollar' + 0x00001176 48ba73746f6d. movabs rdx, 0x74656b616d6f7473 ; 'stomaket' + 0x00001180 488945d0 mov qword [var_30h], rax + 0x00001184 488955d8 mov qword [var_28h], rdx + 0x00001188 48b868697363. movabs rax, 0x6c6c616863736968 ; 'hischall' + 0x00001192 48ba656e6765. movabs rdx, 0x6f6d615f65676e65 ; 'enge_amo' + 0x0000119c 488945e0 mov qword [var_20h], rax + 0x000011a0 488955e8 mov qword [var_18h], rdx + 0x000011a4 c745f0677573. mov dword [var_10h], 0x7d737567 ; 'gus}' + 0x000011ab c645f400 mov byte [var_ch], 0 + 0x000011af b800000000 mov eax, 0 + 0x000011b4 488b55f8 mov rdx, qword [canary] + 0x000011b8 64482b142528. sub rdx, qword fs:[0x28] + ┌─< 0x000011c1 7405 je 0x11c8 + │ 0x000011c3 e868feffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void) + │ ; CODE XREF from main @ 0x11c1 + └─> 0x000011c8 c9 leave + 0x000011c9 c3 ret + +actf{emhpaidmezerodollarstomakethischallenge_amogus} |