1 files changed, 43 insertions, 0 deletions

diff --git a/docs/writeups/angstromCTF_2022/baby3.txt b/docs/writeups/angstromCTF_2022/baby3.txt
new file mode 100644
index 0000000..2c1d3a7
--- /dev/null
+++ b/docs/writeups/angstromCTF_2022/baby3.txt
@@ -0,0 +1,43 @@
+This program doesn't do anything.
+
+Category:       re (40 points)
+Chall author:   preterite
+Writeup author: malfurious
+
+
+
+As described, this challenge offers an ELF binary that has no observable effect
+when run.  However, disassembly of its main function shows the flag string
+being constructed in memory via several mov instructions.  Of course, the flag
+is not read before returning.
+
+     0x00001139      55             push rbp
+     0x0000113a      4889e5         mov rbp, rsp
+     0x0000113d      4883ec40       sub rsp, 0x40
+     0x00001141      64488b042528.  mov rax, qword fs:[0x28]
+     0x0000114a      488945f8       mov qword [canary], rax
+     0x0000114e      31c0           xor eax, eax
+     0x00001150      48b861637466.  movabs rax, 0x686d657b66746361 ; 'actf{emh'
+     0x0000115a      48ba70616964.  movabs rdx, 0x657a656d64696170 ; 'paidmeze'
+     0x00001164      488945c0       mov qword [var_40h], rax
+     0x00001168      488955c8       mov qword [var_38h], rdx
+     0x0000116c      48b8726f646f.  movabs rax, 0x72616c6c6f646f72 ; 'rodollar'
+     0x00001176      48ba73746f6d.  movabs rdx, 0x74656b616d6f7473 ; 'stomaket'
+     0x00001180      488945d0       mov qword [var_30h], rax
+     0x00001184      488955d8       mov qword [var_28h], rdx
+     0x00001188      48b868697363.  movabs rax, 0x6c6c616863736968 ; 'hischall'
+     0x00001192      48ba656e6765.  movabs rdx, 0x6f6d615f65676e65 ; 'enge_amo'
+     0x0000119c      488945e0       mov qword [var_20h], rax
+     0x000011a0      488955e8       mov qword [var_18h], rdx
+     0x000011a4      c745f0677573.  mov dword [var_10h], 0x7d737567 ; 'gus}'
+     0x000011ab      c645f400       mov byte [var_ch], 0
+     0x000011af      b800000000     mov eax, 0
+     0x000011b4      488b55f8       mov rdx, qword [canary]
+     0x000011b8      64482b142528.  sub rdx, qword fs:[0x28]
+ ┌─< 0x000011c1      7405           je 0x11c8
+ │   0x000011c3      e868feffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
+ │   ; CODE XREF from main @ 0x11c1
+ └─> 0x000011c8      c9             leave
+     0x000011c9      c3             ret
+
+actf{emhpaidmezerodollarstomakethischallenge_amogus}