1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
This program doesn't do anything.
Category: re (40 points)
Chall author: preterite
Writeup author: malfurious
As described, this challenge offers an ELF binary that has no observable effect
when run. However, disassembly of its main function shows the flag string
being constructed in memory via several mov instructions. Of course, the flag
is not read before returning.
0x00001139 55 push rbp
0x0000113a 4889e5 mov rbp, rsp
0x0000113d 4883ec40 sub rsp, 0x40
0x00001141 64488b042528. mov rax, qword fs:[0x28]
0x0000114a 488945f8 mov qword [canary], rax
0x0000114e 31c0 xor eax, eax
0x00001150 48b861637466. movabs rax, 0x686d657b66746361 ; 'actf{emh'
0x0000115a 48ba70616964. movabs rdx, 0x657a656d64696170 ; 'paidmeze'
0x00001164 488945c0 mov qword [var_40h], rax
0x00001168 488955c8 mov qword [var_38h], rdx
0x0000116c 48b8726f646f. movabs rax, 0x72616c6c6f646f72 ; 'rodollar'
0x00001176 48ba73746f6d. movabs rdx, 0x74656b616d6f7473 ; 'stomaket'
0x00001180 488945d0 mov qword [var_30h], rax
0x00001184 488955d8 mov qword [var_28h], rdx
0x00001188 48b868697363. movabs rax, 0x6c6c616863736968 ; 'hischall'
0x00001192 48ba656e6765. movabs rdx, 0x6f6d615f65676e65 ; 'enge_amo'
0x0000119c 488945e0 mov qword [var_20h], rax
0x000011a0 488955e8 mov qword [var_18h], rdx
0x000011a4 c745f0677573. mov dword [var_10h], 0x7d737567 ; 'gus}'
0x000011ab c645f400 mov byte [var_ch], 0
0x000011af b800000000 mov eax, 0
0x000011b4 488b55f8 mov rdx, qword [canary]
0x000011b8 64482b142528. sub rdx, qword fs:[0x28]
┌─< 0x000011c1 7405 je 0x11c8
│ 0x000011c3 e868feffff call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│ ; CODE XREF from main @ 0x11c1
└─> 0x000011c8 c9 leave
0x000011c9 c3 ret
actf{emhpaidmezerodollarstomakethischallenge_amogus}
|
