Can’t seem to print out the flag :( Can you figure how to get the flag with this binary?
An innocent looking binary is given that asks for a string:
./test.out
Enter the String: rptuainadui
that isn't correct, im sorry!
This is part of the rev category (which I think is for reverse engineering). You could bruteforce this yes, but I found it easier to put this into a decompiler like the ones on DogBolt (Decompiler Explorer) to see what it’s doing.
Decompiled main function (via angr):
int main()
{
char v0; // [bp-0x448]
unsigned int v1; // [bp-0x41c]
char v2; // [bp-0x418]
char v3; // [bp-0x408]
unsigned long long v4; // [bp-0x18]
unsigned int v5; // [bp-0x10]
unsigned int v6; // [bp-0xc]
unsigned long long v8; // rax
printf("Enter the String: ");
__isoc99_scanf("%s", (unsigned int)&v3);
for (v6 = 0; (&v3)[v6]; v6 += 1);
if (v6 == 12)
{
puts("that's correct!");
v4 = EVP_MD_CTX_new();
(unsigned int)v8 = EVP_md5();
EVP_DigestInit_ex(v4, v8, 0x0, v8);
EVP_DigestUpdate(v4, "12", 0x2, "12");
v1 = 16;
EVP_DigestFinal_ex(v4, &v2, &v1, &v2);
EVP_MD_CTX_free(v4);
for (v5 = 0; v5 <= 15; v5 += 1)
{
sprintf(&(&v0)[2 * v5], "%02x", (&v2)[v5]);
}
printf("csawctf{%s}\n", (unsigned int)&v0);
return 0;
}
printf("that isn't correct, im sorry!");
return 0;
}
This along with the rest of the decompiled binary can’t be simply compiled again as-is because there are a few issues, like the OpenSSL functions being called having an extra argument added to the end.
When looking at the functions being called, it seems that the flag is just an md5 of the number 12. The program also seems to give the flag itself if you give it the character with the ASCII value of 12 (form feed).
The line that that has the data being checksummed is this:
EVP_DigestUpdate(v4, "12", 0x2, "12");
I did try piping the form feed character via printf to the binary, but it did not like that, so it seems that the only way to get the flag is through another way.
While you could just create a very simplified version of the decompiled source with OpenSSL’s crypto library (which is what I did originally), it’s much easier to just pass the number 12 to a pre-installed md5 command (md5 on OpenBSD, md5sum on Linux).
$ echo -n 12 | md5
c20ad4d76fe97759aa27a0c99bff6710
This CTF’s flags were in the format of csawctf{somethinghere}, as also seen in the decompiled source, so the actual flag was this:
csawctf{c20ad4d76fe97759aa27a0c99bff6710}
This was my first time doing any decompilation of a program, and I think this was a good start to learn reverse engineering.