picoCTF - Reverse Engineering - Bbbbloat


Reverse Engineering - Bbbbloat - writeup

description

Can you get the flag?

Reverse engineer this binary.

writeup

After loading the binary into Ghidra and browsing the decompiled code I noticed this function:

undefined8 FUN_00101307(void)
{
  char *__s;
  long in_FS_OFFSET;
  int local_48;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  long local_10;

  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0x4c75257240343a41;
  local_30 = 0x3062396630664634;
  local_28 = 0x33343066635f3d33;
  local_20 = 0x4e5f3463665f34;
  printf("What\'s my favorite number? ");
  __isoc99_scanf();
  if (local_48 == 0x86187) {
    __s = (char *)FUN_00101249(0,&local_38);
    fputs(__s,stdout);
    putchar(10);
    free(__s);
  }
  else {
    puts("Sorry, that\'s not it!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

The interesting lines here are these:

if (local_48 == 0x86187) {
    __s = (char *)FUN_00101249(0,&local_38);
    fputs(__s,stdout);
    putchar(10);
    free(__s);
}
else {
    puts("Sorry, that\'s not it!");
}

Here the program compares the user input with a hard-coded number.

'local_48' is the user input.

'0x86187' is a hexadecimal number.

If we convert 0x86187 from hex to decimal we get 549255.

If I now try to supply 549255 as the input I get the following:

What's my favorite number? 549255
picoCTF{cu7_7h3_bl047_cbc074c0}

That was the correct number.

The flag is:

picoCTF{cu7_7h3_bl047_cbc074c0}
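
The flag can also be recovered without running the binary, which shows why a secret stored in an executable behind a constant comparison is not protected from static analysis. The following is an added example, not part of the original writeup: it rebuilds the buffer at local_38 from the four constants in the decompiled function and decodes it. FUN_00101249 is not shown on this page, so ROT47 is an assumption here; it holds because the output equals the flag printed above.

```python
import struct

# Constants copied from the decompiled FUN_00101307 above, in stack order
# (local_38 is at the lowest address, so it comes first in memory).
STACK_QWORDS = [
    0x4c75257240343a41,  # local_38
    0x3062396630664634,  # local_30
    0x33343066635f3d33,  # local_28
    0x004e5f3463665f34,  # local_20 (top byte is 0, the string terminator)
]
MAGIC = 0x86187  # value compared against local_48


def stack_bytes(qwords=STACK_QWORDS):
    """Lay the 64-bit constants out as x86-64 stores them: little-endian."""
    raw = struct.pack("<%dQ" % len(qwords), *qwords)
    return raw.split(b"\x00", 1)[0]  # a C string ends at the first NUL


def rot47(data):
    """Rotate each printable ASCII byte (0x21..0x7e) by 47 positions.

    Assumption: this is the net effect of FUN_00101249, which the
    writeup does not show.
    """
    out = bytearray()
    for b in data:
        if 0x21 <= b <= 0x7E:
            b = 0x21 + (b - 0x21 + 47) % 94
        out.append(b)
    return bytes(out)


def recover_flag():
    """Decode the embedded buffer without executing the binary."""
    return rot47(stack_bytes()).decode("ascii")


if __name__ == "__main__":
    print("stored bytes :", stack_bytes().decode("ascii"))
    print("magic number :", MAGIC)
    print("decoded      :", recover_flag())
```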