Intro
Hi, after some time, I am writing a small writeup again. Today it's about the CTF "Compiled". This CTF challenge can be found on the TryHackMe platform. You have to reverse engineer a binary to find the correct password.
OK, let's go! First we have this binary, Compiled.Compiled. The first thing we can do is run the strings command to extract all strings from that binary.
Well, we see some interesting strings which could be the password.
To understand how the binary works, we can use Ghidra to disassemble it.
The disassembled main function of that binary looks pretty simple. We see that the password will be stored in the char array local_28. Line 9 sounds interesting because the string DoYouEven%sCTF gets stored into this array local_28. We see that after the substring DoYouEven comes the operator %s, followed by CTF. This operator requires arbitrary char sequences, which will be placed between the first part and the last part of the password. Therefore, we can create the following rules for that password:
- The password starts with DoYouEven
- The password contains an arbitrary char sequence
- The password ends with CTF
- The password has a max. length of 32 characters
If we look closer at the disassembled main function, we see two strings which are used as parameters for the function strcmp. I copied the disassembled main function and created my password.c file below to test which of the two completes the password.
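#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcmp */

int main(void)
{
    int n;
    char password[32];

    fwrite("Password: ", 1, 10, stdout);
    /* Ghidra shows __isoc99_scanf; in source this is a plain scanf call.
       %s is unbounded here, exactly as in the decompiled code. */
    scanf("DoYouEven%sCTF", password);
    /* Debug output: show what was actually stored in the buffer. */
    printf("Password is: %s", password);

    /* First comparison: the condition is true only when strcmp returns 0. */
    n = strcmp(password, "__dso_handle");
    if ((-1 < n) && (n = strcmp(password, "__dso_handle"), n < 1)) {
        printf("Try again! 1");
        return 0;
    }

    /* Second comparison decides between success and failure. */
    n = strcmp(password, "_init");
    if (n == 0) {
        printf("Correct!");
    }
    else {
        printf("Try again! 2");
    }
    return 0;
}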
The next thing we can do is print the stored password after input, and number the error messages.
Then we have to compile this code to a binary and test the strings __dso_handle and _init.
Voilà, we have our password DoYouEven_init.
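What the format string stores in the buffer for different inputs can also be checked without typing each candidate by hand. The following is an added example, not code from the challenge binary or from the password.c above: it uses sscanf on constructed inputs with a bounded %31s, and check_input and its result codes are names made up here.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for check_input() (names are this example's own). */
enum { NO_MATCH = -1, TRY_AGAIN = 0, CORRECT = 1 };

/*
 * Parse one input line with the page's format string and copy what %s
 * captured into `captured`. sscanf stands in for scanf so the inputs can
 * be embedded; %31s bounds the write to the 32-byte buffer.
 */
static int check_input(const char *line, char captured[32])
{
    captured[0] = '\0';
    /* "DoYouEven" must match literally; %s then reads up to whitespace. */
    if (sscanf(line, "DoYouEven%31sCTF", captured) != 1)
        return NO_MATCH;
    /* Same comparisons as the decompiled main(). */
    if (strcmp(captured, "__dso_handle") == 0)
        return TRY_AGAIN;
    return strcmp(captured, "_init") == 0 ? CORRECT : TRY_AGAIN;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "DoYouEven_init", "DoYouEven__dso_handle",
        "DoYouEven_initCTF", "_init",
    };
    char buf[32];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = check_input(samples[i], buf);
        printf("%-24s captured=\"%s\" result=%d\n", samples[i], buf, r);
    }
    return 0;
}
```

The captured column shows the exact string that reaches strcmp, which is the value to compare against the candidates found with strings.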
Well it was a very quick challenge but I hope you enjoyed this writeup 😄