Over the weekend, I took part in BDSEC CTF 2023, a CTF event designed for beginners. It was a fun and approachable competition where I managed to solve various challenges.
{ undefined local_54 [64]; code *local_14; undefined *puStack16; puStack16 = &stack0x00000004; local_14 = (code *)0x0; printDogArt(); fflush(stdout); puts("who let the dogs out:"); fflush(stdout); __isoc99_scanf(&DAT_08048a94,local_54); if (local_14 == (code *)0x0) { puts("I tell the fellas start the name calling!"); } else { printf("Well, the party was nice, the party was @ %p\n",local_14); fflush(stdout); (*local_14)(); } /* WARNING: Subroutine does not return */ exit(0); }
hmm same as prev but this instead of any particular value we have to call the callme function
{ long in_FS_OFFSET; long expected; long input; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); expected = 0; puts(" _ _ _ _ _ "); puts("| | | | | \\ | | | | "); puts("| | _ _ ___| | ___ _ | \\| |_ _ _ __ ___ | |__ ___ _ __ "); puts("| | | | | |/ __| |/ / | | | | . ` | | | | \'_ ` _ \\| \'_ \\ / _ \\ \'__| "); puts("| |___| |_| | (__| <| |_| | | |\\ | |_| | | | | | | |_) | __/ | "); puts("\\_____/\\__,_|\\___|_|\\_\\__, | \\_| \\_/\\__,_|_| |_| |_|_.__/ \\___|_| "); puts(" __/ | "); puts(" |___/ "); puts(" "); printf("Enter a number to check if its a lucky number: "); __isoc99_scanf(&DAT_00102280,&input); input = doSomething(input); luckyNumberGen(&expected); if (expected == input) { puts("Wow ! You guessed the lucky number."); puts("Now submit the lucky number to get your points"); } else { puts("Damn ! You are unlucky like me :( "); } if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return0; }
user input is being stored in input variable
doSomething function being called with input as arg
1 2 3 4 5 6 7 8 9 10 11 12
longdoSomething(ulong param_1)
{ ulong i; long local_10; local_10 = 0; for (i = param_1; i != 0; i = i / 10) { local_10 = local_10 * 10 + i % 10; } return local_10; }
the purpose of this function is to reverse the digits of the input unsigned long integer param_1 and return the result as a long integer. For example, if the input is 123, the function will return 321.
then luckyNumberGen function with expected variable as a arg, lets see
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
voidluckyNumberGen(long *param_1)
{ long lVar1; long local_28; long local_20; ulong i; local_28 = 0; local_20 = 1; *param_1 = 0; for (i = 0; i < 50; i = i + 1) { *param_1 = *param_1 + local_28; lVar1 = local_20 + local_28; local_28 = local_20; local_20 = lVar1; } return; }
the purpose of this code is to generate the first 50 numbers of the Fibonacci sequence and store the sum of these numbers in the memory location pointed to by param_1.
okay, lets see the output of this function
hmm got it, now we know our input have to go through doSomething function that reverse the user input.
we can also see this in run time while debugging
it means we have to enter this number in reverse order
we don’t see any function that we should start reversing in main function as i ignored banner one thinking it should be used only for printing banner arts
but as we can see it being called with some local variable argument that holds some hex value, if we see banner function
initially parameter’s value being passed to local variables thinking that these all should be pieces of flag i run the debugger and start looking for any interesting string and indeed i got the flag