Reykjavik

Rafid Ghani Mahadri
4 min read · Mar 22, 2023


CTFlearn Reverse Engineering Writeup

https://ctflearn.com/challenge/990

Today I’ll share my writeup of a CTFlearn reverse engineering challenge.

This challenge can be solved with many techniques and tools, but in this tutorial I only use GDB (the GNU Debugger) to solve it.

STEPS

1. Download and extract the file

┌──(root💀tempur)-[/home/kecoakterbang/reyjkavic]
└─# unzip Reykjavik.zip
Archive: Reykjavik.zip
inflating: readme
inflating: Reykjavik
extracting: sources.zip.enc
2. Analyze the files

┌──(root💀tempur)-[/home/kecoakterbang/reyjkavic]
└─# file *
readme: ASCII text
Reykjavik: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9bc04368dbcefb4491573ac8feea3a32e31ed59f, for GNU/Linux 3.2.0, not stripped
Reykjavik.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
sources.zip.enc: openssl enc'd data with salted password

We can conclude that Reykjavik is the binary, readme is the reference for solving this challenge, and we can ignore sources.zip.enc because extracting it requires a password.

3. Run the binary

┌──(root💀tempur)-[/home/kecoakterbang/reyjkavic]
└─# ./Reykjavik
Usage: Reykjavik CTFlearn{flag}

#to run the binary we should use the flag format
#try again with that format

┌──(root💀tempur)-[/home/kecoakterbang/reyjkavic]
└─# ./Reykjavik CTFlearn{flag} 1 ⨯
Welcome to the CTFlearn Reversing Challenge Reykjavik v2: CTFlearn{flag}
Compile Options: ${CMAKE_CXX_FLAGS} -O0 -fno-stack-protector -mno-sse

Sorry Dude, 'CTFlearn{flag}' is not the flag :-(

4. Run gdb

┌──(root💀tempur)-[/home/kecoakterbang/reyjkavic]
└─# gdb Reykjavik 4 ⨯
GNU gdb (Debian 12.1-4) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from Reykjavik...
(No debugging symbols found in Reykjavik)

gdb-peda$ r CTFlearn{
gdb-peda$ set disassembly-flavor intel
gdb-peda$ disas main
Dump of assembler code for function main:
0x00005555555550a0 <+0>: endbr64
0x00005555555550a4 <+4>: push r13
0x00005555555550a6 <+6>: push r12
0x00005555555550a8 <+8>: push rbp
0x00005555555550a9 <+9>: sub rsp,0x20
0x00005555555550ad <+13>: cmp edi,0x1
0x00005555555550b0 <+16>: je 0x5555555551b5 <main+277>
0x00005555555550b6 <+22>: mov rbp,QWORD PTR [rsi+0x8]
0x00005555555550ba <+26>: mov edi,0x1
0x00005555555550bf <+31>: xor eax,eax
0x00005555555550c1 <+33>: lea rsi,[rip+0xf60] # 0x555555556028
0x00005555555550c8 <+40>: mov rdx,rbp
0x00005555555550cb <+43>: call 0x555555555090 <__printf_chk@plt>
0x00005555555550d0 <+48>: lea rdi,[rip+0xf91] # 0x555555556068
0x00005555555550d7 <+55>: call 0x555555555070 <puts@plt>
0x00005555555550dc <+60>: lea rdx,[rip+0xfcd] # 0x5555555560b0
0x00005555555550e3 <+67>: mov ecx,0x20
0x00005555555550e8 <+72>: mov rsi,rbp
0x00005555555550eb <+75>: mov rdi,rdx
0x00005555555550ee <+78>: repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]
0x00005555555550f0 <+80>: seta al
0x00005555555550f3 <+83>: sbb al,0x0
0x00005555555550f5 <+85>: test al,al
0x00005555555550f7 <+87>: je 0x5555555551c9 <main+297>
0x00005555555550fd <+93>: mov rdx,QWORD PTR [rip+0x2f0c] # 0x555555558010 <data>
0x0000555555555104 <+100>: mov r13,rsp
0x0000555555555107 <+103>: mov rsi,rbp
0x000055555555510a <+106>: mov BYTE PTR [rsp+0x1b],0x0
0x000055555555510f <+111>: movabs rax,0xabababababababab
0x0000555555555119 <+121>: mov rdi,r13
0x000055555555511c <+124>: xor rdx,rax
0x000055555555511f <+127>: mov QWORD PTR [rsp],rdx
0x0000555555555123 <+131>: mov rdx,QWORD PTR [rip+0x2eee] # 0x555555558018 <data+8>
0x000055555555512a <+138>: xor rdx,rax
0x000055555555512d <+141>: xor rax,QWORD PTR [rip+0x2eec] # 0x555555558020 <data+16>
0x0000555555555134 <+148>: mov QWORD PTR [rsp+0x10],rax
0x0000555555555139 <+153>: movzx eax,BYTE PTR [rip+0x2ee8] # 0x555555558028 <data+24>
0x0000555555555140 <+160>: mov QWORD PTR [rsp+0x8],rdx
0x0000555555555145 <+165>: xor eax,0xffffffab
0x0000555555555148 <+168>: mov BYTE PTR [rsp+0x18],al
0x000055555555514c <+172>: movzx eax,BYTE PTR [rip+0x2ed6] # 0x555555558029 <data+25>
0x0000555555555153 <+179>: xor eax,0xffffffab
0x0000555555555156 <+182>: mov BYTE PTR [rsp+0x19],al
0x000055555555515a <+186>: movzx eax,BYTE PTR [rip+0x2ec9] # 0x55555555802a <data+26>
0x0000555555555161 <+193>: xor eax,0xffffffab
0x0000555555555164 <+196>: mov BYTE PTR [rsp+0x1a],al
0x0000555555555168 <+200>: call 0x555555555080 <strcmp@plt>
0x000055555555516d <+205>: mov r12d,eax
0x0000555555555170 <+208>: test eax,eax
0x0000555555555172 <+210>: jne 0x555555555197 <main+247>
0x0000555555555174 <+212>: mov rdx,r13
0x0000555555555177 <+215>: lea rsi,[rip+0xf7a] # 0x5555555560f8
0x000055555555517e <+222>: mov edi,0x1
0x0000555555555183 <+227>: xor eax,eax
0x0000555555555185 <+229>: call 0x555555555090 <__printf_chk@plt>
0x000055555555518a <+234>: add rsp,0x20
0x000055555555518e <+238>: mov eax,r12d
0x0000555555555191 <+241>: pop rbp
0x0000555555555192 <+242>: pop r12
0x0000555555555194 <+244>: pop r13
0x0000555555555196 <+246>: ret
0x0000555555555197 <+247>: mov rdx,rbp
0x000055555555519a <+250>: mov edi,0x1
0x000055555555519f <+255>: xor eax,eax
0x00005555555551a1 <+257>: mov r12d,0x4
0x00005555555551a7 <+263>: lea rsi,[rip+0xf7a] # 0x555555556128
0x00005555555551ae <+270>: call 0x555555555090 <__printf_chk@plt>
0x00005555555551b3 <+275>: jmp 0x55555555518a <main+234>
0x00005555555551b5 <+277>: lea rdi,[rip+0xe4c] # 0x555555556008
0x00005555555551bc <+284>: mov r12d,0x1
0x00005555555551c2 <+290>: call 0x555555555070 <puts@plt>
0x00005555555551c7 <+295>: jmp 0x55555555518a <main+234>
0x00005555555551c9 <+297>: lea rsi,[rip+0xf00] # 0x5555555560d0
0x00005555555551d0 <+304>: mov edi,0x1
0x00005555555551d5 <+309>: mov r12d,0x2
0x00005555555551db <+315>: call 0x555555555090 <__printf_chk@plt>
0x00005555555551e0 <+320>: jmp 0x55555555518a <main+234>
End of assembler dump.
gdb-peda$ b*0x0000555555555168
Breakpoint 1 at 0x555555555168
#why break at 0x555555555168? because strcmp is called there, which lets us reveal the flag
#reference about strcmp = https://www.programiz.com/c-programming/library-function/string.h/strcmp

gdb-peda$ r
Starting program: /home/kecoakterbang/reyjkavic/Reykjavik CTFlearn{
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to the CTFlearn Reversing Challenge Reykjavik v2: CTFlearn{
Compile Options: ${CMAKE_CXX_FLAGS} -O0 -fno-stack-protector -mno-sse

[----------------------------------registers-----------------------------------]
RAX: 0xffffff7d
RBX: 0x7fffffffe2d8 --> 0x7fffffffe58d ("/home/kecoakterbang/reyjkavic/Reykjavik")
RCX: 0x16
RDX: 0x76304c5f6579457b ('{Eye_L0v')
RSI: 0x7fffffffe5b5 ("CTFlearn{")
RDI: 0x7fffffffe190 ("CTFlearn{Eye_L0ve_Iceland_}")
RBP: 0x7fffffffe5b5 ("CTFlearn{")
RSP: 0x7fffffffe190 ("CTFlearn{Eye_L0ve_Iceland_}")
RIP: 0x555555555168 (<main+200>: call 0x555555555080 <strcmp@plt>)
R8 : 0x5555555592a6 ("e Options: ${CMAKE_CXX_FLAGS} -O0 -fno-stack-protector -mno-sse\n")
R9 : 0x7ffff7f315c0 (<__memcpy_ssse3+320>: movaps xmm1,XMMWORD PTR [rsi+0x10])
R10: 0x0
R11: 0x202
R12: 0x0
R13: 0x7fffffffe190 ("CTFlearn{Eye_L0ve_Iceland_}")
R14: 0x0
R15: 0x7ffff7ffd020 --> 0x7ffff7ffe2e0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x55555555515a <main+186>: movzx eax,BYTE PTR [rip+0x2ec9] # 0x55555555802a <data+26>
0x555555555161 <main+193>: xor eax,0xffffffab
0x555555555164 <main+196>: mov BYTE PTR [rsp+0x1a],al
=> 0x555555555168 <main+200>: call 0x555555555080 <strcmp@plt>
0x55555555516d <main+205>: mov r12d,eax
0x555555555170 <main+208>: test eax,eax
0x555555555172 <main+210>: jne 0x555555555197 <main+247>
0x555555555174 <main+212>: mov rdx,r13
No argument
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe190 ("CTFlearn{Eye_L0ve_Iceland_}")
0008| 0x7fffffffe198 ("{Eye_L0ve_Iceland_}")
0016| 0x7fffffffe1a0 ("e_Iceland_}")
0024| 0x7fffffffe1a8 --> 0x7d5f64 ('d_}')
0032| 0x7fffffffe1b0 --> 0x2
0040| 0x7fffffffe1b8 --> 0x0
0048| 0x7fffffffe1c0 --> 0x7fffffffe2f0 --> 0x7fffffffe5bf ("COLORTERM=truecolor")
0056| 0x7fffffffe1c8 --> 0x7ffff7dea18a (<__libc_start_call_main+122>: mov edi,eax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0000555555555168 in main ()

5. Copy and submit the flag: CTFlearn{Eye_L0ve_Iceland_}
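The disassembly in step 4 also shows how the binary builds the expected flag before the strcmp: it loads 27 bytes from the `data` symbol, XORs them with 0xab (three 8-byte XORs with 0xabababababababab, then three single-byte XORs), and NUL-terminates the result at rsp+0x1b. The following Python script, added here as an illustration and not part of the original writeup or the challenge, reproduces that unmasking so the flag can be recovered statically without a breakpoint; the read_data_symbol helper assumes pyelftools is installed, and the masked bytes in SAMPLE_DATA are constructed from the recovered flag because the binary's own data bytes are not reproduced on the page.

```python
# Added example (not from the writeup): reproduce the flag-decoding logic
# that the disassembly of main shows, so the flag can be recovered
# statically instead of breaking on strcmp.
#
# main reads 27 bytes from the `data` symbol, XORs each with 0xab
# (three qword XORs with 0xabababababababab plus three byte XORs), stores
# the result at rsp..rsp+0x1a, writes a NUL at rsp+0x1b, then strcmp()s it
# against argv[1].

XOR_KEY = 0xAB
FLAG_LEN = 0x1B          # bytes decoded before the NUL at [rsp+0x1b]


def decode_flag(blob: bytes) -> str:
    """Apply the XOR-0xab unmasking exactly as main does on the first 27 bytes."""
    if len(blob) < FLAG_LEN:
        raise ValueError(f"need at least {FLAG_LEN} bytes, got {len(blob)}")
    buf = bytearray(FLAG_LEN + 1)                 # [rsp .. rsp+0x1b]
    # Three 8-byte XORs: data+0, data+8, data+16 -> [rsp], [rsp+8], [rsp+0x10]
    for off in (0x00, 0x08, 0x10):
        q = int.from_bytes(blob[off:off + 8], "little") ^ 0xABABABABABABABAB
        buf[off:off + 8] = q.to_bytes(8, "little")
    # Three single-byte XORs: data+24..26 -> [rsp+0x18..0x1a]
    for off in (0x18, 0x19, 0x1A):
        buf[off] = blob[off] ^ XOR_KEY
    buf[FLAG_LEN] = 0                             # mov BYTE PTR [rsp+0x1b], 0
    return bytes(buf).split(b"\0", 1)[0].decode("ascii")


def read_data_symbol(path: str, name: str = "data") -> bytes:
    """Pull the bytes of a .data symbol out of the ELF (pyelftools assumed installed)."""
    from elftools.elf.elffile import ELFFile      # lazy import: only needed for a real binary
    with open(path, "rb") as f:
        elf = ELFFile(f)
        sym = elf.get_section_by_name(".symtab").get_symbol_by_name(name)[0]
        sec = elf.get_section(sym["st_shndx"])     # binary is not stripped, so this resolves
        start = sym["st_value"] - sec["sh_addr"]
        size = sym["st_size"] or FLAG_LEN          # fall back if the symbol has no size
        return sec.data()[start:start + size]


# Constructed sample: the masked bytes are not on the page, so they are rebuilt
# here from the flag the writeup recovers (XOR with 0xab is its own inverse).
SAMPLE_DATA = bytes(b ^ XOR_KEY for b in b"CTFlearn{Eye_L0ve_Iceland_}")

if __name__ == "__main__":
    # For the real challenge binary: print(decode_flag(read_data_symbol("./Reykjavik")))
    print(decode_flag(SAMPLE_DATA))
```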
