Long time no see! It has been a while since the last time I posted basically anything in my blog, lol. For the last 3 months or so, I have been extremely busy with life in general, and it may sound like an excuse, but as a result, I didn't come up with time to take on any of the challenges. However, for the first time in a while, life finally allowed me some free time to enjoy spending some time doing what I love to do, and here I am, back with another walkthrough of one of the challenges in picoCTF. Unlike the last time I completed the challenge MATRIX, they no longer award a user with points for completing a challenge, and instead, opted to go with marking each challenge with their level of difficulty. The challenge I completed this time is called "Breadth", and I was surprised by how simple this challenge was, even though it was marked as Hard. Just with any other RE challenges, this involves decompiling binaries using Ghidra, comparing and going through the code to ultimately find the flag that we need for the completion of the challenge. Without further ado, let's go pwn this challenge!
1. Examining the Binaries
Unlike the previous challenges we have completed so far, this challenge has two binaries that a user is tasked with analyzing. Let's decompile these two binaries using Ghidra.
One of the first steps I always take when it comes to RE is to go through a list of function calls at face value, as in, trying to see if there are any interesting functions, including the function "main."
As you can see, there are a lot of randomly named functions without giving any clue to their functionalities? Randomly clicking one of those functions and checking out its content show that there is only one line, which is "return"; however, in the viewer that shows both hexadecimal values and their translations in Assembly language, we are able to see some interesting strings.
It basically loads the address of the string starting with picoCTF{TjVxTcVux2adLBDDDFJ6FMs to the register EDI, which is going to be used as the first argument for the function "puts." Every flag needed to complete a challenge in picoCTF starts with picoCTF{ followed by a series of random characters and a closed curly bracket. It's not just this function that that has a potential flag; basically, there are tens of thousands of the randomly named functions that have a string starting with picoCTF. This led to believe that what we are trying to do is to sort of comparing and ascertaining the differences between these two binaries, in order to ultimately find the function that was changed between two versions. So, let's try to compare them and find out what has been changed!
Before moving on, I had to check out the function main, to cover all the bases to make sure that I didn't miss out on anything that might give a clue to solving this challenge. Upon inspection, I realized that there was basically nothing interesting inside the main function, besides calling itself "Dead code".
2. Comparing the Binaries
To compare the binaries, I decided to opt for the program called radiff2, which is part of the CLI-based RE tool, radare2. I later found out that Ghidra has a function for comparing two binaries, but at the time of tackling this challenge, I wasn't aware of its existence.
Running the tool made me realize that there aren't as many differences between the binaries as I had initially expected. Providing no option to the tool, as you can see, doesn't yield the information on which line is added to and removed from the version 2 of the binary. To do so, we provide the option -u.
We can confirm that the changes in binaries took place in the following addresses:
- 0x000002d4
- 0x0009504e
The lines in the red show the hexadecimal values that are removed from the version 2 of the binary, and the green lines show the hex values that have replaced their removed counterparts. Let's go back to Ghidra and search for the series of hexadecimal values of 43 52 e5 d7 4f 75 9f f9 9c 57 06 0c 2b c2 df 27 51 a7 dd a9 located at the address 0x000002d4 to see if it is anything interesting.
Searching for the series of hexadecimal values results in the following section of the code. We are basically at the very beginning of the binary, and the viewer seems to show the metadata of the binary, and doesn't seem to yield anything that has to do what we need at the moment. Let's move on to the next candidate, which is the address 0x0009504e, with the series of hexadecimal values of 48 3d 3e c7 1b 04 74 0a c3 66 0f 1f 84 00.
Okay, searching for those hexadecimal values leads to the following function of the code, with the code viewer showing the potential flag, picoCTF{VnDB2LUf1VFJkdfDJtdYtFlMexPxXS6X}. At this point, I am kind of thinking that there is no way this is a flag we need to complete the challenge. Regardless, let's proceed with submitting this to check if this is indeed the right flag.
It was the right flag, and we completed the challenge. It was really simple compared to other challenges that we did, and I personally think this should be marked either Easy and Medium. Thank you for reading another walkthrough, and I will make sure to come back with something both interesting and challenging for the next walkthrough!
Top comments (0)