I briefly participated in a CTF hosted by WolvSec here: https://ctf.wolvseccon.org/. This post is going to be looking at a “Medium” level difficulty Reverse Engineering problem!
n33dl3
When we run the file, it prints a single statement before terminating.

Opening this binary in Ghidra, we see a deep chain of nested function calls; however, none of them are ever reached, because the boolean check guarding each call always evaluates to false. Some of those functions (like the one in the second picture) print a single character, whereas most of them print out (0).
If we patch the binary and change the first boolean check to true, the string is printed with a 'w' appended.

Since the flag is in the format ‘wsc{…}’, my hypothesis is that if we print out all the characters, it should print out the flag.
My initial approach was to fire the binary up in IDA, step through the execution and Set IP to bypass the boolean check so that it prints out the char... until I remembered that I had to do this a thousand times. Clearly not the right approach.

Clearly, then, we had to patch the binary to remove the jumps. Each check compiles to a 2-byte `jnz` short jump, bytes 75 14 (opcode 0x75, 8-bit displacement 0x14), so the fix is to change those two bytes to 90 90, two single-byte NOPs. The replacement is the same length as the original instruction, so nothing after it shifts and every call that was skipped now falls through unconditionally.
My approach was to dump out the hex content of the binary using xxd, use a text editor (vim) to replace 7514 with 9090, and reconstruct the binary.
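The same patch done at the byte level, as an added example that is not the writeup author's script. It also shows the one pitfall of the xxd-and-text-editor route: xxd's default dump groups bytes into aligned 2-byte words, so a `75 14` that starts at an odd file offset appears as `xx75 14xx` and a text search for `7514` will not see it. The sample "binary" is a constructed byte string, not the real n33dl3 executable, and the `start`/`end` parameters are a hypothetical way to limit the patch to the `.text` section so that data bytes that happen to look like `75 14` are left alone.

```python
import sys

JNZ_14 = b"\x75\x14"   # jnz short +0x14: opcode 0x75, rel8 displacement 0x14
NOP2 = b"\x90\x90"     # two 1-byte NOPs, same length as the jnz it replaces


def patch_jnz_to_nop(data, start=0, end=None):
    """Replace every 75 14 in data[start:end] with 90 90.

    Returns (patched_bytes, offsets_patched).  Scanning the raw bytes, rather
    than a hex dump, finds occurrences at any offset.  Pass the file offset
    and size of .text (e.g. from readelf -S) as start/end so that bytes in
    data sections are never touched.
    """
    end = len(data) if end is None else end
    buf = bytearray(data)
    offsets = []
    i = start
    while i < end - 1:
        if buf[i] == JNZ_14[0] and buf[i + 1] == JNZ_14[1]:
            buf[i:i + 2] = NOP2
            offsets.append(i)
            i += 2          # skip past the patched instruction
        else:
            i += 1
    return bytes(buf), offsets


def xxd_text_replace(data):
    """Simulate 'xxd | replace 7514->9090 | xxd -r' on the default dump.

    xxd prints aligned 2-byte words, so only a jnz starting at an even offset
    shows up as the word "7514".  Returns (patched_bytes, number_of_hits).
    """
    words = [data[i:i + 2].hex() for i in range(0, len(data), 2)]
    hits = sum(1 for w in words if w == "7514")
    words = ["9090" if w == "7514" else w for w in words]
    return bytes.fromhex("".join(words)), hits


# Constructed sample: a prologue, one aligned jnz, a 5-byte call, and a second
# jnz that lands at the odd offset 11.  Not bytes from the real challenge.
SAMPLE = bytes.fromhex(
    "554889e5"      # offsets 0-3 : push rbp; mov rbp, rsp
    "7514"          # offsets 4-5 : jnz +0x14   (even offset)
    "e800000000"    # offsets 6-10: call rel32
    "7514"          # offsets 11-12: jnz +0x14  (odd offset)
    "c3"            # offset 13   : ret
)


def patch_file(path_in, path_out, start=0, end=None):
    """Read a binary, patch it, write the result; returns the patched offsets."""
    with open(path_in, "rb") as f:
        data = f.read()
    patched, offsets = patch_jnz_to_nop(data, start, end)
    with open(path_out, "wb") as f:
        f.write(patched)
    return offsets


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("patched offsets:", patch_file(sys.argv[1], sys.argv[2]))
    else:
        _, byte_hits = patch_jnz_to_nop(SAMPLE)
        _, text_hits = xxd_text_replace(SAMPLE)
        print("byte-level patch hit offsets:", byte_hits)   # [4, 11]
        print("aligned-hex-dump replacement hits:", text_hits)  # 1
```

Run it with `python3 patch.py n33dl3 n33dl3_patched` to patch a file, or with no arguments to see the two approaches disagree on the constructed sample. If you do stick with xxd, `xxd -p` (a continuous hex string) avoids the word-alignment miss but introduces the opposite problem, since `7514` can then also match across a nibble boundary (`x7 51 4x`); patching bytes, and only within `.text`, sidesteps both.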
Now when we run the file, it prints out everything. Looking at it in IDA, this is what the functions become:

The JNZ instructions have become NOPs, and every function call is now unconditional.
We run the file and save the output, then use vim to clean it up and recover the flag.


Closing notes
I've recently joined a CTF team called Social Engineering Experts, so I'll be participating in more CTFs. It's definitely something new and refreshing compared to HTB, where the approaches are kind of similar (recon -> foothold -> priv esc), and I've been so brain damaged by some of the challenges. This serves as a humbling beginning to learn something new again!