PicoCTF-2022 Writeup
  • README
  • Binary Exploitation
    • buffer overflow 1
    • buffer overflow 2
    • buffer overflow 3
    • flag leak
    • function overwrite
    • ropfu
    • stack cache
    • x-sixty-what
  • Cryptography
    • basic-mod1
    • basic-mod2
    • diffie-hellman
    • morse-code
    • NSA Backdoor
    • Sequences
    • substitution
    • Sum-O-Primes
    • Very Smooth
  • Forensics
    • Operation Oni
    • Operation Orchid
    • SideChannel
    • St3g0
    • Torrent Analyze
  • Reverse Engineering
    • Bbbbloat
    • Keygenme
    • unpackme
    • Wizardlike
  • Web Exploitation
    • Forbidden Paths
    • noted
    • Roboto Sans
    • SQLiLite
Powered by GitBook
On this page
  • Challenge
  • Solution
  • Flag

Was this helpful?

Edit on GitHub
  1. Reverse Engineering

Bbbbloat

PreviousTorrent AnalyzeNextKeygenme

Last updated 3 years ago

Was this helpful?

Challenge

Can you get the flag? Reverse engineer this .

Solution

Reverse the program using . We see FUN_00101307 contains most of the code:

undefined8 FUN_00101307(void)

{
  char *__s;
  long in_FS_OFFSET;
  int local_48;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0x4c75257240343a41;
  local_30 = 0x3062396630664634;
  local_28 = 0x65623066635f3d33;
  local_20 = 0x4e326560623535;
  printf("What\'s my favorite number? ");
  __isoc99_scanf();
  if (local_48 == 0x86187) {
    __s = (char *)FUN_00101249(0,&local_38);
    fputs(__s,stdout);
    putchar(10);
    free(__s);
  }
  else {
    puts("Sorry, that\'s not it!");
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

Our input local_48 is compared against 0x86187, which is 549255 in decimal. Running the program and entering 549255 prints the flag:

./bbbbloat
What's my favorite number? 549255
picoCTF{cu7_7h3_bl047_36dd316a}

Flag

picoCTF{cu7_7h3_bl047_36dd316a}

binary
Ghidra