BreakerCTF 24 binaryshrink rev
Hello, today I'm going to show you how I solved the binaryshrink reverse engineering challenge.
Let's start by analyzing the file:
$ file binary_shrink
binary_shrink: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), too many section (53385)
Using the ls command you can see that the file is only 230 bytes, which is super weird.
$ objdump -d -M intel binary_shrink
objdump: binary_shrink: file format not recognized
- Ghidra didn't work, IDA also didn't work, even gdb wasn't recognizing the file, so I had to use my last weapon: radare2
- and it did work, let's see:
[0x08048009]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Skipping type matching analysis in debugger mode (aaft)
[x] Propagate noreturn information (aanr)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x08048009]> ie
[Entrypoints]
vaddr=0x08048009 paddr=0x08048009 haddr=0x00000018 hvaddr=0x08048018 type=program
1 entrypoints
Note: I used radare2 -d ./binaryshrink to go to the debugging mode.
As you can see, the first instruction is a call to another address. Use the F7 key to step into the next instruction; after getting there you will see another jump, which you have to follow as well, and then you can see this code.
You can see from this code that it performs two xor instructions on rax and rdx and then xors them with 0x42. Since the xored value is stored at the memory address held in rdx, I set a breakpoint at the end of the loop and examined the data at the address in rdx using these commands:
# note: you need to press : in order to execute commands in radare2
db 0x0804809f # to get to the address after all the xor operations
dc # to continue
px @0x804809f # which is the address of rdx at the start of the loop
And yeah, you can see the flag starting with brck{... It is writing on itself >_< this is the magic of tiny ELF.
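The same decoding can be done statically, without running the binary, by undoing the in-place XOR on the raw file image. The script below is an added example, not part of the original write-up or the challenge: it assumes the flag bytes are obfuscated with a single key byte (0x42 as observed above) and that the plaintext starts with brck{ and ends with }. It goes slightly beyond the challenge by trying every candidate key byte instead of hard-coding 0x42, and runs on a constructed sample image rather than the real challenge bytes.

```python
# Added example (not the challenge author's code): recover a single-byte-XOR
# encoded flag from a raw binary image without executing it.
# Assumptions: the flag is stored in place XORed with one key byte (the
# write-up observed 0x42) and the plaintext looks like "brck{...}".

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def find_flag(blob: bytes, prefix: bytes = b"brck{", keys=range(256)):
    """Try each candidate key; return (key, offset, flag) for the first hit.

    A key is accepted only if XORing the blob with it yields the prefix
    followed by printable bytes up to a closing brace.
    """
    for key in keys:
        plain = xor_bytes(blob, key)
        start = plain.find(prefix)
        while start != -1:
            end = plain.find(b"}", start + len(prefix))
            if end != -1 and all(0x20 <= c < 0x7F for c in plain[start:end + 1]):
                return key, start, plain[start:end + 1]
            start = plain.find(prefix, start + 1)
    return None

# Constructed sample image (not the real challenge file): a short code stub
# followed by the flag obfuscated with 0x42 and some padding, mimicking the
# self-decoding layout described above.
CODE_STUB = bytes.fromhex("4831c04831d2")   # xor rax,rax ; xor rdx,rdx
SECRET = b"brck{constructed_flag_for_demo}"  # constructed placeholder flag
SAMPLE_IMAGE = CODE_STUB + xor_bytes(SECRET, 0x42) + b"\x00" * 8

if __name__ == "__main__":
    hit = find_flag(SAMPLE_IMAGE)
    if hit:
        key, off, flag = hit
        print(f"key=0x{key:02x} offset={off} flag={flag.decode()}")
```

To apply it to a real file, read its bytes with open(path, "rb").read() and pass them to find_flag.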
That's it for today, thanks for reading :3
