h3rcul35 and starlord were having a heated conversation and to c00l down the furious starlord, h3rcul35 gave him a binary and said “The binary takes each ‘character’ byte of the flag as argument. Given this info, grab the flag. I hope you dont get angry :P”. Show h3rcul35 that you stayed c00l by finding the flag.

challange

First, I checked whether the binary is 32-bit or 64-bit .

It is a 64-bit ELF file. Then, I disassembled it with IDA to understand how it works.

The binary starts with assigning the number of arguments to [rbp+var_44] and the address of the argument array to [rbp+_var50]. Next, it checks whether the number of arguments is equal to 31. Since the first argument is the program’s file name, remaining 30 arguments are the characters of our flag. If the program doesn’t have exactly 31 arguments, then it terminates with exit code 1. Otherwise, it goes to 0x40081F. Let’s check what’s there.

We encounter a loop which iterates through the arguments and copy them into another array which starts at [rbp+var_30]. Let’s give a name to that array to make it easier to understand the following parts. I will call it as flag since it contains the bytes of the flag.

After exiting the loop, the binary checks if the equation flag[0] + flag[1] ‑ flag[2] = 0x51 holds. If so, it moves on to the next part. Otherwise, it terminates. Let’s continue following the right path.

Here, we have another equation as flag[0] ‑ flag[1] + flag[2] = 0x35. If the equation does not hold, it terminates. Keep following the right path.

Oh, there is another equation! This one is flag[1] ‑ flag[0] + flag[2] = 0x37. So far, we have 3 different variables and 3 different equations which is solvable. In other words, we know the first 3 characters of the flag already! Let’s look at the rest of the code.

We again have 3 equations as follows:

flag[4] + flag[5] ‑ flag[6] = 0x5A
flag[4] ‑ flag[5] + flag[6] = 0x9C
flag[5] ‑ flag[4] + flag[6] = 0x42

Which is exactly the same pattern and also solvable. The rest is similar. We can use angr or z3 to solve this challange, but I’m an oldschool guy who does his stuff manually(at least for now). Therefore, I created the following python script to solve the challange.

Let’s execute the script to get our flag.

It gives us the flag CTF{Now_th1s_1s_t0_g3t_ANGRyy}.