Here’s an easy one for you all.

Update: 25th October, 13:15 UTC - binary for the challenge is updated. Please download the binary again. Sorry for the inconvenience caused.

avap

Let’s start with checking the file information.

It is a 64-bit ELF executable which is dynamically linked and not stripped.

Let’s run it.

We got a segmentation fault.

Let’s try it again but with an argument this time.

Let’s disassemble its main function.

It places some bytes at rbp+var_40 and compares our input string with those bytes using the strcmp function. However, those bytes are not the real flag. The challenge tells us to dig deeper. Let’s look at the _start function instead of main.

Here is the decompilation of _start.

Look at the line at 0x40056D. Instead of placing the address of the main function into rdi, it places another address, which is the address of the check function. Therefore, the program starts at the check function, not main.

Let’s investigate the check function.

It converts the given argument to an integer; let’s call it x. Then, it checks if x * (x - 14) is equal to -49. If so, it assigns x to key. If not, key is set to -1. Finally, it calls main(argc, argv, envp). What about the key? The condition rearranges to (x - 7)^2 = 0, so if our argument is 7, the condition holds and key is set to 7.

Let’s look for references of key.

There is a reference to key from the strcmp_ function.

Let’s look at the disassembly of strcmp_.

It has a loop located at 0x400667 which simply does the following.

Since var_14 is never used, this loop is just junk code.

However, there is another loop at 0x400682. It iterates through each byte of the first string and XORs it with key. Finally, it calls strncmp to compare the strings. Thus, we just need to XOR the bytes we found in main with 7 to get the flag.

Here is a Python script for it.

Let’s run it and get the flag.

Here is the flag: flag{4s_e45y_4s_1t_g3ts}.
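The whole chain described above (the check in check, then the XOR loop in strcmp_) can be modelled in a few lines. This is an added example, not the script from the original writeup: the function names are hypothetical, STORED is reconstructed from the flag published here (flag XOR 7) rather than dumped from the binary, and treating the user input as the "first string" is an assumption.

```python
# Added example: a model of the logic described in the writeup.

def check(arg: str) -> int:
    """Model of check(): key = x if x * (x - 14) == -49, otherwise -1."""
    x = int(arg)
    return x if x * (x - 14) == -49 else -1

def find_keys(lo: int = -1000, hi: int = 1000) -> list:
    """Search a range of arguments for those that pass the check.
    x*(x-14) = -49 is (x-7)^2 = 0, so only 7 should be found."""
    return [x for x in range(lo, hi + 1) if check(str(x)) != -1]

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with key, keeping the low 8 bits as a byte store would."""
    return bytes(b ^ (key & 0xFF) for b in data)

# Constructed sample: the published flag XORed with 7, standing in for
# the bytes that main places at rbp+var_40.
STORED = b"akf`|3tXb32~X3tX6sX`4stz"

def strcmp_model(first: bytes, second: bytes, key: int) -> bool:
    """Model of strcmp_: XOR the first string with key, then compare.
    Assumption: the first string is the user's input."""
    return xor_bytes(first, key) == second

def solve():
    """Recover the key from the check, then decode the stored bytes."""
    key = find_keys()[0]
    return key, xor_bytes(STORED, key).decode()

if __name__ == "__main__":
    key, flag = solve()
    print("key:", key)
    print("flag:", flag)
    # With any other argument key is -1, and the comparison cannot succeed.
    print("matches with key -1:", strcmp_model(flag.encode(), STORED, -1))
```
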