Static analysis can be fun.

Note: len(team_name) = 4

Let’s look at the file information.

It is a 64-bit ELF executable file which is dynamically linked and stripped.

Let’s run it.

Before moving to static analysis, let’s use ltrace to understand the program further.

So, it expects environment variable team_name. Let’s set a team name and try again.

Now, it compares the team_name we set with “bi0s”. Let’s set team_name to “bi0s” and try again.

It prints the usage which shows that we need to send an argument to the program. Alright, let’s try with an argument.

It calculates the length of our input and fails. We have collected quite a lot of information using ltrace. Let’s disassemble the executable’s main function and analyze it.

Since we already know about team_name and argument stuff, we can skip the beginning and start the analysis at loc_A18.

At 0xA2D, it calls loc_7EC with parameters team_name and our input. If it returns 1, then loc_7A0 is called with our input. Let’s take a quick look at loc_7A0.

It prints our input in flag format. Now, let’s analyze loc_7EC to figure out the checking algorithm.

Since the function is pretty long, we will analyze it part by part.

It places 24 bytes into rbp-40h and checks if our input’s length is equal to 24. If so, it goes to loc_854.

It calculates the sum of the ascii values of team_name and stores it in rbp-18h. Then, it jumps to loc_89D.

Here, it multiplies the sum stored at rbp-18h with 0x88888889 and adds the result’s lower DWORD to the sum. Then, it divides the result by 16 and stores it back at rbp-18h. Notice that the multiplication is signed. Let’s continue.

Here, it iterates through the bytes of our input and if its index is even, it subtracts 4, then xors with the stored value at rbp-18h. If its index is odd, then it adds 4 and xors with the value at rbp-18h. It copies the final string to rbp-60h and jumps to loc_929.

In this loop, it simply checks (rbp-60h)[i] == (rbp-40h)[23 - i] for i from 0 to 23 and if none of them fails, it continues execution at 0x98F.

Finally, it returns 1 as expected. If the condition above fails, it sets eax to 0 and jumps to loc_9A3. As a result, it returns 0.

Now, we are done with our static analysis. Let’s create a Python script to find the flag.
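The script below is an added example, not the writeup's own solver. It models the check routine at loc_7EC exactly as the steps above describe it (length 24, key derived from the ASCII sum of team_name, the even/odd ±4 then XOR loop, and the reversed comparison against the 24 bytes at rbp-40h) and inverts it. The 24 constant bytes are not reproduced in the writeup, so `TARGET` is a constructed stand-in obtained by running a constructed 24-byte sample through the forward transform; substitute the real bytes from the disassembly to recover the actual flag. The key derivation follows the prose description of the imul/shift sequence and is an assumption to confirm against the binary; since the XOR is byte-wide, only its low byte matters.

```python
# Added example (not from the original writeup): model of loc_7EC and its inverse.
TEAM_NAME = b"bi0s"   # value the binary compares the team_name env var against
INPUT_LEN = 24        # length check at the start of loc_7EC


def to_signed32(x: int) -> int:
    """Reinterpret the low 32 bits of x as a signed DWORD."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def derive_key(team_name: bytes) -> int:
    """Value stored at rbp-18h, per the writeup: ASCII sum of team_name,
    signed multiply by 0x88888889, add the product's low DWORD to the sum,
    then divide by 16 (arithmetic shift). Assumption: this mirrors the
    disassembly; verify if the solver output does not pass the check."""
    total = sum(team_name)
    product = total * to_signed32(0x88888889)
    low_dword = product & 0xFFFFFFFF
    t = to_signed32(total + low_dword)
    return (t >> 4) & 0xFF   # byte-wide XOR later, so keep the low byte


def transform(data: bytes, key: int) -> bytes:
    """The per-byte loop: even index -> (b - 4) ^ key, odd index -> (b + 4) ^ key."""
    out = bytearray()
    for i, b in enumerate(data):
        adjusted = b - 4 if i % 2 == 0 else b + 4
        out.append((adjusted & 0xFF) ^ key)
    return bytes(out)


def check(data: bytes, target: bytes, key: int) -> bool:
    """Mirror of loc_7EC: length must be 24, then transformed[i] == target[23 - i]."""
    if len(data) != INPUT_LEN:
        return False
    t = transform(data, key)
    return all(t[i] == target[INPUT_LEN - 1 - i] for i in range(INPUT_LEN))


def solve(target: bytes, key: int) -> bytes:
    """Invert check(): undo the reversed index, the XOR, then the +/-4 step."""
    if len(target) != INPUT_LEN:
        raise ValueError("target must be exactly 24 bytes")
    out = bytearray()
    for i in range(INPUT_LEN):
        v = target[INPUT_LEN - 1 - i] ^ key
        v = v + 4 if i % 2 == 0 else v - 4
        out.append(v & 0xFF)
    return bytes(out)


KEY = derive_key(TEAM_NAME)

# Constructed stand-in for the 24 bytes at rbp-40h: a made-up 24-byte input
# pushed through the forward transform and stored reversed, as the check expects.
SAMPLE_INPUT = b"sample_input_24_bytes!!!"
TARGET = transform(SAMPLE_INPUT, KEY)[::-1]


if __name__ == "__main__":
    recovered = solve(TARGET, KEY)
    assert check(recovered, TARGET, KEY)
    # loc_7A0 prints the accepted input in flag format
    print("flag{%s}" % recovered.decode())
```

With the real constant bytes pasted into `TARGET` (in the order they sit in memory), `solve()` yields the input that makes loc_7EC return 1, and `check()` lets you confirm it before running the binary.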

Let’s run it and get our flag.

Here is flag{l34rn_7h3_b451c5_f1r57}.