You can calculate almost everything, why not calculate names?

nc 5678


Let’s check the given file first.

It is a 32-bit ELF file which is dynamically linked and not stripped.

Let’s check the protections of it.

The binary’s stack is not executable and it has stack protection.

Let’s run the binary to see how it works.

This looks strange. Let’s decompile its main function to understand it better.

It looks there is a secret function that gets called only if v4 == 0x6A4B825. Therefore, we need to set it using buffer overflow.

Let’s set a breakpoint on read call.

It reads up to 32 characters into the buffer which is located at 0xffffd24c.

Let’s put a breakpoint on the condition and find the v4‘s address at the stack.

It is located at 0xffffd268.

We need 28 characters of padding and 4 bytes to modify the variable which is 32 bytes at total and equal to the size parameter of read. Now, we know that we can modify it, let’s disassemble the secretFunc function.

It asks for an input and reads it with read again. This time the size parameter is 27 and the buffer’s size is 28.

After reading the input, it puts a null byte at the end of it. Then, it iterates through the buffer and reads chunks of 4 bytes except the last chunk and convert them 32-bit integers. Next, it xors them with 0x5F7B4153 and overwrite the original chunk with the result. Finally, it prints this new string using printf. Since it uses xor to encrypt the string, if we give an encrypted string to it, it will decrypt it correctly. We can prepare a format string exploit and send its encrypted version to the server and it will get decrypted. However, before returning from the function, it also verifies the return address. Instead of overwriting the return address of this function, we can overwrite the [email protected] since the main functions calls exit(0) at the end.

There exists another function named superSecretFunc at 0x08048596. Here is the decompilation of it.

This function prints the flag from the server. Therefore, we need to call this function by overwriting the [email protected].

Let’s find the address of [email protected].

It is 0x804a024 and it points to 0x08048476. We don’t even have to overwrite all bytes of it. Overwriting just the lower WORD of it from 0x8476 to 0x8596 is enough to redirect exit to superSecretFunc.

Here is the python exploit that I created for this challenge.

Let’s run the script to receive our flag.

Here is the flag noxCTF{M1nd_7he_Input}.