CSCAMP CTF Quals 2014: PE 3 write-up

Created: 2014.11.24, last modified: 2014.11.24 by xorpse
Status: Complete

Attempting to run the challenge presents us with the following error (under Windows 7):

Similarly, attempting to load the file in IDA Pro indicates that it does not appear to be a standard PE file. A hex dump of the file header reveals the problem:

$ xxd -l 64 /tmp/bin.exe 
0000000: 4e5a 9000 0300 0000 0400 0000 ffff 0000  NZ..............
0000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 8000 0000  ................

PE files begin with the two-byte magic number MZ. In this executable, however, the magic number has been changed (to NZ); reverting it to the correct value allows the executable to run as expected:
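As an added example (not part of the original write-up), the following Python script performs the check and repair described above: it reads e_lfanew from offset 0x3c of the DOS header, reports whether the PE signature it points at is present, and restores the MZ magic without touching anything else. The sample header bytes are re-typed from the xxd dump; the function names are chosen here.

```python
import sys

# First 64 bytes of the challenge binary, re-typed from the xxd dump in the
# write-up and used here as constructed sample input (the remainder of the file
# is not shown, so its e_lfanew of 0x80 points past this buffer).
SAMPLE_DOS_HEADER = bytes.fromhex(
    "4e5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000080000000"
)

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # IMAGE_DOS_HEADER.e_lfanew: file offset of "PE\0\0"

def inspect_dos_header(data):
    """Return the DOS header's magic, e_lfanew, and whether the PE signature
    it points at is present (None when e_lfanew lies beyond the buffer)."""
    if len(data) < 0x40:
        raise ValueError("buffer shorter than an IMAGE_DOS_HEADER (64 bytes)")
    e_lfanew = int.from_bytes(data[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4], "little")
    pe_ok = None
    if e_lfanew + 4 <= len(data):
        pe_ok = data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE
    return {"magic": bytes(data[:2]), "e_lfanew": e_lfanew, "pe_signature_ok": pe_ok}

def repair_mz_magic(data):
    """Restore the MZ magic if it was altered; returns (patched, changed)."""
    if data[:2] == MZ_MAGIC:
        return bytes(data), False
    return MZ_MAGIC + bytes(data[2:]), True

def main(argv):
    if len(argv) != 3:
        print("usage: fix_mz.py <input.exe> <output.exe>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    patched, changed = repair_mz_magic(data)
    info = inspect_dos_header(patched)
    print(f"magic {data[:2]!r} -> {patched[:2]!r} (changed={changed}), "
          f"e_lfanew=0x{info['e_lfanew']:x}, PE signature ok: {info['pe_signature_ok']}")
    with open(argv[2], "wb") as f:
        f.write(patched)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```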

Using IDA, we see that no control flow within the main function leads to anything that takes input or produces output relating to a flag. However, upon inspection of the executable's functions, we find one called flag():

.text:00401491                 push    ebp
.text:00401492                 mov     ebp, esp
.text:00401494                 push    ebx
.text:00401495                 sub     esp, 24h
.text:00401498                 lea     eax, [ebp+var_11]
.text:0040149B                 mov     ecx, eax
.text:0040149D                 call    __ZNSaIcEC1Ev   ; std::allocator<char>::allocator(void)
.text:004014A2                 lea     eax, [ebp+var_18]
.text:004014A5                 lea     edx, [ebp+var_11]
.text:004014A8                 mov     [esp+4], edx    ; std::string *
.text:004014AC                 mov     dword ptr [esp], offset aFlagflag ; "flagflag"
.text:004014B3                 mov     ecx, eax
.text:004014B5                 call    __ZNSsC1EPKcRKSaIcE
.text:004014BA                 sub     esp, 8
.text:004014BD                 lea     eax, [ebp+var_11]
.text:004014C0                 mov     ecx, eax
.text:004014C2                 call    __ZNSaIcED1Ev   ; std::allocator<char>::~allocator()
.text:004014C7                 lea     eax, [ebp+var_C]
.text:004014CA                 lea     edx, [ebp+var_18]
.text:004014CD                 mov     [esp], edx      ; this
.text:004014D0                 mov     ecx, eax
.text:004014D2                 call    __ZNSsC1ERKSs   ; std::string::string(std::string const&)
.text:004014D7                 sub     esp, 4
.text:004014DA                 lea     eax, [ebp+var_10]
.text:004014DD                 lea     edx, [ebp+var_C]
.text:004014E0                 mov     [esp+4], edx
.text:004014E4                 mov     [esp], eax
.text:004014E7                 call    __Z7reverseSs   ; reverse(std::string)
.text:004014EC                 lea     eax, [ebp+var_18]
.text:004014EF                 lea     edx, [ebp+var_10]
.text:004014F2                 mov     [esp], edx      ; this
.text:004014F5                 mov     ecx, eax
.text:004014F7                 call    __ZNSsaSERKSs   ; std::string::operator=(std::string const&)
.text:004014FC                 sub     esp, 4
.text:004014FF                 lea     eax, [ebp+var_10]
.text:00401502                 mov     ecx, eax
.text:00401504                 call    __ZNSsD1Ev      ; std::string::~string()
.text:00401509                 lea     eax, [ebp+var_C]
.text:0040150C                 mov     ecx, eax
.text:0040150E                 call    __ZNSsD1Ev      ; std::string::~string()
.text:00401513                 mov     dword ptr [esp+4], offset aFlag ; "Flag: "
.text:0040151B                 mov     dword ptr [esp], offset __ZSt4cout ; std::cout
.text:00401522                 call    __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
.text:00401527                 lea     edx, [ebp+var_18]
.text:0040152A                 mov     [esp+4], edx
.text:0040152E                 mov     [esp], eax
.text:00401531                 call    __ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKSbIS4_S5_T1_E
.text:00401536                 mov     dword ptr [esp+4], offset asc_474075 ; "\n"

This function computes the string reversal of the hard-coded value “flagflag” and outputs it (as the flag).

Flag: ‘galfgalf’.