0x41haz

1 minute read

Published:

THM 0x41haz

The binary was equipped with anti reversing techniques. Running the files command gives the following output.

File command output

We need to fix that. If we check the hexdump of the binary, we can see the following:

Hexdump

Here, we see that the 6th byte is set to 0x01. If we check the ELF header signature, we see that, 6th byte needs to be set to 0x01 for the original and current version of ELF.

ELF signature

Updating the 6th byte from 02 to 01, we get the following output:

Fixed File command output

Now, the binary can be run and debugged.

Opening the binary in ghidra, we can see the following decompiled function which is interesting:

Ghidra decompilation

We can see that the password is 13 digits long. The byte checking inside the while loop checks the bytes of the input and the byte at address local_1e+local_c. The address local_1e contains the last byte that is allocated, i.e. the values are going to be checked in reverse order. The structure of the stack frame is like below:

Return Address8 bytes
local_c4 bytss
local_104 bytes
local_122 bytes
local_164 bytes
local_1e8 bytes
local_4842 bytes
sVar18 bytes

So, if we construct the correct input, the value we get is: 0x3240403235246766735426404c. (Concatenating local_1e,local_16and local_12). Converting this long value to bytes, we get the correct password: 2@@25$gfsT&@L. So. our flag is: THM{2@@25$gfsT&@L}