BEEF

Description

Waiter, I ordered BEEF and this is ~̡͆Q͍̓̆͟q̨̖͖̎̽̃͜͝x͍̕n̨̞̼̻̯̾͋̈́̏̓

Find flag.

BEEF

Solution

Using ghidra_auto, I opened the project to view the pseudo source code:

/* WARNING: Function: __i686.get_pc_thunk.bx replaced with injection: get_pc_thunk_bx */

int main(void) {
  int cmp_result;
  undefined4 enc;
  undefined4 enc2;
  undefined2 enc3;
  undefined local_2d;
  char input [16];
  char input2 [4];
  int enc_char;
  uint i;
  undefined *stack;
  
  stack = &stack0x00000004;
  puts("Input:");
  gets(input);
  cmp_result = strncmp(input2,"BEEF",4);
  if (cmp_result == 0) {
    enc = 0x66303361;
    enc2 = 0x62637165;
    enc3 = 0x783a;
    local_2d = 0xf5;
    enc_char = 0;
    for (i = 0; i < 11; i = i + 1) {
      enc_char = (*(byte *)((int)&enc + i) ^ i) + 1;
      *(char *)((int)&enc + i) = (char)enc_char;
    }
    printf("Good BEEF! grodno{%s}\n",&enc);
  }
  else {
    printf("Try again, %s not BEEF\n",input2);
  }
  return 0;
}

Variables have been renamed. Use L to rename.

There are 2 ways of solving the challenge:

  1. Buffer Overflow

  2. XOR Yourself

Buffer Overflow

First, gets is used, which is a dangerous function prone to buffer overflows. Second, input2 is checked for equality with BEEF, which is impossible because input2 is never set. Using gets, we can overflow into the input2 array and overwrite whatever is there.

XOR:
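
The decoding loop from the decompiled main can be reproduced offline without running the binary. This is an added example, not part of the original write-up. It assumes the four locals (enc, enc2, enc3, local_2d) are adjacent on the stack in that order, which is how the loop indexes them; the function names are hypothetical.

```python
import struct

# Constants copied from the decompiled main(); widths follow Ghidra's types
# (undefined4, undefined4, undefined2, undefined1).
# Assumption: the four locals are contiguous in memory, as the loop's
# indexing from &enc implies.
ENC_WORDS = (0x66303361, 0x62637165, 0x783A, 0xF5)


def encoded_bytes() -> bytes:
    """Lay the constants out as they sit in memory on little-endian x86."""
    return struct.pack("<IIHB", *ENC_WORDS)


def decode(buf: bytes) -> bytes:
    """Mirror of the loop: enc[i] = (char)((enc[i] ^ i) + 1)."""
    # The & 0xFF reproduces the truncating (char) cast in the decompilation.
    return bytes(((b ^ i) + 1) & 0xFF for i, b in enumerate(buf))


def flag() -> str:
    decoded = decode(encoded_bytes())
    # printf("%s") stops at the first NUL. The eleventh byte (0xf5) decodes
    # to 0x00, so the loop also writes the string terminator.
    text = decoded.split(b"\x00", 1)[0].decode("ascii")
    return "grodno{%s}" % text


if __name__ == "__main__":
    print(flag())
```

The loop runs 11 times even though only 10 characters are printable: the last iteration turns 0xf5 into the NUL byte that terminates the string passed to printf.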
