RE5: packed movement
It was fun playing Alex CTF. Most of the challenges were simple yet very interesting.
As usual, first I checked what kind of a binary this was using the file command:
file move
ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
I then tried opening it in IDA, but it refused to open. So I asked the admin what the matter was.
He said that the binary was somehow packed and I need to unpack it.
Now I needed to find the type of packing and then unpack it.
So, I tried binwalk on the binary. It showed the following:
1. ELF, 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux)
2. Copyright string: "Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $"
As you can see, this file was packed with the UPX packer.
So I installed UPX and ran the following command on the file:
./upx -d move
Now the file is unpacked.
When I finally opened the file in IDA, I saw that it was movfuscated (obfuscated so that almost every instruction is a mov). Now I had to demovfuscate it to understand what the input should be.
So I googled for a demovfuscator and found the following link to be useful:
https://github.com/kirschju/demovfuscator
I installed it and deobfuscated the binary.
Now everything's set. We just need to find the flag... :p
For that I have the following script ready. I found it somewhere online, I don't remember where.
This is the script:
perf is the performance-counter tool for Linux. What this script does is count the number of instructions executed for each candidate input (the known prefix followed by one printable character). The character that made the binary execute the most instructions is then appended to the key string, and the same process is repeated until the closing bracket ( '}' ) is encountered.
The string which we finally obtain is the flag.
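The reason this works is that the movfuscated checker does more work the more leading characters are correct, so the instruction count acts as an oracle for each position. The following is an added example, not the script from the writeup: it replaces perf's instruction counter with a simple step counter and the real binary with a constructed early-exit checker (the secret ALEXCTF{mov} is made up for the demo). It recovers the string one character at a time exactly as described above, except that it stops when the oracle accepts the input rather than on '}', and it shows that a constant-time comparison gives the same count for every candidate, so the same search gets no signal at all.

```python
import string

# Constructed secret for the demonstration; not the CTF flag.
SECRET = "ALEXCTF{mov}"


def leaky_check(guess: str) -> tuple[bool, int]:
    """Early-exit comparison. Returns (accepted, steps).

    The step counter stands in for the instruction count that perf stat
    would report: one unit per byte compared, one more per byte advanced.
    A guess with a longer correct prefix therefore costs more steps.
    """
    steps = 0
    for i, g in enumerate(guess):
        steps += 1  # load and compare one byte
        if i >= len(SECRET) or g != SECRET[i]:
            return False, steps  # bail out on the first mismatch
        steps += 1  # advance to the next byte
    return len(guess) == len(SECRET), steps


def constant_time_check(guess: str) -> tuple[bool, int]:
    """Comparison that always walks the full secret and never branches on data.

    The step count depends only on len(SECRET), so the count leaks nothing
    about how many characters of the guess are right.
    """
    steps = 0
    diff = len(guess) ^ len(SECRET)
    for g, s in zip(guess.ljust(len(SECRET), "\0"), SECRET):
        steps += 1
        diff |= ord(g) ^ ord(s)
    return diff == 0, steps


def recover(oracle, max_len: int = 64):
    """Rebuild the secret one character at a time from the oracle's step counts.

    For each position, try every printable character; keep the one that made
    the checker do the most work. Returns None as soon as every candidate costs
    the same, i.e. when the oracle leaks nothing.
    """
    key = ""
    while len(key) < max_len:
        counts = {}
        for c in string.printable:
            accepted, steps = oracle(key + c)
            if accepted:
                return key + c
            counts[c] = steps
        if len(set(counts.values())) == 1:
            return None  # no signal: the comparison is constant-time
        key += max(counts, key=counts.get)
    return None


if __name__ == "__main__":
    print("leaky checker      ->", recover(leaky_check))
    print("constant-time check ->", recover(constant_time_check))
```

Against the real binary the oracle is `perf stat -e instructions` run once per candidate; the search logic is the same, only the source of the count differs.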