@((%/(%%.#..&@&(****@(****//*,,
@((%/(%%.#//((((#(@.@((**%(%@**
@((%##((((((((((((((@((%.(((%&(
****#%#((((((((((((((((((((((%%((((%&
....((((((((((((#. ,,,#((((%(((%%*
**((((((((((((( .,%((((((%%%.......%.%
*((((((((((((( #@@ ,((((((%%%%%((#,#%.%
@(((((((((((((& /((((((((((%%%@,#%.%
@(@*,,,*@((((((@ @((((((((((((((%%%@.%
/, ,&((((((((@@@@(((((((((((((((((((((%%%%....
@ @@ ,@(@*,/@%@((((((((((((((((((((((((((%%%...
* ,((@% @@@(%((((((((((((((((((((((((((%%%@,
..%. #((((((((((((((((((((((((((((((((((((((%%%/
\$$&%((((((((((((((((((((((((((((((((((((((((%%%@
&%.@&*@(((((((((((((((((((((((((((((((((((%%%*
&%.@&*#/*((((((((((((((((((((((((((((((((%%%@(
#########((((((((((((((((((((((((((((((#%%%@,,
*********(((%@((((((((((((((((((((((((((%&....
.........#*.*,,@((((((((((((((((((%&(((%&(((((
.........#*.*,,%.&@(((((((((((%%%%@@((%@......
.........#*.*,,%.&#..@#/@@@@#%@
@((%@
This was a reversing challenge from the DefCamp CTF 2020 rated with 50 points. The description said:
The password is so clear that it is the flag itself.
Flag format: CTF{sha256}
First step was to execute the binary:
It checks if the flag we are providing is right or wrong. So, let’s move to the disassemble the binary! I’m using Cutter to perform the task.
As the name implies, it’s a Go binary. We can know it because of the amount of functions and their names, for example: ‘runtime.gogo’, ‘sym.gosave’, the fmt functions, etc. By searching that names we can find that they relate to Golang:
Let’s find the main, in our case, it’s called sym.main.main. I used the filter function to find all the functions which contained main in their names (this is how golang name the main function).
Let’s take a look. In the first block we can find:
It creates a new object (runtime.newobject), then prints something (fmt.Print) and finally reads something else (fmt.Scanln). Then it checks if the length (fmt.Scanln return sthe number of bytes read in the rax register) is equal to 69 (0x45). Well, know we know that’s the flag because len(ctf{}) = 5 and the hash must be 64 bytes so 69 total bytes.
Let’s move to the next block of code.
After checking the length, it makes a comparison and prints one thing or the other depending on the result.
This workflow matches the one we saw on our first run. It prints the ‘Enter password:’ string, then reads our password and prints ‘The flag is wrong!’ if it doesn’t match and I guess something like ‘The flag was right!’ if it is right.
Let’s dive inside the instructions. Well, we know it’s comparing our input with something so let’s check what it’s comparing our input with.
We can check the contents of the address (0x004c55f2) which are used in the comparison. We copy the address and access the contents in the hexdump window.
And there is the flag! Plaintext. Let’s check if it works:
Yeah! Solved!