Rating:
# native
You are given a very small (128 byte) ELF binary. Upon further investigation, the return code changes based on the input.
GDB prints `file format not recognized`, leading me to assume that the header is corrupted in some way. Binary Ninja crashes when attemting to open it. readelf prints:
```
ELF Header:
Magic: 7f 45 4c 46 58 3c 02 74 0b b3 01 31 c0 40 cd 80
Class: <unknown: 58>
Data: <unknown: 3c>
Version: 2 <unknown: %lx>
OS/ABI: <unknown: 74>
ABI Version: 11
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x16eb20b4
Entry point address: 0x1002004
Start of program headers: 33 (bytes into file)
Start of section headers: 511 (bytes into file)
Flags: 0x0
Size of this header: 0 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 51505 (bytes)
Number of section headers: 187
Section header string table index: 32
readelf: Warning: The e_shentsize field in the ELF header is larger than the size of an ELF section header
readelf: Error: Reading 9631435 bytes extends past end of file for section headers
readelf: Error: Section headers are not available!
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x01002000 0xbbc93100 0x1002000 0x1eb5e5e RWE 0xce015356
There is no dynamic section in this file.
```
The ELF header is very strange. The entry point is 0x1002004, so I removed the ELF magic and opened it as a raw binary file and made a function at 0x4. This revealed the code. By analysing it, I found that the program calculated the sum of all the bytes at incrementing offsets. I wrote a script to do this:
```
#!/usr/bin/env python3
nbin = open("native", "rb").read()
def main():
out = ""
for i in range(0, 32):
total = 0
for j in range(i, 32*4, 32):
total += nbin[j]
total &= 255
out += chr(total)
print(out)
if __name__ == "__main__":
main()
```
This prints the flag, but it doesn't work. It turns out the code is self-modified, so a byte is set to zero. After correcting this, I get the flag.
`FLAG{tiny_e1f_analysis_is__real}`
Binary (base64):
```
f0VMRlg8AnQLswExwEDNgAIAAwC0IOsWBCAAASEAAAD/AQAAAAAAAAAAIAABADHJuwAgAAFeXusB
ByBLClZTAc4ByzHSMMACAwDjQoP6BHX2WzIGCEMKXkE44XXg66oA+gUq0FEIp/hrrGK+IiVfsK4R
JG2ssgwKLQBesVogb3w=
```
