You are given a very small (128-byte) ELF binary. Upon further investigation, the return code changes based on the input. GDB prints "file format not recognized", leading me to assume that the header is corrupted in some way. Binary Ninja crashes when attempting to open it. readelf prints:
ELF Header:
  Magic:   7f 45 4c 46 58 3c 02 74 0b b3 01 31 c0 40 cd 80
  Class:                             <unknown: 58>
  Data:                              <unknown: 3c>
  Version:                           2 <unknown: %lx>
  OS/ABI:                            <unknown: 74>
  ABI Version:                       11
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x16eb20b4
  Entry point address:               0x1002004
  Start of program headers:          33 (bytes into file)
  Start of section headers:          511 (bytes into file)
  Flags:                             0x0
  Size of this header:               0 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         1
  Size of section headers:           51505 (bytes)
  Number of section headers:         187
  Section header string table index: 32
readelf: Warning: The e_shentsize field in the ELF header is larger than the size of an ELF section header
readelf: Error: Reading 9631435 bytes extends past end of file for section headers
readelf: Error: Section headers are not available!

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz   MemSiz    Flg Align
  LOAD           0x000000 0x01002000 0xbbc93100 0x1002000 0x1eb5e5e RWE 0xce015356

There is no dynamic section in this file.
The ELF header is very strange. The entry point is 0x1002004, so I removed the ELF magic and opened it as a raw binary file and made a function at 0x4. This revealed the code. By analysing it, I found that the program calculated the sum of all the bytes at incrementing offsets. I wrote a script to do this:
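#!/usr/bin/env python3
# Read the challenge binary (128 bytes) as raw bytes.
with open("native", "rb") as f:
    nbin = f.read()

def main():
    out = ""
    # One output character per column of a 4-row, 32-byte-wide layout.
    for i in range(0, 32):
        total = 0
        # Sum the bytes at offsets i, i+32, i+64 and i+96, modulo 256.
        for j in range(i, 32*4, 32):
            total += nbin[j]
            total &= 255
        out += chr(total)
    print(out)

if __name__ == "__main__":
    main()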
This prints the flag, but it doesn't work. It turns out the code is self-modifying, so a byte is set to zero. After correcting this, I get the flag.
FLAG{tiny_e1f_analysis_is__real}
Binary (base64):
f0VMRlg8AnQLswExwEDNgAIAAwC0IOsWBCAAASEAAAD/AQAAAAAAAAAAIAABADHJuwAgAAFeXusB
ByBLClZTAc4ByzHSMMACAwDjQoP6BHX2WzIGCEMKXkE44XXg66oA+gUq0FEIp/hrrGK+IiVfsK4R
JG2ssgwKLQBesVogb3w=
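
The column-sum check and the one-byte self-modification described above, run against the base64 dump on this page (an added example, not the write-up author's script). The patched offset, 10, is not stated in the write-up: it is an assumption read from the bytes 20 4b 0a (and [ebx+0xa], cl with cl = 0) at file offset 58, and the function names are hypothetical.

```python
import base64
import struct

# The 128-byte binary, copied from the base64 dump on this page.
NATIVE_B64 = (
    "f0VMRlg8AnQLswExwEDNgAIAAwC0IOsWBCAAASEAAAD/AQAAAAAAAAAAIAABADHJuwAgAAFeXusB"
    "ByBLClZTAc4ByzHSMMACAwDjQoP6BHX2WzIGCEMKXkE44XXg66oA+gUq0FEIp/hrrGK+IiVfsK4R"
    "JG2ssgwKLQBesVogb3w="
)
NATIVE = base64.b64decode(NATIVE_B64)

WIDTH, ROWS = 32, 4   # the check sums 4 bytes, 32 apart, per flag character
PATCHED_OFFSET = 10   # assumption: target of `and [ebx+0xa], cl` at file offset 58


def entry_file_offset(image: bytes) -> int:
    """Map e_entry to a file offset using the single LOAD segment."""
    # ELF32: e_entry at 0x18, e_phoff at 0x1c (little-endian).
    e_entry, e_phoff = struct.unpack_from("<II", image, 0x18)
    # Elf32_Phdr starts with p_type, p_offset, p_vaddr; here it overlaps the header.
    p_type, p_offset, p_vaddr = struct.unpack_from("<III", image, e_phoff)
    if p_type != 1:  # PT_LOAD
        raise ValueError("first program header is not PT_LOAD")
    return e_entry - p_vaddr + p_offset


def column_sums(image: bytes) -> str:
    """Sum bytes i, i+32, i+64, i+96 modulo 256 for each of the 32 columns."""
    return "".join(
        chr(sum(image[i::WIDTH][:ROWS]) & 0xFF) for i in range(WIDTH)
    )


def runtime_image(image: bytes) -> bytes:
    """Apply the one-byte self-modification before the sums are taken."""
    patched = bytearray(image)
    patched[PATCHED_OFFSET] = 0
    return bytes(patched)


if __name__ == "__main__":
    print("entry at file offset", entry_file_offset(NATIVE))
    print("on-disk bytes :", column_sums(NATIVE))
    print("runtime bytes :", column_sums(runtime_image(NATIVE)))
```

The two outputs differ only in the character at index 10, which is the column containing the zeroed byte.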