Again Buy Flag - CTF 17

CTF No: 17
CTF Name: Again Buy Flag
Topic: Reverse Engineering
Flag Format: IHC_CTF{}
CTF Link: https://t.me/ctf_invisiblehc/31
Description:
Download this file and run it in a terminal.
Run command: ./ctf17
Before running it, give it permission.
Permission command: chmod +x ctf17
Now buy the flag. Insufficient balance?
Try to buy and sell chocolate and then buy the flag.
Solve:
Open up the source, and we see that the service is a simple store. It offers us 4 options, but the one we're interested in is the second.
The second one offers the real flag. But the real flag costs 500 dollars, and we only start with 100. So how do we get more money?
✳️ If we choose 2, it will say Flag Price is 500 dollars, and Insufficient Balance. Earn money for buy the flag.
✳️ If we choose 1, it will say Avaiable Chocolate 5 Every Chocolate Price is 75 How many pant do you want to buy?
If we choose 1, it will say Your Balance 25
✳️ If we choose 3, it will say Avaiable Chocolate 1 Every Chocolate Price is 75 How many pant do you want to Sell?
If we choose 1, it will say Your Balance: 100
Nothing interesting so far. Let's check whether we can create a buffer overflow here or not. But I didn't find any buffer-overflow problem there, so I decided to open this binary in IDA Pro.
I found a portion of the flow chart that is related to the flag.
In the first box we see:
CMP: Here a comparison is made between our current amount and the flag cost.
JG: It means jump if greater than. If our current amount is greater than the flag cost, it jumps to loc_14FB. Otherwise it goes to the other branch.
Now let's have a little fun with the JG instruction. I changed the jump instruction to JLE, which means that if the current amount is less than or equal to the flag value, it moves me to loc_14FB.
After saving this, we run the binary again and choose 2 for the flag.
Our flag is given in decimal form, so we need to convert it into ASCII characters. After converting these decimal values we will find our required flag.
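The two steps above (changing JG to JLE, then decoding the decimal output) as an added example that is not part of the original writeup or the challenge. The instruction bytes, the offset and the space-separated output format are constructed assumptions, not values taken from ctf17.

```python
import struct

# x86 conditional jumps encode the condition in the low nibble of the opcode:
#   short form: 0x70 | cc, rel8          near form: 0x0F, 0x80 | cc, rel32
# cc 0xF = G (greater), cc 0xE = LE (less or equal): they differ by one bit.
JG_SHORT, JLE_SHORT = 0x7F, 0x7E
JG_NEAR, JLE_NEAR = 0x8F, 0x8E


def jcc_info(code: bytes, off: int):
    """Return (opcode_index, instruction_length, rel) for a JG/JLE at off."""
    if code[off] in (JG_SHORT, JLE_SHORT):
        return off, 2, struct.unpack_from("<b", code, off + 1)[0]
    if code[off] == 0x0F and code[off + 1] in (JG_NEAR, JLE_NEAR):
        return off + 1, 6, struct.unpack_from("<i", code, off + 2)[0]
    raise ValueError(f"no JG/JLE at offset {off:#x}")


def branch_target(code: bytes, off: int, base: int = 0) -> int:
    """Address the jump goes to when taken: end of instruction + displacement."""
    _, length, rel = jcc_info(code, off)
    return base + off + length + rel


def patch_jg_to_jle(code: bytes, off: int) -> bytes:
    """Invert the condition only; the displacement (the target) is untouched."""
    idx, _, _ = jcc_info(code, off)
    if code[idx] & 0x0F != 0x0F:
        raise ValueError("instruction at offset is not JG")
    out = bytearray(code)
    out[idx] ^= 0x01  # cc 0xF (G) -> cc 0xE (LE)
    return bytes(out)


def decode_decimal(text: str) -> str:
    """Turn whitespace-separated decimal byte values into ASCII text."""
    return "".join(chr(int(tok)) for tok in text.split())


# Constructed sample: cmp eax, 0x1f4 ; jg +0x0c ; nop
SAMPLE = bytes.fromhex("3df4010000" "7f0c" "90")

if __name__ == "__main__":
    patched = patch_jg_to_jle(SAMPLE, 5)
    print(SAMPLE.hex(), "->", patched.hex())
    print("target unchanged:", branch_target(SAMPLE, 5) == branch_target(patched, 5))
    print(decode_decimal("73 72 67 95 67 84 70"))  # constructed input
```

The one-bit difference between the two opcodes is why a balance check enforced only inside a binary the user controls cannot protect a secret stored in that same binary.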
Flag:
IHC_CTF{Y0U_D1D_17_sdkfja}
~ Writeup By mum1n