End14n_X0R

Downloading Challenge Files

Here is the executable file to download.

Basic EXE Reconnaissance

The executable is 64-bit, which means addresses are 8 bytes, and it is not stripped, which means we can view the function names.

Reverse Engineering

As we did in the S31r14l_Br34k3r challenge, open Ghidra and import the R3v_m3 binary to analyze it. After that, open the function list and take a look at the functions in the exe.

Let's open the main function. It takes the password from user input and passes it to the check_password() function. If the password passes the checks and is correct, the secret flag is revealed.

To be honest, I found a lazy win, which is patching the binary and removing the check_password() function so any password will be correct, and that will lead to printing the secret flag.

To do this we will use pwntools to overwrite the start of the check_password() function's assembly code with a single ret (return) instruction.

That makes check_password() return as soon as it is called, without running any of its checks on the password.

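from pwn import *

# load the original challenge binary
exe = 'END14n_XOR'
elf = context.binary = ELF(exe, checksec=False)

# overwrite the first instruction of check_password() with `ret`
elf.asm(elf.symbols.check_password, 'ret')

# write the patched copy to a new file
elf.save('END14n_XOR_Patched')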

The patched binary is saved as END14n_XOR_Patched.

Let's run this Python script to generate the patched exe.

Now let's make it executable.

And now let's run the normal executable and the patched executable.
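To confirm exactly what a patch like this changed, or to spot the same kind of tampering when comparing a binary against a known-good copy, the added example below (not part of the original write-up) diffs two images byte by byte and flags a function whose entry byte was replaced with `ret` (opcode 0xC3). The sample bytes and the check_password file offset are constructed assumptions, not values from the challenge file.

```python
# Added example: inspect what a one-instruction patch changed in a binary.
# The byte strings below are constructed samples, not the challenge file.

RET = 0xC3  # x86-64 opcode for a near `ret`


def diff_runs(original: bytes, patched: bytes):
    """Return [(offset, old_bytes, new_bytes)] for each contiguous changed run."""
    if len(original) != len(patched):
        raise ValueError("in-place patches keep the file size; sizes differ")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i                      # a changed run begins
        elif a == b and start is not None:
            runs.append((start, original[start:i], patched[start:i]))
            start = None
    if start is not None:                  # changed run reaches end of file
        runs.append((start, original[start:], patched[start:]))
    return runs


def stubbed_functions(runs, entry_offsets):
    """Names of functions whose first byte was overwritten with `ret`."""
    hits = []
    for name, off in entry_offsets.items():
        for start, _old, new in runs:
            if start == off and new[0] == RET:
                hits.append(name)
    return hits


# Constructed sample: 4 padding bytes, then a function that starts with the
# usual prologue `push rbp; mov rbp, rsp` at file offset 4.
ORIGINAL = bytes.fromhex("90909090" "554889e5" "b800000000" "5dc3")
PATCHED = bytes.fromhex("90909090" "c34889e5" "b800000000" "5dc3")
ENTRIES = {"check_password": 4}            # hypothetical file offset

if __name__ == "__main__":
    runs = diff_runs(ORIGINAL, PATCHED)
    for off, old, new in runs:
        print(f"offset {off:#x}: {old.hex()} -> {new.hex()}")
    print("stubbed:", stubbed_functions(runs, ENTRIES))
```

On real files, read both binaries with `open(path, "rb").read()` and supply the function's file offset from your disassembler.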

Flag

DEFENSYS{R3v3rs1ng_4nd_X0r1ng_M4k3s_4_r34lly_G00d_M4tch_:)}

Greetings from Sayonara
