This is a quick walk-through of the Saycure Beginner CTF challenge (a.exe). Two samples were provided: one a Windows binary and the other a UNIX binary.

Let's go ahead and run the UNIX binary to see what the challenge is.

Running the binary prints usage instructions stating that a key is required. We run it again with “MASKOP9” as the key and the program says Nope!!. We need a valid key in order to get the flag, so let’s load the binary in IDA to figure out what a valid key looks like.

Looking at the main function, we can see that at the end it checks whether the number of command line arguments is less than one and, if so, prints the usage instructions as shown below.

If there is one or more command line argument, the program jumps to loc_1228.

At loc_1228 is a loop, represented by the blue lines. Let's see what this loop is used for. We see var_1C is initialized to zero and the program jumps to loc_124B. At loc_124B the program computes the length of the command line argument and saves it in the EDX register. It then compares var_1C (initialized to 0) with EDX (the length of the argument). If var_1C is less than EDX, the program jumps to loc_1231, where it adds the current character of the command line argument to var_20. It then increments var_1C by 1 and loops again for as long as var_1C is less than the length of the provided argument.

So this loop is calculating the ASCII sum of every character in the key. Once the sum has been calculated, the comparison of var_1C with the length fails and the program checks whether the calculated sum (var_20) equals 1337, as seen on the right part of the graph above. So the ASCII sum of the characters in the key must equal 1337.

If the sum is not equal to 1337, the program jumps to loc_12AF and prints Nope!!

If the sum is equal to 1337, the program goes on to execute the following code.

This segment of code checks whether the first character of the command line argument is ‘S’ and the second character is ‘A’. If either condition fails, it jumps to loc_12AF, which again prints “Nope!!”.

So now we know 3 things:

1. the first character of the key should be ‘S’
2. the second character of the key should be ‘A’
3. the total ASCII sum of the key should be 1337

If all three conditions are satisfied, the program executes the following code segment, which prints “Enter [%s] at 35.231.253.101/hacked.php”.

Now that we know exactly what the program does, we can write a high-level equivalent of the code for better understanding.

C Program :

```c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    size_t i;
    int sum = 0;                       /* var_20: running ASCII sum of the key */

    if (argc < 2) {                    /* fewer than one argument: print usage */
        printf("\n[+] Usage: script.exe [+]\n");
        return 0;
    }

    char *key = argv[1];
    for (i = 0; i < strlen(key); i++) {   /* the loop at loc_1228 / loc_124B */
        sum += key[i];
    }

    if (key[0] == 'S' && key[1] == 'A' && sum == 1337)
        printf("Enter [%s] at 35.231.253.101/hacked.php to continue.\n", key);
    else
        printf("Nope!!\n");

    return 0;
}
```

Now we can generate a key whose first character is ‘S’, whose second character is ‘A’, and whose ASCII sum is 1337. We generated the string “SAAAAAAAAAAAAAAAAAAT”. Let’s test it out. 😉
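As an added example (not part of the original write-up), the following script models the three checks recovered from the disassembly and constructs a key that passes them; the function names check_key and make_key are my own, and the generator pads with ‘A’ and closes the sum with a single printable byte, which reproduces the key above.

```python
# Added solver for the a.exe key check, built from the three constraints
# recovered above (key[0] == 'S', key[1] == 'A', ASCII sum == 1337).
# check_key / make_key are my own names, not from the challenge binary.

def check_key(key: str) -> bool:
    """Mirror the binary's logic: sum every byte of the key (the loop that
    accumulates var_20), then require sum == 1337 and the 'SA' prefix."""
    if len(key) < 2:
        return False
    total = sum(ord(c) for c in key)
    return total == 1337 and key[0] == "S" and key[1] == "A"


def make_key(prefix: str = "SA", target: int = 1337) -> str:
    """Build a printable key starting with `prefix` whose ASCII sum is `target`.
    Pads with 'A' (65) until the remainder fits in one printable byte."""
    remaining = target - sum(ord(c) for c in prefix)
    key = prefix
    while remaining > 126:          # '~' (126) is the largest printable byte
        key += "A"
        remaining -= ord("A")
    if remaining == 0:
        return key
    if remaining < 33:              # only a control char or space would fit
        raise ValueError("cannot close the sum with a printable byte")
    return key + chr(remaining)


if __name__ == "__main__":
    candidate = make_key()
    print(candidate, check_key(candidate))   # SAAAAAAAAAAAAAAAAAAT True
```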

Done. Now you can open 35.231.253.101/hacked.php and insert the key there to get the actual flag. 🙂

Stay tuned for more analysis and other amazing stuff. If you love and support my work use the below link to buy me a coffee and help me with my research.
