# BM02

## About The Challenge

| Type   | Difficulty |
| ------ | ---------- |
| Binary | Medium     |


## Solution

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MOMxAxuPsS5TFBGEva7%2FScreenshot_2020-12-12_20-46-32.png?alt=media\&token=7b5f75f0-3e5a-46ab-92b4-3a40439c3ce2)

In this challenge a Linux binary was provided. It is not easy to solve by reading the code alone; we have to debug it and use some patching techniques.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MOMxW6ui3lOzqNYLLr1%2FScreenshot_2020-12-12_20-46-03.png?alt=media\&token=d0f911cf-42d5-43ae-af78-2ecd076a08e8)

I used IDA to debug the binary.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MOMy12arDB6nvqUuc-H%2FScreenshot_2020-12-12_20-48-01.png?alt=media\&token=7c0ecceb-285d-4563-92e1-50f88544e907)

First of all, I set breakpoints at the end of each function so that I could redirect execution to whichever branch or function I wanted.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MOMyuR8ekg0-hSmRsAm%2FScreenshot_2020-12-12_20-51-38.png?alt=media\&token=d8fa66b8-31ad-4d18-8854-bf497b80a47d)

As the figure above shows, there are two paths the function can follow once the comparison is done. They are highlighted with red and green arrows (in IDA's graph view the green arrow is the branch taken when the conditional jump's condition holds and the red arrow is the fall-through); here the green arrow is the default path.

So here we have to modify that path and make execution follow the red arrow.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MOMzqeFhw9ipl7sByJ8%2FScreenshot_2020-12-12_20-53-13.png?alt=media\&token=e9e5df1c-f2cd-4fb9-90ea-c5fb5621add2)

There are many ways to do that (patching the jump opcode, for example), but I preferred to do it the complicated way.

Here I set the zero flag `ZF` in the EFLAGS register to 1 while stopped at the conditional jump. After that, the function took the non-default branch, the one the program would not have executed on its own.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MON-lLV_oPjV5caq40T%2FScreenshot_2020-12-12_20-54-41.png?alt=media\&token=cd0e219e-93bd-42c2-adc1-5f765004b31d)

After that, I moved on to analysing what the binary does while executing. I identified a function containing a loop that prints one letter per iteration. That function is highlighted with a red border in the figure below.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MON0PPuB8zX-omjOLfE%2FScreenshot_2020-12-12_20-56-56.png?alt=media\&token=93ebd167-afde-4ce1-9d42-bcbe0a2712bf)

Then I let the binary run through that function so that it printed all the letters.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MOMkhHDKbNa0T29i5e9%2F-MON0xDA6pM0DRFWzY3r%2FScreenshot_2020-12-12_21-07-07.png?alt=media\&token=253f3b48-29d4-4b67-a0bd-19b43a56899a)

Finally, on the last pass I set the carry flag `CF` to 1 so that the loop's conditional jump left the loop function, which stored the letters printed by the loop on the heap.
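The two ways of forcing a branch that the write-up performs interactively in IDA (setting `ZF` to take the non-default path, then setting `CF` to leave the loop) can also be expressed as code. The Python below is an added example and is not part of the original write-up or of the challenge binary; the byte string it patches is constructed for illustration and its offsets mean nothing for BM02. It evaluates a `Jcc` condition against EFLAGS the way the CPU does, shows what toggling a flag in the debugger changes, and gives the equivalent permanent patch (inverting the jump, or turning it into `JMP`/`NOP`s) so the binary follows the wanted path without a debugger attached.

```python
"""Forcing a branch in x86/x86-64 code: in the debugger (flip a flag) or
on disk (patch the Jcc). Added example, not code from the BM02 write-up or
the challenge binary; the code bytes and offsets below are constructed."""

# EFLAGS bit positions (Intel SDM vol. 1, section 3.4.3)
CF, PF, ZF, SF, OF = 1 << 0, 1 << 2, 1 << 6, 1 << 7, 1 << 11


def jcc_taken(cc: int, eflags: int) -> bool:
    """Evaluate condition code cc (the low nibble of a Jcc opcode) against EFLAGS.

    0x74 (JZ) -> cc 4, 0x75 (JNZ) -> cc 5, 0F 82 (JB rel32) -> cc 2, ...
    An odd cc is the negation of the even cc just below it.
    """
    cf, zf, sf, of, pf = (bool(eflags & f) for f in (CF, ZF, SF, OF, PF))
    base = {
        0x0: of,              # JO
        0x2: cf,              # JB / JC / JNAE
        0x4: zf,              # JZ / JE
        0x6: cf or zf,        # JBE / JNA
        0x8: sf,              # JS
        0xA: pf,              # JP / JPE
        0xC: sf != of,        # JL / JNGE
        0xE: zf or sf != of,  # JLE / JNG
    }[cc & 0xE]
    return base if cc % 2 == 0 else not base


def flip_flag(eflags: int, flag: int) -> int:
    """What 'set ZF = 1' in the debugger does: toggle one EFLAGS bit in place."""
    return eflags ^ flag


def decode_jcc(code: bytes, off: int) -> tuple[int, int]:
    """Return (cc, length) for the Jcc at code[off]; raise if there is none."""
    op = code[off]
    if 0x70 <= op <= 0x7F:                              # 7x rel8 (2 bytes)
        return op & 0xF, 2
    if op == 0x0F and (code[off + 1] & 0xF0) == 0x80:   # 0F 8x rel32 (6 bytes)
        return code[off + 1] & 0xF, 6
    raise ValueError(f"no Jcc at offset {off:#x}: {code[off:off + 2].hex()}")


def invert_jcc(code: bytes, off: int) -> bytes:
    """Static patch: JZ<->JNZ, JB<->JAE, ... by flipping the low bit of the condition."""
    _, length = decode_jcc(code, off)
    buf = bytearray(code)
    buf[off + 1 if length == 6 else off] ^= 0x01
    return bytes(buf)


def force_jcc(code: bytes, off: int, taken: bool) -> bytes:
    """Static patch: make the branch unconditional (JMP) or dead (NOPs).

    The displacement is kept as-is. rel8 fits JMP EB directly; for the 6-byte
    form the NOP goes *before* E9 so the JMP ends at the same address as the
    original Jcc and rel32 needs no adjustment.
    """
    _, length = decode_jcc(code, off)
    buf = bytearray(code)
    if not taken:
        buf[off:off + length] = b"\x90" * length
    elif length == 2:
        buf[off] = 0xEB                     # JMP rel8
    else:
        buf[off:off + 2] = b"\x90\xE9"      # NOP ; JMP rel32
    return bytes(buf)


# Constructed sample (not from BM02): cmp eax, 0 ; jnz short +5 ; mov eax, 1 ; ret
SAMPLE = bytes.fromhex("83f800" "7505" "b801000000" "c3")
JNZ_OFF = 3

if __name__ == "__main__":
    cc, _ = decode_jcc(SAMPLE, JNZ_OFF)
    print("default (ZF=0):", "jump" if jcc_taken(cc, 0) else "fall through")
    print("after ZF:=1   :", "jump" if jcc_taken(cc, flip_flag(0, ZF)) else "fall through")
    print("inverted      :", invert_jcc(SAMPLE, JNZ_OFF).hex())
    print("forced taken  :", force_jcc(SAMPLE, JNZ_OFF, True).hex())
    print("never taken   :", force_jcc(SAMPLE, JNZ_OFF, False).hex())
```

Flipping a flag in the debugger only affects the current run, which is why the write-up has to repeat it on every pass; the static patch is permanent but must preserve the jump's displacement, hence the `NOP ; JMP rel32` layout instead of `JMP rel32 ; NOP` for the six-byte form.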

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MON1h3OOzx9lJly1bEX%2F-MON1yTUAze00ialj6b4%2FScreenshot_2020-12-12_21-07-07%20-%20Copy.png?alt=media\&token=9608870a-301a-4620-b410-ffb000dbe117)

As shown in the figure above, the data is stored on the heap. Now we will check what that heap data contains.

![](https://3440279504-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MM4TVxXO_3L3IYJHc1e%2F-MON1h3OOzx9lJly1bEX%2F-MON2Kq75qgquq1cEZGa%2FScreenshot_2020-12-12_21-07-37.png?alt=media\&token=651d1c70-106c-4a02-90b8-2e76e0165e7b)

Inspecting the heap shows that the loop function was printing the flag one letter at a time.

**Flag:** n1CePatCHiNG010189
