
We received a 4KB binary that, when run, prints the following message:

[Screenshot: the message box]

Opening it in IDA, the entry point calls only one function (0x401160):

[Screenshot: IDA view of the entry point calling 0x401160]

Inside this function there is a loop that prints the characters shown in the message box:

[Screenshot: the print loop in IDA]

Now notice the first compare:

[Screenshot: the first compare]

Checking it with x32dbg, I saw that it compares ecx to 0x1C (28 in decimal).

The message box printed “I never broke the encoding:”, which is 27 (0x1B) characters long and ends with “:”, a character that does not usually end a sentence.

Moreover, I had already seen 0x1C near the beginning of the binary:

[Screenshot: 0x1C near the beginning of the binary]

So, if the loop prints only 27 characters, why not raise the 0x1C bound so that it prints more than 27? I changed 0x1C to 0x6C (an arbitrary larger value):

[Screenshot: 0x1C changed to 0x6C]

After resuming the program, we received the flag:

[Screenshot: the message box with the flag]

Flag: I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com

*This challenge can be solved in other ways, such as removing the jump (jnb short loc_4011B2 at address 0x40117E) that follows the first compare.
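Both patches described in this write-up (raising the loop bound, or dropping the jnb after the compare), as an added Python example that is not part of the original post. It assumes the compare is encoded as `cmp ecx, imm8` (83 F9 1C) three bytes before the jnb, that the jnb is a 2-byte short jump (73 rel8) at 0x40117E, and an image base of 0x401100 for the constructed fragment; the byte fragment and the message buffer are constructed, not taken from the challenge binary.

```python
import struct

# Constructed x86 fragment modelled on the print loop (assumed encodings,
# not bytes from the challenge binary). Laid out so the offsets line up
# with the addresses in the write-up under an assumed base of 0x401100:
#   0x40117B  83 F9 1C   cmp ecx, 0x1C        ; loop bound = 28 characters
#   0x40117E  73 32      jnb short 0x4011B2   ; leave the loop once ecx >= bound
BASE = 0x401100
FRAGMENT = b"\x90" * 0x7B + b"\x83\xF9\x1C" + b"\x73\x32" + b"\x90" * 0x40

# Constructed buffer: the visible message followed by the flag hidden after it.
MESSAGE = b"I never broke the encoding:\n" + b"I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com"


def find_cmp_ecx_imm8(code, imm):
    """Offsets of every `cmp ecx, imm8` (83 F9 ib) carrying the given immediate."""
    pat = b"\x83\xF9" + bytes([imm])
    return [i for i in range(len(code) - 2) if code[i:i + 3] == pat]


def short_jump_target(code, off, base):
    """Resolve a short jcc (opcode, rel8): target = VA of the next insn + rel8."""
    rel = struct.unpack("<b", code[off + 1:off + 2])[0]
    return base + off + 2 + rel


def patch_bound(code, off, new_imm):
    """First approach: raise the loop bound by rewriting the immediate byte."""
    buf = bytearray(code)
    buf[off + 2] = new_imm
    return bytes(buf)


def nop_short_jump(code, off):
    """Second approach: overwrite the 2-byte jnb (73 rel8) with two NOPs."""
    if code[off] != 0x73:
        raise ValueError("no short jnb at offset %#x" % off)
    buf = bytearray(code)
    buf[off:off + 2] = b"\x90\x90"
    return bytes(buf)


def simulate_loop(data, bound):
    """Model of the print loop: emit data[i] while i < bound (clamped to the buffer)."""
    return data[:bound].decode()


if __name__ == "__main__":
    off = find_cmp_ecx_imm8(FRAGMENT, 0x1C)[0]
    print("cmp at %#x, jnb -> %#x" % (BASE + off, short_jump_target(FRAGMENT, off + 3, BASE)))
    print(simulate_loop(MESSAGE, 0x1C))   # only the visible 28 bytes
    print(simulate_loop(MESSAGE, 0x6C))   # the flag that follows them
```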
