Flare-On 2019 WriteUp: Overlong (#2)

Eviatar Gerzi
Mar 28, 2020


We received a 4KB binary file that, when run, prints the following message:

When looking inside it with IDA, there was only one function (0x401160) called from the entry point:

Inside this function there is a loop that prints the characters shown in the message box:

Now notice the first compare:

When checking it with x32dbg, I saw that it compares ecx to 0x1C (28 in decimal):

The message box printed “I never broke the encoding:”, which is 27 (0x1B) characters and ends with “:”, a character that does not usually end a sentence.

More than that, I already saw 0x1C in the beginning of the binary:

So, if the message box prints only 27 characters, why not change 0x1C to something larger than 27? I changed 0x1C to 0x6C (an arbitrary value):

After resuming the program, we received the flag:

Flag: I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com

*This challenge can be solved in other ways, such as removing the jump (jnb short loc_4011B2 at address 0x40117E) after the first compare.
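Both patches described above come down to overwriting a couple of bytes at a known virtual address. The following Python script is an added example, not part of the original writeup: it walks the PE section table to translate a VA to a file offset and refuses to write unless the bytes there match what the disassembly showed. Since the challenge file is not included, it runs against a constructed minimal PE; the `jnb short` encoding `73 32` is derived from the addresses given above (rel8 = 0x4011B2 - 0x401180).

```python
import struct

# Encoding of "jnb short loc_4011B2" at 0x40117E: opcode 0x73 with rel8
# 0x4011B2 - 0x401180 = 0x32. Two NOPs make the check fall through.
JNB_SHORT = bytes([0x73, 0x32])
NOP_NOP = bytes([0x90, 0x90])

def va_to_offset(pe: bytes, va: int) -> int:
    """Translate a PE32 virtual address to a file offset via the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header
    rva = va - struct.unpack_from("<I", pe, opt + 28)[0]  # minus ImageBase
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")

def patch(pe: bytes, va: int, expected: bytes, replacement: bytes) -> bytes:
    """Replace bytes at a VA, refusing to write if the original bytes differ."""
    off = va_to_offset(pe, va)
    found = pe[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"{va:#x}: expected {expected.hex()}, found {found.hex()}")
    return pe[:off] + replacement + pe[off + len(replacement):]

def build_fake_pe() -> bytes:
    """Constructed stand-in for the challenge binary (not the real file)."""
    img = bytearray(0x600)   # one .text section: VA 0x401000 <- file 0x400
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)        # i386, 1 section
    struct.pack_into("<H", img, 0x94, 0xE0)             # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, 0x400000)    # ImageBase
    sect = 0x98 + 0xE0
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x200, 0x1000, 0x200, 0x400)
    img[0x57E:0x580] = JNB_SHORT                        # 0x40117E -> 0x57E
    return bytes(img)

if __name__ == "__main__":
    patched = patch(build_fake_pe(), 0x40117E, JNB_SHORT, NOP_NOP)
    print(f"bytes at 0x57E after patch: {patched[0x57E:0x580].hex()}")
```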
