Find The Secret Flag

Is it expected for the binary not to work properly?
When using a debugger (let’s say GDB), and stepping in, I get this message:

“_IO_new_fopen (filename=0x400c76 "/DIR/FILENAME", mode=0x400c73 "rb") at iofopen.c:88
88 iofopen.c: No such file or directory.”

P.S. Of course the file is in the expected location :)

Just solved. I spent 6 hours :D. Some tips: 1. In radare2 use “aaaa”, find main and the calls from main. 2. Search for strings. 3. Think about some strings (string) you found: where are they called from? Good luck, and try harder.
Ty, @BananaPr1nc3, your comment is pretty helpful! :)

Is it correct to add a function to call the piece of code where the string “–hit any key” is? I got a lot of output strings, but the converted hex and XOR don’t really mean anything. I saw the strings inside the binary but none of them caught my attention. Some help?

@Arkango said:

Is it correct to add a function to call the piece of code where the string “–hit any key” is? I got a lot of output strings, but the converted hex and XOR don’t really mean anything. I saw the strings inside the binary but none of them caught my attention. Some help?

You are on the correct path. When your program prints “useless” stuff, try to backtrack where your operands come from and ask yourself if that makes any sense. At multiple points in the binary, things remain unused which should be used. Radare2 hints at what you could try; I can’t tell what it looks like in other disassemblers.

Hint: Find the right byte and profit. No reversing required. Having said that, I did spend time reversing to arrive at this hint. :)

This challenge made me want to end it all… And nobody in this thread mentions the issue that confused me the most.

If you get the string with the names of the creators but with a bunch of “unwanted” characters, then do some research about the bell character.

Alternatively, you do not need to know anything about what I mentioned above if you just patch the binary in the right places which, in my opinion, is a bit painful to work out.

New to HTB (and infosec in general), took me a full day!
Boy, that was challenging, but I learned a lot from it.
I made it with 2 binary patches, as well as a Python script (that did more than just the filecheck).

Tips:

  1. Strings: take a close look at them. Which function does each string belong to?
  2. The program has a few requirements to run properly. Find those in the code.
  3. Identify the important zone that needs to run, as well as its required register values.

Hello everyone, I’m a beginner. Can someone help me?
I already found the hidden function, but I didn’t understand the meaning of the input of the main function,
whether the file creation is necessary later in the program for the state of the variables,
and how to reverse the XOR that is printed.

@ydrah I think you finished this challenge already. I’m stuck on the hidden function to get the flag. Can you, or someone else who can, PM me, please?

Finally

Solved this just by looking at the disassembled code, no debugger necessary (though it’d help I guess). Found the function and quickly brute forced the key with CyberChef. I feel this one was easier than “Debug Me”.

I was wondering why I can’t debug this, and now I think it might be stripped.
Even with that knowledge, still not getting very far!

Finally got it! Took over a week, and a little help. This may be the most difficult challenge I’ve ever completed on HTB. I’ve done a couple of reversing challenges with higher difficulty ratings (e.g. cake), but for me they were easier. I think it might be because I have an easier time when I can use graphical debuggers.

Done. Take care when you let IDA propose a decoded string for you,
e.g. db “xyz”: look at the hexadecimal. It would have saved me the time I spent searching for some string characters.

Just done this one. It seriously took me more time to figure out what to do with the flag than to patch the binary. So my main hint is: beware of deep rabbit holes! :)

Quite a nice challenge for people keen on RE. Thank you @decoder and @stefano118 for making this available.

Hi guys, I found the flag but HTB doesn’t accept it. Can anyone help me?

I struggled with this for many hours, but ultimately I wrote Perl code to do what that one function does. Didn’t need to do binary altering or debugging or CyberChef, just need to understand the assembly.

Note that static analysis and dynamic (running) analysis can give you different info, and the ptrace hack can make debugging difficult.

I have been trying to solve this challenge for hours now. I have found the name of the creators and the correct input to be given when you execute the program. I did all this by just analysing the code and bruteforcing it.

However, I am still not able to find the flag. Earlier challenges which I solved had the flag in the format HTB{sometext}. Does this challenge also have the flag in the same format? If not, do I have to combine the correct string and the authors’ names? I tried a few combinations but they didn’t work.

Please help me with this.

I’m really stuck with this one. Got the creators’ names (from 2 places), got the argument, done different patches to the binary, but cannot make it spit out the correct flag :(

edit: nvm got it

Solved it. The biggest issue I had was to find a decent debugger to work with in Linux. I am spoiled in Windows land with x64dbg and the like. Combining GDB with PEDA helped a bit but I still struggle with all-terminal debuggers. My hint on this one would be: find the secret routine, find the info you need to reverse the secret code and, most important, use a hexdump of the encrypted secret for reversing; the string representation gave me a false decrypted result.

All in all a nice challenge, thanks to the creator!
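
The hexdump-versus-string point from the post above, together with the one-byte key brute force mentioned earlier in the thread, as an added example that is not part of the original thread or the challenge. The dump, the key and the `EXAMPLE{` crib are constructed sample data, and `string_view` is a hypothetical stand-in for copying the secret out of a string or terminal view.

```python
# Constructed sample: xxd-style dump of a made-up secret XORed with one byte.
# It is NOT data from the challenge binary. Note the 0x07 (bell) and other
# control bytes, which a terminal or string view does not display.
DUMP = """\
00000000: 071a 030f 120e 0739 2c2d 361d 362a 271d  .......9,-6.6*'.
00000010: 3027 232e 1d24 2e23 253f                 0'#..$.#%?
"""

def from_hexdump(text: str) -> bytes:
    """Parse xxd-style lines: keep the hex columns, drop offset and ASCII."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_cols = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_cols)
    return bytes(out)

def string_view(data: bytes) -> bytes:
    """Assumed lossy copy: only printable ASCII survives."""
    return bytes(b for b in data if 0x20 <= b <= 0x7E)

def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key."""
    return bytes(b ^ key for b in data)

def brute_force(data: bytes, crib: bytes) -> list:
    """Try all 256 one-byte keys; keep (key, plaintext) containing the crib."""
    hits = []
    for key in range(256):
        plain = xor_single(data, key)
        if crib in plain:
            hits.append((key, plain))
    return hits

if __name__ == "__main__":
    crib = b"EXAMPLE{"  # assumed known prefix of the constructed secret
    raw = from_hexdump(DUMP)
    lossy = string_view(raw)
    print("from hexdump    :", brute_force(raw, crib))
    print("bytes lost      :", len(raw) - len(lossy))
    print("from string view:", brute_force(lossy, crib))
    print("lossy, same key :", xor_single(lossy, 0x42))
```

Working from the raw bytes recovers the whole constructed secret, while the string view silently drops every non-printable ciphertext byte, so the same key yields a shorter, different result and the crib search finds nothing.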