I’m Junior in Computer Science/Data Science at UMass Amherst
My interests are in DevOps, Infrastructure, Reverse Engineering, Vulnerability Analysis, Computer Networking and Operating Systems
Here, I will be sharing my writeups for CTFs and projects as well as my thoughts on various topics
To learn more about me navigate to the About page
Super CPP Calculator is a pwn challenge from Deadsec ctf 2024 There’s one binary given, let’s examine the binary first: OK, looks promising for an easy pwn, let’s open the binary in Ghidra. Looking at the main function in Ghidra (cleaned up for clarity) There are a few things to note here, we can see that a Calculator class is used here, and it appears to be allocated on the stack, so let’s look at the class....
Magic Conch is a rev challange. Downloading and opening the binary file in Ghidra: We can find an entry point, I have renamed the main function to main. Here is the main function in Ghidra, edited for clarity: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 int main(void) { char buf [64]; uint outlen; int length; code *entry_point_function; void *shared_obj_ptr; int memfd; void *dec_data; void *input_data; input_data = (void *)gen1(&enc_bin_start,&length); if (input_data == NULL) { exit(1); } dec_data = (void *)gen2(input_data,length,&outlen); if (dec_data == NULL) { exit(1); } free(input_data); memfd = memfd_create("payload_file",0); if (memfd == 0) { exit(1); } write(memfd,dec_data,outlen); sprintf(buf,"/proc/self/fd/%d",(ulong)(uint)memfd); shared_obj_ptr = (void *)dlopen(buf,1); if (shared_obj_ptr == NULL) { free(input_data); exit(1); } entry_point_function = (code *)dlsym(shared_obj_ptr,"EntryPoint"); if (entry_point_function == NULL) { free(input_data); dlclose(shared_obj_ptr); exit(1); } (*entry_point_function)(); dlclose(shared_obj_ptr); close(memfd); free(dec_data); return 0; } Looking at the main function, we can see that it uses syscalls such as dlopen as well as dlsym....