picoCTF - ‘unpackme-upx’ Reverse Engineering

Introduction

This article walks through the picoCTF challenge ‘unpackme-upx’ from the Reverse Engineering section.

PicoCTF is a popular cybersecurity competition for beginners and intermediate-level players. It aims to teach participants various aspects of cybersecurity, including web exploitation, reverse engineering, binary exploitation, cryptography, and more.

Solving the ‘unpackme-upx’

First, we should download the binary from the picoCTF site.
https://picoctf.org/
Now, we’re ready to solve the challenge!

Before reverse engineering the binary, we should gather as much information about it as we can.
We start by executing the binary to see what it does.
The binary only asks the user for their favorite number.
When you enter the wrong number, it exits straight back to the terminal.

Now, we use the ‘strings’ tool to look for any valuable strings in the binary.
Most of the output is gibberish, but the few readable strings that remain are still useful and point us toward the solution.

UPX is a packer: it takes a binary and compresses its data, which also obscures it from tools like ‘strings’.
When the packed binary is executed, a small stub decompresses the original binary into memory at runtime and then hands execution to it.

Now we know why we didn’t get valuable strings from the binary – the binary was compressed with UPX.
Now, we’ll decompress the binary with the same tool.

Running the ‘strings’ tool again on the unpacked binary now shows far more data than before.
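To show why the packed binary gives ‘strings’ so little to work with, here is a small triage script (an added example, not part of the original write-up or the challenge files): it re-implements a basic ‘strings’ scan, measures byte entropy (compressed data sits close to 8 bits per byte), and looks for the ‘UPX!’ marker that UPX leaves in the files it packs. The two sample byte strings are constructed stand-ins for a packed and an unpacked ELF, not the real challenge binary.

```python
import math
from collections import Counter

UPX_MAGIC = b"UPX!"      # marker UPX writes into its packed files
ELF_MAGIC = b"\x7fELF"   # ELF file header magic


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Rough equivalent of the 'strings' tool: runs of printable ASCII."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def triage(data: bytes) -> dict:
    """Quick packer check: ELF header, UPX marker, entropy and string count."""
    return {
        "is_elf": data.startswith(ELF_MAGIC),
        "upx_marker": UPX_MAGIC in data,
        "entropy": round(shannon_entropy(data), 2),
        "string_count": len(printable_strings(data)),
    }


# Constructed samples (hypothetical, not the real challenge binary):
# a "packed" file full of high-entropy bytes carrying the UPX marker, and an
# "unpacked" file with padding plus the prompts seen when running the binary.
PACKED = ELF_MAGIC + bytes(range(256)) * 4 + UPX_MAGIC + bytes(range(256)) * 4
UNPACKED = (ELF_MAGIC + b"\x00" * 64
            + b"What's my favorite number?\x00Sorry, that's not it!\x00")

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(name, triage(blob))
```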

Let’s open this binary with the ‘ghidra’ tool to reverse engineer it.
The Symbol Tree section shows the binary’s imports, exports, functions, labels, classes, and namespaces.

After reviewing the files in each section, I noticed the ‘main’ file inside the ‘m’ folder in the ‘functions’ section.

Ghidra decompiles ‘main’, and we can read the resulting C code.
We can see the prompt we got earlier when we executed the binary, “What’s my favorite number?”, along with the ‘scanf’ call that reads the user’s input.
The input is then checked in an ‘if’ condition.
If ‘local_44’ equals the value ‘0xb83cb’, the code inside the block enclosed by curly braces {} is executed; otherwise it prints “Sorry, that’s not it!”.

We can run Python, evaluate ‘0xb83cb’, and get its decimal value.

Execute the binary again, paste the ‘754635’ value, and get the flag!

Summary

This was a picoCTF challenge from the ‘Reverse Engineering’ section.
The challenge was at the beginner level, but learning about the ‘UPX’ packer tool, recovering strings and other information by unpacking the binary, and reverse engineering it with the ‘ghidra’ tool to find the favorite number made it worth solving.
