binhex.ninja logo


./RE

CONNECT

𝕏

in

5th April, 2024

Zero Days CTF (2024) RE - 2

In this challenge, we'll explore binary analysis, focusing on binary file formats, executable packers, and static analysis techniques. We'll examine the structure of executables, how packers like UPX compress them, and how to unpack and analyze such binaries using tools like HxD, Detect-It-Easy, and Binary Ninja. Through this exploration, we'll uncover hidden information and potential flags within binary files.
ctf image
Download Challenge

The second challenge features the file ‘chall’.

2024 04 05_18h09_11

Figure 1: Displays the file ‘chall

Upon observation in HxD, it is evident that the file is an ELF file. The identification of the file as an ELF file is attributed to the observed magic bytes.

2024 04 05_18h21_21

Figure 2: Illustrates ELF bytes observed in HxD

An ELF (Executable and Linkable Format) file is a common binary file format used for executables, object code, shared libraries, and core dumps in Unix-like operating systems. It defines the structure for executable files, specifying how programs are laid out in memory and executed by the operating system loader or kernel. ELF files contain headers and sections that describe program information, such as code, data, symbols, and dynamic linking information. They are versatile and widely used across various Unix-based systems, including Linux and BSD.

Using Detect-It-Easy, it is observed that the file is utilizing the UPX packer.

2024 04 05_18h30_18

Figure 3: Displays Detect-It-Easy indicating that the binary is packed with UPX

UPX (Ultimate Packer for eXecutables) is a free and open-source executable packer. It compresses executable files and libraries, reducing their size and making them more challenging to analyze or reverse engineer. UPX achieves compression by rearranging code sections, removing redundant data, and applying various compression algorithms. It is commonly used by software developers to reduce the size of their executables without compromising functionality. However, it is also utilized by malware authors to obfuscate their code and evade detection by security software.

The UPX packer/unpacker can be downloaded to unpack the file. You can find it here.

The following command can be utilized to unpack the UPX packed file - 

upx.exe -d [Filename]
2024 04 05_18h21_21%20%281%29

Figure 4: Demonstrates the utilization of the UPX unpack command to generate the resulting unpacked binary

Upon reevaluation using Detect-It-Easy, it is observed that the file is now unpacked, resulting in a clean binary.

2024 04 05_18h21_21%20%287%29

Figure 5: Depicts the unpacked sample as identified in Detect-It-Easy

Upon opening the file in Binary Ninja and navigating to the main function, the flag string is observed.

2024 04 05_18h21_21%20%282%29

Figure 6: Illustrates the main function of the file in Binary Ninja, highlighting the flag string

The acquired flag is as follows - 

Flag - ZeroDays{upx_p4ck3d_4u_403ea9ab}
Support This Blog
contact
logo
COPYRIGHT
Custom HTML here.