Skip to content

Reykjavik

  1. Running the executable file tells us that it requires the flag as cmd arg, which will then be compared with the flag nd printed out.

  2. Start gdb and set a breakpoint at main():

    bash gdb ./Reykjavik

    ```gdb Reading symbols from ./Reykjavik... (No debugging symbols found in ./Reykjavik) (gdb) break main Breakpoint 1 at 0x10a0 (gdb) run some-random-string Starting program: /home/harshit/Downloads/Reykjavik some-random-string [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Breakpoint 1, 0x00005555555550a0 in main () ```

  3. Disassemble main() and look for strcmp, that may have been used to compare the arg and flag:

    gdb Breakpoint 1, 0x00005555555550a0 in main () (gdb) set disassembly-flavor intel (gdb) disas main Dump of assembler code for function main: => 0x00005555555550a0 <+0>: endbr64 0x00005555555550a4 <+4>: push r13 0x00005555555550a6 <+6>: push r12 . . . 0x0000555555555161 <+193>: xor eax,0xffffffab 0x0000555555555164 <+196>: mov BYTE PTR [rsp+0x1a],al 0x0000555555555168 <+200>: call 0x555555555080 <strcmp@plt> 0x000055555555516d <+205>: mov r12d,eax 0x0000555555555170 <+208>: test eax,eax 0x0000555555555172 <+210>: jne 0x555555555197 <main+247> 0x0000555555555174 <+212>: mov rdx,r13 . . . End of assembler dump.

  4. If compared strings are equal, strcmp returns 0 (man 3 strcmp for more info), which is stored in eax. \ test eax, eax checks if eax is zero or not. Set a breakpoint at that instruction and print the values of registers:

    ```gdb (gdb) break *0x0000555555555170 Breakpoint 2 at 0x555555555170 (gdb) c Continuing. Welcome to the CTFlearn Reversing Challenge Reykjavik v2: some-random-string Compile Options: ${CMAKE_CXX_FLAGS} -O0 -fno-stack-protector -mno-sse

    Breakpoint 2, 0x0000555555555170 in main () (gdb) info registers rax 0xffffffd0 4294967248 rbx 0x7fffffffdeb8 140737488346808 rcx 0x73 115 rdx 0x76304c5f6579457b 8516390867965658491 . . . ```

    Observe rax (eax is the low 32 bits of rax), which is currently non-zero (obviously).

  5. Set the value of the register as 0 and continue:

    ```gdb (gdb) set $eax=0 (gdb) info registers rax 0x0 0 rbx 0x7fffffffdeb8 140737488346808 rcx 0x73 115 rdx 0x76304c5f6579457b 8516390867965658491 . . .

    (gdb) c Continuing. Congratulations, you found the flag!!: 'CTFlearn{Eye_L0ve_Iceland_}'

    [Inferior 1 (process 985301) exited with code 0320] ```