
PicoCTF 2024: packer

This challenge's description asks: "Reverse this linux executable?". I answer: "Challenge accepted!"


Right after downloading the binary, I checked what type of file it was.


The next step was to check the strings (strings out). It was an endless output, from which something caught my eye. 👁️🤔

It was the 🥇st time I saw something like this. Consequently, I decided to activate my research skills 🔍.🔎

According to this source:

UPX is an advanced executable file compressor. UPX will typically reduce the file size of programs and DLLs by around 50%-70%, thus reducing disk space, network load times, download times and other distribution and storage costs.

All right, it seems to work like an archiver. If something was compressed, then it can also be decompressed, right? 🤓🙌

Out of curiosity, I looked for ways to decompress a UPX file.

If you don't have it already, you can install UPX according to this documentation.

With that being said, let's see what we got.

It seems that we obtained more details after decompressing the file.
We can look for the flag either by:
🕛 using strings and looking carefully for hints
🕐 using strings and searching for the text pattern
🕑 summoning Ghidra
🕒 using debuggers...

Honestly, the easiest way is using strings and grepping for the flag.

Then we take the encrypted text and use CyberChef to decrypt it.

Thanks to the magic wand 🪄, we get the flag!!
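The same triage the post does by hand (spot the UPX banner in the strings, then pull out and decode the flag) can be scripted. This is an added example, not part of the original post; it runs on a constructed byte blob standing in for the unpacked binary, and it assumes the flag is hex-encoded, which is what a "magic" recipe in CyberChef would detect for a simple encoding like this.

```python
import re
import binascii

# UPX leaves recognisable markers in a packed file: the "UPX!" magic in its
# header and the info banner that showed up in the `strings` output.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")

# picoCTF flag format, used as the search pattern (assumption for this example).
FLAG_RE = re.compile(rb"picoCTF\{[^}]*\}")
# Runs of hex digit pairs long enough to hold an encoded flag.
HEX_RE = re.compile(rb"(?:[0-9a-fA-F]{2}){8,}")

def is_upx_packed(data: bytes) -> bool:
    """Cheap triage check: does the blob carry UPX's own markers?"""
    return any(marker in data for marker in UPX_MARKERS)

def find_flags(data: bytes) -> list[str]:
    """Return plaintext flags plus any hidden behind a hex encoding."""
    found = [m.group().decode() for m in FLAG_RE.finditer(data)]
    for m in HEX_RE.finditer(data):
        try:
            decoded = binascii.unhexlify(m.group())
        except binascii.Error:
            continue  # not clean hex, skip it
        found.extend(f.group().decode() for f in FLAG_RE.finditer(decoded))
    return found

# Constructed sample: a fake ELF-like blob carrying the UPX banner and a
# hex-encoded placeholder flag, standing in for the real challenge file.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
    + b"Enter the password to unlock the flag: \n"
    + b"Password correct, please see flag: "
    + binascii.hexlify(b"picoCTF{placeholder_flag_0000}") + b"\n"
    + b"UPX!\x0d\x16"
)

if __name__ == "__main__":
    print("UPX markers present:", is_upx_packed(SAMPLE))
    print("Flags recovered:", find_flags(SAMPLE))
```

Point the two functions at the bytes of a real file (open(path, "rb").read()) before and after upx -d to see the markers disappear and the flag become reachable.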


In Ghidra we obtain the same result, but it takes a bit longer until the function "main" appears, and it will not be so obvious: you have to search for it.


And using the debuggers: I used pwndbg. I set a breakpoint on the puts instruction


and found this out:

Wait, we also have another encrypted text. Curious what's there?


And that was it! A binary challenge can be solved in multiple ways; there will be times when strings will not reveal the answer, so we need to use other tools 😺.

Congrats! 👏 What are your thoughts? 🤔

Top comments (2)

steeve:

Interesting investigation, bravo!

yowise:

Thanks a lot! 😄