isitdtu-2022 | BKISC Blogshttps://bkisc-blog.netlify.app/tag/isitdtu-2022/isitdtu-2022Wowchemy (https://wowchemy.com)en-usFri, 13 Jan 2023 15:44:54 +0000https://bkisc-blog.netlify.app/media/logo_huc55a0313517dd04bda48a4ace4db28bc_511389_300x300_fit_lanczos_3.pngisitdtu-2022https://bkisc-blog.netlify.app/tag/isitdtu-2022/ISITDTU CTF 2022 Finals - Slowhttps://bkisc-blog.netlify.app/blog/fazect/isitdtu-2022-slow/Fri, 13 Jan 2023 15:44:54 +0000https://bkisc-blog.netlify.app/blog/fazect/isitdtu-2022-slow/<p> <ul class="tags-list"> <a href="https://bkisc-blog.netlify.app/tag/ctf/">ctf</a> <a href="https://bkisc-blog.netlify.app/tag/writeup/">writeup</a> <a href="https://bkisc-blog.netlify.app/tag/re/">re</a> <a href="https://bkisc-blog.netlify.app/tag/isitdtu-2022/">isitdtu-2022</a> </ul> <details class="toc-inpage d-print-none " open> <summary class="font-weight-bold">Table of Contents</summary> <nav id="TableOfContents"> <ul> <li><a href="#introduction">Introduction</a></li> <li><a href="#static-analysis">Static Analysis</a></li> <li><a href="#reaching-case-14">Reaching case 14</a></li> <li><a href="#reaching-case-1">Reaching case 1</a></li> <li><a href="#patch-the-binary">Patch the binary</a></li> <li><a href="#result">Result</a></li> </ul> </nav> </details> </p> <h2 id="introduction">Introduction</h2> <p><strong>Given binary:</strong> <a href="https://drive.google.com/file/d/1K2NjzRQadtL9CkbTINYDvrH7HRgSfDc1/view?usp=share_link" target="_blank" rel="noopener">Get it here!</a></p> <p><strong>Description:</strong> If you can make the program runs faster, you&rsquo;ll get the flag!</p> <p><strong>Category:</strong> Reverse Engineering</p> <h2 id="static-analysis">Static Analysis</h2> <p>The challenge provides us with a single binary, named <strong>slow.exe</strong>. By using <strong>IDA Pro</strong> or <strong>Ghidra</strong> or any other kinds of decompiler, we will get the decompiled code.</p> <p>Analyze the <strong>main</strong> function, we claim that the program initiates an array whose size is <strong>45</strong>, then modifies it through some more functions, as shown below.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">envp</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="n">Block</span><span class="p">;</span> <span class="c1">// [esp+4h] [ebp-BCh] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">int</span> <span class="n">v5</span><span class="p">[</span><span class="mi">45</span><span class="p">];</span> <span class="c1">// [esp+8h] [ebp-B8h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="o">-</span><span class="mi">3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">43</span><span class="p">]</span> <span class="o">=</span> <span class="mi">14</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">44</span><span class="p">]</span> <span class="o">=</span> <span class="mi">16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">Block</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)</span><span class="n">sub_401AC0</span><span class="p">(</span><span class="n">v5</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">sub_4013B0</span><span class="p">(</span><span class="n">Block</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">sub_401B40</span><span class="p">(</span><span class="n">Block</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The function <strong>sub_401AC0(v5, 38, 0)</strong> allocates dynamic memory using <strong>malloc</strong> based on <strong>v5</strong> then assigns it into variable <strong>Block</strong>. That variable is then being passed into function <strong>sub_4013B0(Block)</strong>, which will produce our flag once we have fixed it.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">sub_4013B0</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">result</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">int</span> <span class="n">v2</span><span class="p">;</span> <span class="c1">// eax </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [esp+4h] [ebp-64h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v37</span><span class="p">;</span> <span class="c1">// [esp+64h] [ebp-4h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">int</span> <span class="n">v38</span><span class="p">;</span> <span class="c1">// [esp+64h] [ebp-4h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">v6</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">*</span> <span class="n">a1</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span><span class="o">++</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">v6</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">switch</span> <span class="p">(</span> <span class="n">v6</span> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">1</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="n">v22</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">*</span> <span class="n">a1</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span><span class="o">--</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v26</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">*</span> <span class="n">a1</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span><span class="o">--</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v2</span> <span class="o">=</span> <span class="n">sub_401110</span><span class="p">(</span><span class="n">v26</span><span class="p">,</span> <span class="n">v22</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v16</span> <span class="o">=</span> <span class="n">a1</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">a1</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">=</span> <span class="n">v16</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">*</span> <span class="n">v16</span><span class="p">)</span> <span class="o">=</span> <span class="n">v2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">2</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">4</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">5</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">6</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">7</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">8</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">9</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">10</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">11</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">12</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">13</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">14</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="n">v38</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">_DWORD</span> <span class="o">*</span><span class="p">)(</span><span class="n">a1</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">+</span> <span class="mi">4</span> <span class="o">*</span> <span class="n">a1</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span><span class="o">--</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">sub_401040</span><span class="p">(</span><span class="s">&#34;RESULT: %d</span><span class="se">\n</span><span class="s">&#34;</span><span class="p">,</span> <span class="n">v38</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">sub_401260</span><span class="p">(</span><span class="n">v38</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">break</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">15</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">16</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">17</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="mi">18</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="k">default</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>It is easy to observe that only case 1 and case 14 involve calling other functions.</p> <p>To be more precise, if the program reaches <strong>case 1</strong>, the function <strong>sub_401110(v26, v22)</strong> will be called, and on the other hand, if the program reaches <strong>case 14</strong>, the function <strong>sub_401260(v38)</strong> will be called. We will talk more about these two functions in the next parts of this blog.</p> <h2 id="reaching-case-14">Reaching case 14</h2> <p>As stated earlier, the function <strong>sub_401260(v38)</strong> will be called if the program reaches <strong>case 14</strong>, which will be the last part of our code flow.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">sub_401260</span><span class="p">(</span><span class="kt">char</span> <span class="n">a1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="n">v2</span><span class="p">[</span><span class="mi">256</span><span class="p">];</span> <span class="c1">// [esp+10h] [ebp-224h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">char</span> <span class="n">Buffer</span><span class="p">;</span> <span class="c1">// [esp+110h] [ebp-124h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="n">_BYTE</span> <span class="n">v4</span><span class="p">[</span><span class="mi">3</span><span class="p">];</span> <span class="c1">// [esp+111h] [ebp-123h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> <span class="kt">char</span> <span class="n">v5</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="c1">// [esp+210h] [ebp-24h] BYREF </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="n">qmemcpy</span><span class="p">(</span><span class="n">v5</span><span class="p">,</span> <span class="s">&#34;Áõ&#34;</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">=</span> <span class="o">-</span><span class="mi">77</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="o">=</span> <span class="mi">26</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">...</span> <span class="n">snip</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">28</span><span class="p">]</span> <span class="o">=</span> <span class="o">-</span><span class="mi">66</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">v5</span><span class="p">[</span><span class="mi">29</span><span class="p">]</span> <span class="o">=</span> <span class="mi">63</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">memset</span><span class="p">(</span><span class="n">v2</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">v2</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">sub_401D50</span><span class="p">(</span><span class="o">&amp;</span><span class="n">Buffer</span><span class="p">,</span> <span class="s">&#34;%d&#34;</span><span class="p">,</span> <span class="mi">55</span> <span class="o">*</span> <span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">sub_401160</span><span class="p">(</span><span class="n">v5</span><span class="p">,</span> <span class="n">v2</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">Buffer</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">v4</span><span class="p">[</span><span class="n">strlen</span><span class="p">(</span><span class="o">&amp;</span><span class="n">Buffer</span><span class="p">)]</span> <span class="o">-</span> <span class="n">v4</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">sub_401040</span><span class="p">(</span><span class="s">&#34;flag is: %s&#34;</span><span class="p">,</span> <span class="p">(</span><span class="kt">char</span><span class="p">)</span><span class="n">v2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The function receives our modified variable <strong>Block</strong>, then uses it to produce our flag.</p> <h2 id="reaching-case-1">Reaching case 1</h2> <p>Here is where things get interesting. Take a look at the function <strong>sub_401110(v26, v22)</strong>, we can conclude that this is why our program runs slowly. The fact that it makes our program sleeps plus it is possibly called many times throughout the process makes our executable runs without any output for a very long time.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">sub_401110</span><span class="p">(</span><span class="kt">int</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">int</span> <span class="n">a2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">v3</span><span class="p">;</span> <span class="c1">// [esp+0h] [ebp-4h] </span></span></span><span class="line"><span class="cl"><span class="c1"></span> </span></span><span class="line"><span class="cl"> <span class="n">v3</span> <span class="o">=</span> <span class="n">sub_4010F0</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Sleep</span><span class="p">(</span><span class="mi">1000</span> <span class="o">*</span> <span class="n">a1</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="n">Sleep</span><span class="p">(</span><span class="mi">1000</span> <span class="o">*</span> <span class="n">a2</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">sub_4010F0</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">-</span> <span class="n">v3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The algorithm here is very simple, however this is author&rsquo;s idea to let the program sleeps for a total of <strong>(a1 + a2) seconds</strong> each time this function is called. The intended result of this function is to <strong>return a1 + a2</strong>. We will have to patch the binary to get our flag.</p> <h2 id="patch-the-binary">Patch the binary</h2> <p>So we know what makes our program runs slowly, it is time to fix that. Below is the decompiled assembly code of that part.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">mov ecx, [ebp+arg_0] </span></span><span class="line"><span class="cl">mov edx, [ecx+10h] </span></span><span class="line"><span class="cl">sub edx, 1 </span></span><span class="line"><span class="cl">mov eax, [ebp+arg_0] </span></span><span class="line"><span class="cl">mov [eax+10h], edx </span></span><span class="line"><span class="cl">mov ecx, [ebp+var_10] </span></span><span class="line"><span class="cl">push ecx </span></span><span class="line"><span class="cl">mov edx, [ebp+var_C] </span></span><span class="line"><span class="cl">push edx </span></span><span class="line"><span class="cl">call sub_401110 </span></span><span class="line"><span class="cl">add esp, 8 </span></span><span class="line"><span class="cl">mov [ebp+var_58], eax </span></span><span class="line"><span class="cl">mov eax, [ebp+arg_0] </span></span></code></pre></div><p>Instead of calling <strong>sub_401110</strong>, we should patch the program to directly calculates <strong>ecx + edx</strong> then assigns it into <strong>eax</strong>. We find out that the opcode of <strong>call sub_401110</strong> is <strong>E8 77 FC FF FF</strong>.</p> <p>Using <strong>IDA Pro</strong> integrated settings, which can be found at <strong>Options &gt; Generals &gt; Number of Opcode bytes (non-graph) set to a large enough number</strong>, we can view each instruction&rsquo;s opcode.</p> <p>With <a href="https://github.com/Gallopsled/pwntools" target="_blank" rel="noopener">pwntools</a> library, we also find out the opcode for <strong>add ecx, edx</strong> and <strong>move eax, ecx</strong> is <strong>01 D1</strong> and <strong>89 C8</strong> using this script written in <strong>Python</strong> below.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="s1">&#39;add ecx, edx&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="n">asm</span><span class="p">(</span><span class="s1">&#39;mov eax, ecx&#39;</span><span class="p">))</span> </span></span></code></pre></div><p>It is now time to patch the binary. Use any hex editor of your choice to patch the binary, here I use <strong>IDA Pro</strong>&rsquo;s integrated <strong>hex view</strong> to patch the binary.</p> <p>Change <strong>E8 77 FC FF FF</strong> to <strong>01 D1 89 C8 90</strong> using any hex editor of your choice (here <strong>90</strong> corresponds to the <strong>NOP</strong> instruction).</p> <h2 id="result">Result</h2> <p>After patching the binary, run it again to get our flag.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">fazect@LAPTOP-CQA118DI:/mnt/d/Downloads$ ./slow.exe </span></span><span class="line"><span class="cl">RESULT: 75025 </span></span><span class="line"><span class="cl">flag is: Pr4ct1c3_VMc0d3_w1th_F1b0n4cc1 </span></span></code></pre></div><p>Wrap the flag with <strong>ISITDTU{}</strong>, we have our flag for the challenge: <strong>ISITDTU{Pr4ct1c3_VMc0d3_w1th_F1b0n4cc1}</strong>.</p>