FlagYard: LostFlag Write-up
Challenge Description
The flag got lost, can you retrieve it?
Challenge Link -> LostFlag
Looking at the decompiled code, we can see that the flag is "lost" only after the call to the function loadingAnimation.
In the main function, after the printf call, the code loops over memory from 0x140006000 to 0x1400060dc (the buffer stored at _Argv) and XORs it 8 bytes at a time. It then calls loadingAnimation(1000), which runs the animation for 1000 iterations with a 200 ms Sleep on each one. That means the data containing the flag has already been decoded by the XOR loop before the long wait begins.
I will use GDB for debugging. If you are running the executable on a Linux machine, start the program under Wine in the background and pass the running process ID to GDB:
wine64 <file> & sleep 0.3
Find the PID of the Wine process that has loaded load.exe:
ps aux | grep "load"
Attach GDB to that PID:
gdb -p <PID>
We will break after the XOR loop but before the CALL loadingAnimation, at address 0x140005b95: the MOV instruction that writes 0x3e8 (1000) into _Argv. Once stopped there, read the memory that the first loop covered, from the start of its range to the end of the loop.
Use x/s in GDB to print the string at a memory address; at the start of the range you can already see the first character of the flag, “F”. Next, print up to 512 bytes as C-strings (this will show any ASCII sequences), and keep printing until you see the end of the flag format or reach address 0x1400060dc, which marks the end of the loop.
Reconstruct the full flag string FlagY{...}
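To show what the XOR loop and the string search above amount to, here is an added Python example that is not part of the original write-up. It emulates the decode loop (XOR 8 bytes at a time with a 64-bit key) over a memory dump of the 0x140006000-0x1400060dc range, then scans the result for printable runs the way repeated x/s would, and picks out the FlagY{...} pattern. The key value, the sample flag text and the zero padding around it are constructed for this example; the real key comes only from the decompiled loop.

```python
import re
import struct

# Addresses of the XOR loop's range, taken from the write-up.
REGION_START = 0x140006000
REGION_END = 0x1400060dc

# Assumed 8-byte XOR key (example only; the challenge's key is in the decompiled loop).
KEY = 0x5A5A5A5A5A5A5A5A


def xor_qwords(buf: bytes, key: int) -> bytes:
    """XOR a buffer 8 bytes at a time with a 64-bit key, like the decode loop in main.

    A short trailing chunk is zero-padded before the XOR and trimmed afterwards
    (an assumption about how the tail of a non-multiple-of-8 range is handled).
    """
    out = bytearray()
    for off in range(0, len(buf), 8):
        chunk = buf[off:off + 8].ljust(8, b"\x00")
        (qword,) = struct.unpack("<Q", chunk)
        out += struct.pack("<Q", qword ^ key)
    return bytes(out[:len(buf)])


def find_strings(buf: bytes, min_len: int = 4):
    """Emulate walking the range with x/s: yield (offset, text) for printable ASCII runs."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf):
        yield m.start(), m.group().decode("ascii")


def recover_flag(dump: bytes, key: int, base: int = REGION_START):
    """Decode the dump and return (address, flag) for the first FlagY{...} match, or None."""
    decoded = xor_qwords(dump, key)
    for off, text in find_strings(decoded):
        m = re.search(r"FlagY\{[^}]*\}", text)
        if m:
            return base + off + m.start(), m.group()
    return None


# Constructed sample: a plaintext region with the flag 16 bytes in, encrypted
# with KEY so that it looks like the .data bytes before the loop has run.
_PLAINTEXT = (b"\x00" * 16 + b"FlagY{example_flag_not_the_real_one}").ljust(
    REGION_END - REGION_START, b"\x00"
)
SAMPLE_DUMP = xor_qwords(_PLAINTEXT, KEY)  # XOR is its own inverse


if __name__ == "__main__":
    hit = recover_flag(SAMPLE_DUMP, KEY)
    if hit:
        addr, flag = hit
        print(f"flag found at {addr:#x}: {flag}")
    else:
        print("no FlagY{...} string in the decoded range")
```

Running the script prints the flag together with the address at which it would sit in the process, which is the same information the x/s walk in GDB gives you; with the wrong key, recover_flag returns None because the decoded bytes contain no FlagY{...} run.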