Geanu was a simple RE challenge from MidnightsunCTF.
The task starts by print the following ASCII-art of Keanu and awaits our input.
After getting user input it finishes.
Let's fire up Ghidra and load the binary. Since the binary is written in Go, we can apply 'golang_renamer.py` to demagle function names, but it's not really needed to solve this challenge.
We could start from main (
main_main in golang) and see an interesting comparison there
Why this would be interesting? Constant that the comparison is done with is 1337 and that screams "important" in CTFs ;). Another clou would be that it guards a function call and after the call, binary just finishes. Similar behavior we could observe from running the binary.
Another approach could be to look at function list to see if we could spot anything interesting. Depending on the sort column (almost always it's good to sort by function size - the bigger function, more chance there's something interesting) we can spot some function that contains AES in the name. We can pick one (I've picked
crypto_aes_expandKeyAsm_482760) and work our way back using XREFs.
After few steps up the call-chain we will end up in the function named
main_aamlojljmpmgmemeifmp_495010 and it contains quite an interesting code.
One, it does put series of bytes on the stack
Two, it does create AES cipher object (GCM mode) and does some printing. Assumption - this code decrypts the flag from the above data and prints it on screen.
Also, if you have been paying attention, we are in the same method that is guarded by the
if statement from
main. So if we add 2 from analysis of the
main, and 2 from the analysis of what this metod does, for sure we should pay a bit more closer attention to it.
My approach to this task, during CTF was to break into the method that uses AES, extract all the necessary info for AES-GCM and then externally use it to extract the flag. But that was not even needed since we assumed that the binary prints the flag.
So to solve, it is enough to break in
gdb at offset
0x94fedD with the use of
breakrva 0x94fed. After hitting the breakpoint, we can set the
rip to a jump destination by issuing
set $rip = 0x4944ff9 and simply continuing.
Binary will print the flag for us -