
12 - Writeup

Challenge

Binary-only CTF challenge. The file is an ELF64 PIE named 12.

Summary

The binary validates a UDP response and then unpacks and runs a staged RWX blob. The 56-byte UDP response must have a fixed 8-byte header and a 48-byte payload. The payload is used as a per-stage key; each stage embeds a hash check that can be inverted to recover the next 32-bit word of the key. After 12 iterations, the correct 48-byte payload drops the flag.

Flag: 0xL4ugh{eNOUgh_OBFuscaT!On_For_tOD@y_I7S_Time_for_tH3_FLag!}

Step 1: Identify the expected UDP response

The program sends a 4-byte request to 127.0.0.1:1337 and expects a response. Logging the recvfrom buffer and tracing the validation function shows:

That forces:

Response format (hex): 8ae1aff50038000c + 48-byte payload.

Step 2: Observe staged blob behavior

After validation, the program:

  1. Copies 48 bytes into a struct.
  2. Maps an RWX memory region with mmap.
  3. Copies a 600+ byte blob into the RWX page and executes it.

Dumping the exec map shows a self-decrypting stub. The stub has two XOR/ADD loops and then a “hash check” function that returns 1 only if a 32-bit input matches a hardcoded target.

Step 3: Extract the per-stage hash check

When the payload is all zeros, the decrypted blob contains a function that:

Because the operations are all invertible modulo 2^64, you can invert the function to recover the required 32-bit input for that stage. That recovered 32-bit word is the next 4 bytes of the UDP payload.
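An added illustration of this inversion, not the author's derive_key.py and not the challenge's real check: the mixer and every constant below are constructed for the example. It shows how each kind of step (XOR with a constant, multiply by an odd constant, rotate, add, xor-shift) is undone modulo 2^64, and how a target that no 32-bit input can reach is rejected.

```python
MASK64 = (1 << 64) - 1
MASK32 = 0xFFFFFFFF

# Constructed constants for illustration only; not taken from the challenge blob.
MUL = 0x9E3779B97F4A7C15   # odd, so it has an inverse modulo 2^64
ADD = 0x0123456789ABCDEF
XOR = 0xA5A5A5A55A5A5A5A
ROT, SHIFT = 17, 29

def rol64(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK64

def ror64(x, r):
    return ((x >> r) | (x << (64 - r))) & MASK64

def forward(x):
    """Hypothetical mixer: a bijection on 64-bit values."""
    x ^= XOR
    x = (x * MUL) & MASK64
    x = rol64(x, ROT)
    x = (x + ADD) & MASK64
    return x ^ (x >> SHIFT)

def mix(word):
    """Hypothetical stage check body: 32-bit input -> 64-bit value."""
    return forward(word & MASK32)

def undo_xorshift_right(y, s):
    # For y = x ^ (x >> s) the top s bits of y equal those of x;
    # each pass recovers s more correct bits from the top down.
    x = y
    for _ in range(64 // s + 1):
        x = y ^ (x >> s)
    return x

def unmix(target):
    """Undo forward() step by step, in reverse order."""
    x = undo_xorshift_right(target, SHIFT)
    x = (x - ADD) & MASK64                    # inverse of add
    x = ror64(x, ROT)                         # inverse of rotate left
    x = (x * pow(MUL, -1, 1 << 64)) & MASK64  # modular inverse of MUL
    x ^= XOR                                  # XOR is its own inverse
    return x if x <= MASK32 else None         # must fit the 32-bit input

if __name__ == "__main__":
    word = 0xDEADBEEF                         # constructed sample input
    print(hex(mix(word)), hex(unmix(mix(word))))
```

`pow(MUL, -1, 1 << 64)` needs Python 3.8 or later; a multiplier that is even has no inverse modulo 2^64 and would make the step non-invertible.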

Step 4: Automate all 12 rounds

Each new payload word changes the decrypted blob and therefore the next hardcoded target. Repeat the process 12 times to recover the full 48-byte payload.

I automated this in E:\ctf4\derive_key.py and executed the blob locally using E:\ctf4\run_exec_blob:

Key (48-byte payload) hex: bb1f051b94fbb62e38aee6ebda3721e2c0e44323fa05bd58a771e7a6fcd1374ae2107871b8d688e8be021fe5b2cbc004

Step 5: Send the final response

Final response (hex): 8ae1aff50038000c + key hex above.

Running the binary with this response prints the flag.

Notes / Tooling