Learning RE Day 1: Unpackme

2024-07-23

New Series, Who dis?

Today marks the beginning of my learning RE. I won't be posting daily, but I will be posting often. As of today I am not fully familiar with C and I am still learning much about the language. Today I wanted to complete a PicoGym RE challenge called unpackme, so let's get into it!

Initial Impressions

  • Let's start off by running the program:
vipin@instance-20240722-150326:/home/pwn$ ./unpackme-upx
What's my favorite number? 8903
Sorry, that's not it!
  • I see, so we need to find the number and input it to get the flag.

Strings & Things

  • A simple first step is running strings on the binary. Here it gives mostly junk, except for this:
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $
  • The binary is packed with UPX, which is why strings shows so little: the real code and data are compressed inside the file. We should get a lot more information if we unpack it, and it will be far easier to understand once decompiled!
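Recognizing a UPX-packed file without upx installed is useful in triage. Here is an added example (not code from the original post or from the picoCTF challenge) that checks for the two markers UPX leaves in a file, the copyright banner seen above and the "UPX!" magic from its loader header, and adds a Shannon-entropy estimate, since a compressed body sits near 8 bits per byte while ordinary code and strings sit well below. The input bytes are constructed in memory as a stand-in for a real binary.

```python
"""Quick packer triage for a suspected UPX-packed binary (added example).

Sample inputs are constructed in memory; nothing here reads the real
challenge file from disk.
"""
import math
import random
import re
from collections import Counter

# The banner strings printed above, and the "UPX!" l_magic UPX writes into
# its loader header. Both can be patched out by someone hiding the packer,
# so their absence proves nothing.
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"
UPX_MAGIC = b"UPX!"
UPX_VERSION_RE = re.compile(rb"\$Id: UPX (\d+\.\d+)")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, close to 8.0 for noise."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_upx(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report marker hits and entropy for a blob.

    A marker hit is a strong indicator; entropy alone is only a heuristic,
    because any compressed or encrypted payload is high-entropy too.
    """
    version = UPX_VERSION_RE.search(data)
    entropy = shannon_entropy(data)
    has_marker = UPX_INFO in data or UPX_MAGIC in data
    return {
        "info_banner": UPX_INFO in data,
        "magic": UPX_MAGIC in data,
        "version": version.group(1).decode() if version else None,
        "entropy": round(entropy, 2),
        "likely_packed": has_marker or entropy > entropy_threshold,
    }


def build_sample(packed: bool) -> bytes:
    """Constructed stand-in for an ELF; not the real unpackme-upx file."""
    elf_header = b"\x7fELF" + bytes(60)  # magic plus zero padding
    if packed:
        rng = random.Random(1)  # seeded so the result is reproducible
        body = bytes(rng.getrandbits(8) for _ in range(4096))  # looks like noise
        banner = (
            b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
            b"$Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $\n"
        )
        return elf_header + UPX_MAGIC + body + banner + UPX_MAGIC
    # An unpacked-looking body: the prompt strings repeated, low entropy.
    return elf_header + b"What's my favorite number? \x00Sorry, that's not it!\x00" * 64


if __name__ == "__main__":
    for label, packed in (("packed", True), ("plain", False)):
        print(label, detect_upx(build_sample(packed)))
```

If the banner is present but upx -d refuses to unpack the file, the header has usually been tampered with to break the tool; that is a separate topic, but the entropy reading will still tell you the payload is compressed.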

Unpacking, Decompiling, and Solving

  • We can use the upx command to unpack the executable. Note that upx -d rewrites the file in place; pass -o <name> if you want to keep the packed original next to the unpacked copy. sudo is only needed if you can't write to the file.
vipin@instance-20240722-150326:/home/pwn$ sudo upx -d unpackme-upx
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2024
UPX 4.2.2       Markus Oberhumer, Laszlo Molnar & John Reiser    Jan 3rd 2024
 
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1006445 <-    440252   43.74%   linux/amd64   unpackme-upx
 
Unpacked 1 file.
vipin@instance-20240722-150326:/home/pwn$
  • Running strings on the unpacked file now gives a lot more readable data! Our next step is to decompile it. I will be using Ghidra, a common favorite in the RE community.

[Figure 1: Ghidra decompilation of main; image not reproduced here]

Fig.1 Main
  • Looking at the main function, here is what I understand:
  1. It prompts with printf("What\'s my favorite number? ");
  2. It then compares our input (local_44) against a hard-coded constant: if (local_44 == 0xb83cb) {
  • That constant is in hex and the program reads a decimal number, so let's convert it real quick...
python3
Python 3.12.4 (v3.12.4:8e8a4baf65, Jun  6 2024, 17:33:18) [Clang 13.0.0 (clang-1300.0.29.30)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> 0xb83cb
754635
  • Aha! 754635 is the program's favorite number! Let's input it to get the flag!
vipin@instance-20240722-150326:/home/pwn$ ./unpackme-upx
What's my favorite number? 754635
picoCTF{up><_m3_f7w_77ad107e}

Flag: picoCTF{up><_m3_f7w_77ad107e}

That's a wrap!

I enjoyed this CTF challenge. It taught me about packing/unpacking, I got more familiar with Ghidra, and the best part is I didn't even use a writeup! Thank you for reading the first part of the series, it means a lot!

For any work-related inquiries, please email me at vipin@vipin.xyz. If you want to chat with me, feel free to drop me a message on Discord