el-picasso Writeup
Analyze a 32-bit binary in IDA and find a QR code from the graph view.
Challenge Description
The challenge involves a binary that prints an ASCII cat. Our goal is to reverse engineer the binary to find the hidden flag.
Solution
Step 1: Checking the Binary
First, we use the `file` command to inspect the binary:

```bash
file el-picasso
```

The output indicates that it is a 32-bit, dynamically linked, unstripped ELF:

```
el-picasso: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, not stripped
```
Running the binary prints an ASCII cat.
Step 2: Disassembling the Binary
Next, we disassemble the binary in Ghidra. Its output is mostly gibberish and the decompiler fails on it. Switching to IDA Free gives a more readable disassembly, but IDA warns that the graph will not be displayed because the function has more than 1000 nodes, the default maximum for the graph view, and falls back to text view.
Step 3: Investigating the Disassembly
Upon further investigation, we find that the code is messy and full of FMA instructions such as `vfmaddsub132ps`, which have no business in a program that prints an ASCII cat. Googling `ctf vfmaddsub132ps` leads to Chris Domas's DEF CON 23 presentation "REpsych: Psychological Warfare in Reverse Engineering", which shows that these instructions, among others, can be used to "psychologically torment" reverse engineers: the instruction bodies are filler, and the real payload is the shape of the control-flow graph, which is laid out so that the graph view renders an image.
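A quick way to confirm this kind of filler before fighting the graph view is to count how much of the listing consists of FMA-family mnemonics. The script below is an added example, not part of the original writeup: it parses `objdump -d` output (run on a file path if one is given, otherwise on a constructed sample whose addresses and opcode bytes are illustrative and not taken from `el-picasso`) and reports the share of instructions from the `vfmadd*`/`vfmsub*` families.

```python
"""Triage a disassembly for the FMA-family filler REpsych-style binaries use.
Added example for this writeup; SAMPLE below is constructed, not real output."""
import re
import shutil
import subprocess
import sys
from collections import Counter

# Mnemonic families the binary is stuffed with. An ordinary 32-bit CTF binary
# has little reason to emit these, so a high share of them is a hint that the
# code exists to shape the graph rather than to compute anything.
SUSPECT_PREFIXES = ("vfmadd", "vfmsub", "vfnmadd", "vfnmsub")

# One `objdump -d` instruction line: "<addr>:<tab><bytes...><tab><mnemonic> <operands>".
# Label lines ("08049000 <main>:") and byte-only continuation lines do not match.
_INSN = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+"       # address
    r"(?P<bytes>(?:[0-9a-f]{2}\s)+)\s*"  # opcode bytes, each followed by whitespace
    r"(?P<mnem>[a-z][a-z0-9.]*)"         # mnemonic, e.g. vfmaddsub132ps
)


def parse_objdump(text):
    """Return [(address, mnemonic), ...] for every instruction line in objdump -d output."""
    out = []
    for line in text.splitlines():
        m = _INSN.match(line)
        if m:
            out.append((int(m.group("addr"), 16), m.group("mnem")))
    return out


def mnemonic_counts(text):
    """Histogram of mnemonics in the listing."""
    return Counter(mnem for _, mnem in parse_objdump(text))


def is_suspect(mnem):
    return mnem.startswith(SUSPECT_PREFIXES)


def triage(text):
    """Summarise how much of the listing is FMA filler."""
    counts = mnemonic_counts(text)
    total = sum(counts.values())
    suspect = {m: n for m, n in counts.items() if is_suspect(m)}
    n_suspect = sum(suspect.values())
    return {
        "total": total,
        "suspect": n_suspect,
        "ratio": (n_suspect / total) if total else 0.0,
        "by_mnemonic": suspect,
    }


def disassemble(path):
    """Run `objdump -d` on a file (GNU binutils must be installed)."""
    if shutil.which("objdump") is None:
        raise RuntimeError("objdump not found; install binutils")
    return subprocess.run(["objdump", "-d", path], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample in objdump's AT&T layout. Addresses and bytes are
# illustrative only; they are not taken from the el-picasso binary.
SAMPLE = """\
08049000 <main>:
 8049000:\t55                   \tpush   %ebp
 8049001:\t89 e5                \tmov    %esp,%ebp
 8049003:\tc4 e2 79 96 c1       \tvfmaddsub132ps %xmm1,%xmm0,%xmm0
 8049008:\tc4 e2 79 b6 c1       \tvfmaddsub231ps %xmm1,%xmm0,%xmm0
 804900d:\tc4 e2 79 96 c1       \tvfmaddsub132ps %xmm1,%xmm0,%xmm0
 8049012:\teb 01                \tjmp    8049015 <main+0x15>
 8049014:\t90                   \tnop
 8049015:\t5d                   \tpop    %ebp
 8049016:\tc3                   \tret
"""

if __name__ == "__main__":
    listing = disassemble(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    report = triage(listing)
    print(f"{report['suspect']}/{report['total']} instructions "
          f"({report['ratio']:.0%}) are FMA filler: {report['by_mnemonic']}")
```

Run it as `python3 triage.py ./el-picasso` to score the real binary; a listing where a third or more of the instructions are FMA filler is a strong sign that the function is worth looking at as a picture rather than as code.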
Step 4: Decoding the QR Code
By raising the node limit in IDA Free (Options > General > Graph tab > "Max number of nodes") above the 1000 default, the graph view draws the whole function, and the result resembles a QR code.
We screenshot the graph and adjust the colors in Photoshop so the nodes and edges read as a clean black-and-white pattern.
Scanning the cleaned-up image reveals the flag.
Flag
```
ctf{1ff757b6b99229db80a208563aa98dfb5e4a592b34551ba44b63038c7bd442af}
```