el-picasso Writeup

Analyze a 32-bit binary in IDA and find a QR code from the graph view.


Challenge Description

The challenge involves a binary that prints an ASCII cat. Our goal is to reverse engineer the binary to find the hidden flag.

ASCII Cat

Solution

Step 1: Checking the Binary

First, we use the file command to inspect the binary:

file el-picasso

The output indicates that it is a 32-bit dynamically linked binary, not stripped:

el-picasso: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, not stripped

Running the binary prints an ASCII cat.

Step 2: Disassembling the Binary

Next, we disassemble the binary using Ghidra.

Ghidra

However, the output is mostly gibberish and the decompiler doesn't work. Switching to IDA Free, we get a more readable disassembly, but IDA warns that the graph won't be displayed because the function has more nodes than its default maximum of 1000.

IDA Free Warning

Step 3: Investigating the Disassembly

Upon further investigation, we find that the code is messy. Googling "ctf vfmaddsub132ps" leads us to a presentation from DEF CON 23, which explains that this instruction, among others, can be used to "psychologically torment" reverse engineers: the basic blocks are laid out so that the control-flow graph forms an image in the graph view.

Step 4: Decoding the QR Code

By raising the maximum node limit in IDA Free's graph options, we reveal a graph that resembles a QR code.

QR Code

We screenshot the graph and adjust the colors in Photoshop to make it more visible.

Adjusted QR Code

Scanning it reveals the flag.

Flag

Flag

ctf{1ff757b6b99229db80a208563aa98dfb5e4a592b34551ba44b63038c7bd442af}

This post is licensed under CC BY 4.0 by the author.