Giam v0.01 Writeup
Use IDA to find the function responsible for displaying the flag and jump to it for an unintended solve.
Challenge Description
A giam you must hax
Solution
Step 1: Analyzing the Binary
We start by loading the binary into IDA and analyzing the code, which, unfortunately, is compiled from Rust. Looking at the strings in the .rdata section of the binary, we can see an interesting one containing the flag prefix:
Step 2: Identifying the flag function
By scrolling back up to the start of the disassembly and searching for “Congratz” (Ctrl + F), we are taken to the function that references it (pressing X on the string to list its cross-references gets us to the same place):
Switching to decompiler view, we can see that it’s part of a switch:
Looking at the full function, it has a beautiful 1488 lines, which suggests that it is the main loop or frame handler of the menu.
Step 3: Setting breakpoints and jumping
Going to the start of the function, we find the switch instruction and set a breakpoint on it:
Running the binary and hitting the breakpoint, we press F9 a few times to let the menu fully initialize, so that the function's state is already set up when we redirect execution into it. Afterwards, we go to the case that displays the flag and use Set IP to jump to it:
We can synchronize the decompiler view with the disassembly view (as we can only set IP from the disassembly view) by right-clicking on the decompiler view and selecting Synchronize with -> IDA View-RIP.
We right-click the first instruction of that case, choose Set IP and, by pressing F9, we can see the flag being displayed:
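The same three steps (find the string, walk its cross-references back to the containing function, break there and move RIP to the flag case) can be scripted from IDA's Python console. The following is an added example and not the author's script; it uses the real IDAPython modules (idautils, ida_funcs, idc), while the “Congratz” marker, the RIP register name and the `case_ea` argument (the address of the flag-printing case, read off the decompiler by hand) are assumptions. `extract_flags` is a pure helper that works outside IDA; the other functions only run inside IDA with the debugger attached.

```python
"""IDAPython helper for the unintended solve described above (added example).

Rust binaries often reference a string literal through a (ptr, len) pair
in .rdata/.data rather than directly from code, so the first xref from the
string may land in data rather than in a function; find_string_refs follows
one more hop in that case.
"""
import re

# Flag format used by this challenge (Hero{...}); assumption for the regex.
FLAG_RE = re.compile(r"Hero\{[^}]*\}")


def extract_flags(text):
    """Pure helper: pull every Hero{...} flag out of console/debugger output."""
    return FLAG_RE.findall(text)


def find_string_refs(marker="Congratz", max_depth=2):
    """Return (ref_ea, func_start, func_name) for code that references a
    string containing `marker`, following up to `max_depth` data hops."""
    import idautils, ida_funcs, idc  # only available inside IDA

    hits = []
    for s in idautils.Strings():
        if marker not in str(s):
            continue
        frontier = [(s.ea, 0)]
        seen = set()
        while frontier:
            ea, depth = frontier.pop()
            for xr in idautils.XrefsTo(ea):
                f = ida_funcs.get_func(xr.frm)
                if f is not None:
                    hits.append((xr.frm, f.start_ea, idc.get_func_name(f.start_ea)))
                elif depth < max_depth and xr.frm not in seen:
                    # xref came from a data item (e.g. a Rust &str pair):
                    # look for code referencing that item instead
                    seen.add(xr.frm)
                    frontier.append((xr.frm, depth + 1))
    return hits


def locate_and_break(marker="Congratz"):
    """Print every function that uses the marker string and set a breakpoint
    at the start of the first one (the menu/frame handler in this challenge)."""
    import idc

    hits = find_string_refs(marker)
    for ref_ea, func_ea, name in hits:
        print("0x%x references %r inside %s (0x%x)" % (ref_ea, marker, name, func_ea))
    if hits:
        idc.add_bpt(hits[0][1])
    return hits


def jump_to_case(case_ea, reg="RIP"):
    """Equivalent of right-click -> Set IP while the process is suspended.

    Only meaningful once execution is already inside the handler function
    (after letting the menu initialise with F9), otherwise the case runs
    against an uninitialised stack frame. `case_ea` is taken from the
    decompiler; `reg` is an assumption (RIP for a 64-bit target).
    """
    import idc

    return idc.set_reg_value(case_ea, reg)
```

Run `locate_and_break()` with the target loaded, start the debugger, continue until the breakpoint hits and the menu is drawn, then call `jump_to_case(0x...)` with the address of the flag case and continue; the flag appears in the program's output, where `extract_flags` can pick it out of a pasted console dump.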
Conclusion
To summarize the steps we took:
- We loaded the binary into IDA and analyzed the code to find a string that contains Hero{}.
- We identified the function responsible for displaying the flag by searching for the string “Congratz” in the disassembly.
- We set breakpoints at the start of the function and ran the binary to hit the breakpoint.
- We synchronized the decompiler view with the disassembly view and set the instruction pointer to the case displaying the flag.
- By pressing F9, we were able to see the flag being displayed.
By carefully following these steps, we were able to use IDA to find the function responsible for displaying the flag and jump to it for an unintended solve.
Flag
Hero{&1Kb,6Kb08Lb-3Jb}