L3akCTF 2024 - [REV] Hidden
Difficulty : ⭐
LIBC function call tracing
The hidden binary is dynamically linked to LIBC:
I can use ltrace to trace each LIBC function call.
Hmm… the program calls strlen() multiple times with the “L3AK{b4by_sT3Ps” buffer. It seems that this is the start of the flag!
Decompilation with Ghidra
Using Ghidra, I can tell that the program has a main() function as entry point at FUN_001013e5:
and asks for a password in argv[1] because:
undefined8 FUN_001013e5(undefined8 param_1,long param_2) /* int main(int argc, char*argv[]) */
...
strcmp(*(char **) (param_2 + 8),__s2) /* strcmp(argv[1],__s2) */
Flag
It should be useful if I use L3AK{b4by_sT3Ps as a password in argv[1] with ltrace:
Now the program compares the password using the strcmp() function with… the flag!
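
The same check can be scripted when reviewing your own binaries for secrets that reach LIBC in cleartext. This is an added example, not part of the original write-up: the trace lines, the EXAMPLE{...} strings and the leaked_strings() helper are constructed for illustration and are not output from the challenge binary.

```python
import re
from collections import Counter

# Constructed sample of ltrace output (not from the challenge binary);
# "user_guess" stands for the argv[1] value we supplied ourselves.
SAMPLE_TRACE = '''\
strlen("EXAMPLE{part_one")                       = 16
strlen("EXAMPLE{part_one")                       = 16
puts("Checking...")                              = 12
strcmp("user_guess", "EXAMPLE{part_one_and_two}") = 1
+++ exited (status 1) +++
'''

# Library calls whose string arguments are worth reviewing.
WATCHED = {"strlen", "strcmp", "strncmp", "memcmp", "strcpy", "strcat"}

# One traced call per line: name(args) = return value, optional [pid N] prefix.
CALL_RE = re.compile(r'^(?:\[pid \d+\]\s+)?(\w+)\((.*)\)\s+=\s+\S+')
# A double-quoted C string, allowing backslash escapes inside it.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def leaked_strings(trace, supplied):
    """Return {string: [(function, count), ...]} for every string argument
    passed to a watched call that we did not supply ourselves."""
    seen = Counter()
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m or m.group(1) not in WATCHED:
            continue
        for s in STRING_RE.findall(m.group(2)):
            if s not in supplied:
                seen[(s, m.group(1))] += 1
    report = {}
    for (s, func), n in seen.items():
        report.setdefault(s, []).append((func, n))
    return report


if __name__ == "__main__":
    for s, calls in leaked_strings(SAMPLE_TRACE, {"user_guess"}).items():
        print(s, calls)
```

Any string reported here was visible to anyone able to run the program under ltrace, which is why a secret compared with strcmp() in a dynamically linked binary cannot be considered hidden.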