gdb - writeup

Morten Hansen • July 7, 2021

WRITE-UP

Challenge:

I think the flag might be decrypted and left in memory. Maybe a debugger will help?

Check out the CTF @ ForeverCTF

Steps to do:
  1. Open the file in Ghidra. Rename the values. Find out what we know for certain.
  2. Run gdb -q ./gdb in order to debug it.
  3. Start the debug session with start and set a breakpoint with break *main
  4. Type run to run it.
  5. We find out from Ghidra that the length has to be 36 bytes (not 37, because of the \n appended).
  6. At what point are we certain that the flag exists in memory? Hover over the function in Ghidra at that point and note the "Function offset", which in this case is main + 240h. The 240h stands for hex 0x240.
  7. Open gdb again, start the debug session and set the breakpoint with break *main + 0x240
  8. Run the file and type in a string with a length of 36. Watch the outcome: that is the flag.
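Steps 2 to 8 as a batch-mode gdb session, added here as an example and not part of the original write-up. It assumes the challenge binary is ./gdb in the current directory, reads its input from stdin on x86-64, and that the decrypted flag sits near the stack pointer at the breakpoint; the x/40s dump is a guess to adjust after reading the Ghidra decompilation.

```shell
#!/bin/sh
# Added example: automate the write-up's gdb steps non-interactively.
# Assumed: ./gdb is the challenge binary, it reads the 36-byte input from stdin.
set -eu

BIN=./gdb
WORK=$(mktemp -d)
INPUT_FILE="$WORK/input.txt"
CMD_FILE="$WORK/session.gdb"

# Exactly 36 bytes on the line; printf's \n supplies the newline the program
# strips, which is why the write-up says 36 and not 37.
make_input() {
    printf '%s\n' "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" > "$INPUT_FILE"
}

# Byte count of the input line without its newline, to check the 36-byte rule.
input_len() {
    tr -d '\n' < "$INPUT_FILE" | wc -c | tr -d ' '
}

# gdb command file mirroring steps 3-8: break at main+0x240 (the offset Ghidra
# reported), run with the crafted input, then dump memory near the stack.
# Register names assume x86-64; x/40s $rsp is an assumed place to look.
write_cmds() {
    cat > "$CMD_FILE" <<EOF
break *main+0x240
run < $INPUT_FILE
info registers rip rsp rbp
x/40s \$rsp
quit
EOF
}

# Full session: build input, build command file, run gdb in batch mode.
run_session() {
    make_input
    write_cmds
    gdb -q -batch -x "$CMD_FILE" "$BIN"
}

# Only launch gdb when explicitly asked, so the helpers can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    run_session
fi
```

Invoke as sh session.sh --run with the binary present; the strings printed after the breakpoint are where the decrypted flag should appear.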

Finish

Thanks to langemyh