Bruteforce they said, it’ll be fun, they said…
We’re given only a binary and are told that we shouldn’t bruteforce the server. The binary, when started, only says “calculating…..” and not much else. Upon closer examination, I found that it does some calculations and checks a certain number before printing out the flag:
1 2 3 4 

If eax
matches the value at 0x601078
, then the code jumps here:
1 2 3 4 5 

So the calculates until a certain value is found and then dumps the flag. I found a couple of ratelimiting things, such as these syscalls:
1 2 3 4 5 6 7 

I didn’t want to slow it down so I nop’ed out three of those syscalls, along with the calls to putchar and printf. I ran the binary, occasionaly checking at which it was… but it still was very slow! Time for a different approach…
Running the binary and breaking at the comparison at 0x400708
, I compared the value at rsp+0x8
and rsp+0xc
(which is used to print out the flag eventually). I noticed these numbers:
1 2 3 4 5 6 7 

It didn’t take me long to realize we’re looking at prime numbers here. This binary bruteforces prime numbers and prints out the prime number when the comparison at 0x400708
is true. eax
contains the ordinal number of the last prime found and is compared to 0x989680
. That would be 10,000,000 in decimal. I quickly located a list of prime numbers and found the 10th million: 179,424,673.
Therefore, the flag was: ADCTF_179424673
.