⚙️ Characteristics
| Characteristic | Value |
|---|---|
| Language | C / C++ |
| Arch | x86-64 |
| Platform | Unix / Linux |
🗒️ Writeup
When trying to run the binary in different ways, it only returns the message “Bingus exploded”.
What we’ll do is open the binary in Ghidra to inspect the code and find the function that checks the input.
We find the function that decides whether it has been exploited or not. We’ll analyze the function to understand the program’s logic and figure out how to make it print “Bingus survived”.
Before we start, we need to make it clear that param_1 is the number of arguments and param_2 is the list of program arguments.
First condition:
The conditional is triggered if any of these conditions are true:
There isn’t exactly one argument besides the program name.
The two characters of the argument are not the same.
The argument does not have exactly 2 characters.
In any of these cases, it prints “Bingus exploded”.
Therefore, the hint to move forward is:
Pass exactly 1 argument.
The argument must be 2 identical characters.
đź“ť NOTE:
param_2+ 8 points to argv[1], the first argument of the program, because in memory each pointer takes up 8 bytes in 64-bit systems.
Loop:
For this part, I’ll rename the variables to make it simpler and easier to read.
What this loop does is add each character of the string “This is a red herring” to num, summing their ASCII values since in C a character is treated as an integer in arithmetic operations.
To see the result after the loop finishes, we recreate the code:
#include <stdio.h>
#include <string.h>
int main() {
int num = 0x66; /* num = 102 */
int i;
size_t x;
const char *str = "This is a red herring";
x = strlen(str); /* x = 21 */
for (i = 0; i < x; i++) {
num = num + str[i];
}
printf("%d", num);
return 0;
}
And we get num = 2021.
Final condition:
This last condition adds num and the ASCII values of the first two characters of the parameter string. If the total is 2245 (0x8c5), it prints “Bingus survived”.
$$ \begin{align*} 2021 + 2x &= 2245 \\ 2x &= 224 \\ x &= 112 \end{align*} $$
Therefore, the resulting character in ASCII is 112, which corresponds to the letter p, and since the program expects two identical characters, the correct result is pp.
