leon3321.is-a.dev
185.199.109.153  Public Scan

Submitted URL: http://leon3321.is-a.dev/
Effective URL: https://leon3321.is-a.dev/
Submission: On June 12 via api from US — Scanned from IS

Form analysis 0 forms found in the DOM

Text Content

leon332157


HI, I’M LEON

I’m a junior in Computer Science/Data Science at UMass Amherst

My interests are in DevOps, Infrastructure, Reverse Engineering, Vulnerability
Analysis, Computer Networking and Operating Systems

Here, I will be sharing my blogs, writeups for CTF, and projects

To learn more about me, navigate to the About page




MAGIC CONCH (REV)

Magic Conch is a rev challenge. Downloading and opening the binary file in
Ghidra, we can find an entry point; I have renamed the main function to main.
Here is the main function in Ghidra, edited for clarity:

    int main(void)
    {
        char buf [64];
        uint outlen;
        int length;
        code *entry_point_function;
        void *shared_obj_ptr;
        int memfd;
        void *dec_data;
        void *input_data;

        input_data = (void *)gen1(&enc_bin_start,&length);
        if (input_data == NULL) {
            exit(1);
        }
        dec_data = (void *)gen2(input_data,length,&outlen);
        if (dec_data == NULL) {
            exit(1);
        }
        free(input_data);
        /* write the gen2 output into an anonymous in-memory file */
        memfd = memfd_create("payload_file",0);
        if (memfd == 0) {
            exit(1);
        }
        write(memfd,dec_data,outlen);
        /* load the in-memory file as a shared object via its /proc path */
        sprintf(buf,"/proc/self/fd/%d",(ulong)(uint)memfd);
        shared_obj_ptr = (void *)dlopen(buf,1);
        if (shared_obj_ptr == NULL) {
            free(input_data);
            exit(1);
        }
        /* resolve the exported EntryPoint symbol and call it */
        entry_point_function = (code *)dlsym(shared_obj_ptr,"EntryPoint");
        if (entry_point_function == NULL) {
            free(input_data);
            dlclose(shared_obj_ptr);
            exit(1);
        }
        (*entry_point_function)();
        dlclose(shared_obj_ptr);
        close(memfd);
        free(dec_data);
        return 0;
    }

Looking at the main function, we can see that it
uses syscalls such as dlopen as well as dlsym....

April 21, 2024