Hurry up! Wait!
svchost.exe
1. First, I decompiled the binary with Ghidra and clicked through the functions until I came across this one:

```c
void FUN_0010298a(void)
{
  ada__calendar__delays__delay_for(1000000000000000);
  FUN_00102616();
  FUN_001024aa();
  FUN_00102372();
  FUN_001025e2();
  FUN_00102852();
  FUN_00102886();
  FUN_001028ba();
  FUN_00102922();
  FUN_001023a6();
  FUN_00102136();
  FUN_00102206();
  FUN_0010230a();
  FUN_00102206();
  FUN_0010257a();
  FUN_001028ee();
  FUN_0010240e();
  FUN_001026e6();
  FUN_00102782();
  FUN_001028ee();
  FUN_001023da();
  FUN_0010230a();
  FUN_0010233e();
  FUN_0010226e();
  FUN_001022a2();
  FUN_001023da();
  FUN_001021d2();
  FUN_00102956();
  return;
}
```

2. The first thing `FUN_0010298a` calls is `ada__calendar__delays__delay_for`, which sleeps for 1000000000000000 units (on GNAT, `Duration` counts nanoseconds, so this is roughly 11.6 days). That is the "wait" in the challenge name: it prevents us from simply running the program and reading the output. The functions called after the delay, however, all look essentially the same:

```c
void FUN_00102616(void)
{
  ada__text_io__put__4(&DAT_00102cd8, &DAT_00102cb8, &DAT_00102cb8, &DAT_00102cd8);
  return;
}

void FUN_001024aa(void)
{
  ada__text_io__put__4(&DAT_00102cd1, &DAT_00102cb8, &DAT_00102cb8, &DAT_00102cd1);
  return;
}

void FUN_00102372(void)
{
  ada__text_io__put__4(&DAT_00102ccb, &DAT_00102cb8, &DAT_00102cb8, &DAT_00102ccb);
  return;
}
```

3. Each function calls `ada__text_io__put__4`, but with different arguments. The first and last arguments differ from one function to the next, but within each call they are equal, and the two middle arguments (`DAT_00102cb8`) are the same in every function. So the only per-function input is the first argument.

4. Double-click on `DAT_00102cd8` in `FUN_00102616` to see that it is `p`. The next global, `DAT_00102cd1` in `FUN_001024aa`, is `i`. `DAT_00102ccb` (from `FUN_00102372`) is `c` and `DAT_00102cd7` (from `FUN_001025e2`) is `o`. So each function prints one character of the flag, and each character is stored as a separate global. Note that the characters are not laid out in flag order in memory (`p` is at `0x00102cd8`, `i` at `0x00102cd1`, `c` at `0x00102ccb`, `o` at `0x00102cd7`), so `strings` on the binary will not give you the flag; the order comes from the sequence of calls in `FUN_0010298a`. Functions that are called more than once (`FUN_00102206`, `FUN_0010230a`, `FUN_001028ee`, `FUN_001023da`) print the same character each time, which is consistent with the flag's repeated characters.

5. We can double-click through each function (and go back to the caller with Ghidra's back button) to read off the flag one character at a time, or a Ghidra script could be written to extract it; for 27 calls it is faster to do it by hand. (Patching out the `delay_for` call, or skipping it in a debugger, would also let the program print the flag itself.)

`picoCTF{d15a5m_ftw_eab78e4}`
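The writeup above mentions that a Ghidra script could do the extraction instead of clicking through every function. The following is an added example of such a script, written here and not part of the original writeup. It is meant to be run from Ghidra's Script Manager (Jython) with the challenge binary open; the Ghidra-specific part walks `FUN_0010298a`, collects its call targets in order, finds the `LEA RDI, [...]` in each callee (assuming the System V x86-64 convention, where the first pointer argument travels in RDI), and reads the byte at that address. The flag-assembly logic is kept in a plain function so it also runs outside Ghidra; the addresses and characters in `KNOWN_CHARS` are the four the writeup recovered by hand, and the rest of the mapping is left for the script to pull from the binary.

```python
# Added example: a Ghidra Jython script that reconstructs the flag from the
# call order of FUN_0010298a. Not the challenge author's code.
from __future__ import print_function

# Address of the function that calls the delay and then the per-character
# printers (from the decompilation in the writeup).
MAIN_FUNC = 0x10298a

# The four (printer, first-argument address, character) triples the writeup
# recovered by hand. Used as a constructed sample so the pure logic can run
# without Ghidra; the real run reads every byte from the binary.
KNOWN_CHARS = {
    0x102616: (0x102cd8, "p"),
    0x1024aa: (0x102cd1, "i"),
    0x102372: (0x102ccb, "c"),
    0x1025e2: (0x102cd7, "o"),
}


def reconstruct_flag(call_order, first_arg_of, read_byte):
    """Assemble the flag from the order in which the printer functions are called.

    call_order   -- callee addresses in the order the caller invokes them
    first_arg_of -- dict callee -> address of its first argument, or None for
                    callees that are not one-character printers (the delay call)
    read_byte    -- function address -> byte value (0..255)

    A callee that appears several times contributes one character per call,
    which is what gives the flag its repeated characters.
    """
    out = []
    for callee in call_order:
        arg = first_arg_of.get(callee)
        if arg is None:
            continue  # e.g. ada__calendar__delays__delay_for: not a printer
        out.append(chr(read_byte(arg) & 0xFF))
    return "".join(out)


def demo():
    """Run the pure logic on the constructed sample: should give 'pico'."""
    order = [0x101000,  # constructed stand-in for the delay thunk, not a printer
             0x102616, 0x1024aa, 0x102372, 0x1025e2]
    first_arg = dict((f, a) for f, (a, _) in KNOWN_CHARS.items())
    memory = dict((a, ord(c)) for a, c in KNOWN_CHARS.values())
    return reconstruct_flag(order, first_arg, memory.__getitem__)


# ---- Ghidra-only part: uses the globals Ghidra injects (currentProgram,
# ---- toAddr, getFunctionAt, getReferencesFrom, getByte). Not importable
# ---- outside Ghidra, hence kept behind the __main__ guard below.

def ghidra_call_order(func):
    """Callee addresses of every CALL inside func, in instruction order."""
    listing = currentProgram.getListing()
    callees = []
    for instr in listing.getInstructions(func.getBody(), True):
        for ref in getReferencesFrom(instr.getAddress()):
            if ref.getReferenceType().isCall():
                callees.append(ref.getToAddress().getOffset())
    return callees


def ghidra_first_arg(func):
    """Address loaded into RDI by the first 'LEA RDI, [...]' in func, or None.

    Assumes SysV x86-64: the first pointer argument to ada__text_io__put__4
    is passed in RDI, so that LEA's data reference is the character's address.
    """
    listing = currentProgram.getListing()
    for instr in listing.getInstructions(func.getBody(), True):
        if instr.getMnemonicString() == "LEA" and str(instr.getRegister(0)) == "RDI":
            for ref in getReferencesFrom(instr.getAddress()):
                if ref.getReferenceType().isData():
                    return ref.getToAddress().getOffset()
    return None  # no LEA RDI: not one of the character printers


if __name__ == "__main__":
    if demo() != "pico":
        raise SystemExit("self-check on the known characters failed")
    main_func = getFunctionAt(toAddr(MAIN_FUNC))
    order = ghidra_call_order(main_func)
    first_arg = {}
    for callee in set(order):
        f = getFunctionAt(toAddr(callee))
        first_arg[callee] = ghidra_first_arg(f) if f is not None else None
    flag = reconstruct_flag(order, first_arg,
                            lambda a: getByte(toAddr(a)) & 0xFF)
    print("flag: %s" % flag)
```

The first-argument lookup deliberately returns `None` for any callee without a `LEA RDI`, so the delay thunk (and anything else that is not a printer) is skipped rather than mis-read as a character. If Ghidra has named the globals differently or the binary were compiled for another ABI, only `ghidra_first_arg` would need to change; `reconstruct_flag` depends on nothing but call order and memory contents.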