# giftwrapping

## Flag

HTB{upx_41nt_50_h4rd!!}

## How to solve

- The binary is packed with the UPX packer
- It first needs to be unpacked in order to reverse engineer its contents
- Fortunately `upx` is open source and rather well documented
- Unpack with: `upx -d giftwrap`
- Fire up radare2/cutter and disassemble the unpacked binary

![program logic](images/passwordcheck.png "Disassembly")

- The program logic is a bit confusing because of the weird code the unpacker leaves behind
- After the call to `scanf` the program enters a loop that loads one byte at a time from `rbp+rax-0x110` into `eax`
- Each byte is then xored with the immediate `0xfffffff3`; since the xor is done a byte at a time only the low byte, `0xf3`, matters
- Once this is done for all bytes the program moves on to a check section
- There a call to `fcn.00401080` is made
- Don't bother reversing it, this is not the password check, it's just the `memcmp` implementation from the C library
- If the data matches, the welcome message is shown
- So the flag has to be somewhere in the data that gets xored

![ghidra decompilation](images/ghidra.png "Ghidra's decompilation")

- Once I got the Ghidra decompiler plugin for radare2 installed the process became clearer
- Ghidra does a great job decompiling the xor mechanism
- Don't be confused by the loop condition `i < 0x100`
- Because it is `<` and not `<=`, `i` runs from `0` to `0xff` and exactly `0x100` bytes are xored, so everything is fine ;)
- Time to grab the data using `gdb` and convert it to a string

1. Don't forget to set your disassembly flavor to intel: `set disassembly-flavor intel`
2. Load the unpacked program: `gdb ./giftwrap` (the address in the next step only exists after `upx -d`; in the packed file that region still holds compressed data)
3. Set a breakpoint at the `movzx` instruction that loads the byte: `break *0x004019bb`
4. Run until the breakpoint: `r`
5. On the first hit the loop index in `rax` is still `0`, so `print/x $rbp + $rax - 0x110` gives the start address of the buffer, `0x004cc0f0`
6. Print the bytes at this address (`x/23xb 0x004cc0f0`) or simply navigate to it using the hexdump tool

![hexdump](images/hexdump.png "hexdump of the memory section containing the flag")

- Now copy all this data and convert it to ascii using some python

```python
# Bytes dumped from 0x004cc0f0 before the xor loop has touched them
buf = b'\xbb\xa7\xb1\x88\x86\x83\x8b\xac\xc7\xc2\x9d\x87\xac\xc6\xc3\xac\x9b\xc7\x81\x97\xd2\xd2\x8e'

# Undo the byte-wise xor with 0xf3 (the low byte of the 0xfffffff3 immediate)
out = bytes(b ^ 0xf3 for b in buf)
print(out.decode())  # HTB{upx_41nt_50_h4rd!!}
```
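The snippet above hard-codes the key that was read off the disassembly. The following script is an added example (not part of the original writeup) that generalises the procedure: it slides the known flag prefix `HTB{` across a byte blob as a crib, derives the single-byte xor key from it, checks that one key explains every crib byte, and decodes up to the closing `}`. It can also pull the `0x100` bytes straight out of the unpacked `giftwrap` file at `0x4cc0f0` by walking the ELF program headers; that path assumes, as the fixed address in the gdb session suggests, that the encoded buffer is static data in the file rather than something the program writes at runtime. The function names, the filler bytes and `SAMPLE_BLOB` are constructed for this example; the 23 flag bytes are the ones dumped above.

```python
"""Recover the single-byte xor key and the flag from the giftwrap buffer.

Added example, not the writeup's or the challenge's own code.
"""
import struct
import sys

# The 23 bytes dumped from 0x004cc0f0 in the writeup, before the xor loop ran.
ENCODED_FLAG = (
    b"\xbb\xa7\xb1\x88\x86\x83\x8b\xac\xc7\xc2\x9d\x87\xac\xc6\xc3\xac"
    b"\x9b\xc7\x81\x97\xd2\xd2\x8e"
)
# Constructed stand-in for a memory dump: filler bytes around the flag so the
# crib scan has something to skip over. Not taken from the binary.
SAMPLE_BLOB = b"\x00\x11\x22" + ENCODED_FLAG + b"\x00\x00"
CRIB = b"HTB{"          # every HTB flag starts like this, so it is a free crib
PT_LOAD = 1             # ELF program header type for loadable segments


def xor_decode(data: bytes, key: int) -> bytes:
    """Byte-wise xor with one key byte, i.e. what the 0x100-iteration loop does."""
    return bytes(b ^ key for b in data)


def crib_key(window: bytes, crib: bytes):
    """Return the key byte that maps `window` onto `crib`, or None if no single
    key explains all crib bytes (the usual sign that the crib is misaligned)."""
    if len(window) < len(crib):
        return None
    key = window[0] ^ crib[0]
    for w, c in zip(window, crib):
        if w ^ c != key:
            return None
    return key


def find_flag(blob: bytes, crib: bytes = CRIB):
    """Slide the crib over `blob`; at the first offset where one key explains the
    whole crib, decode from there through the closing brace.
    Returns (offset, key, flag) or None if no offset fits."""
    for off in range(len(blob) - len(crib) + 1):
        key = crib_key(blob[off:off + len(crib)], crib)
        if key is None:
            continue
        plain = xor_decode(blob[off:], key)
        close = plain.find(b"}")
        if close == -1:
            continue
        return off, key, plain[:close + 1].decode("ascii", errors="replace")
    return None


def read_at_va(path: str, va: int, size: int) -> bytes:
    """Read `size` file bytes backing virtual address `va` of a non-PIE, little
    endian ELF64 by walking its PT_LOAD headers (no relocation is applied)."""
    with open(path, "rb") as f:
        elf = f.read()
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not an ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= va < p_vaddr + p_filesz:
            start = p_offset + (va - p_vaddr)
            return elf[start:start + size]
    raise ValueError(f"{va:#x} is not backed by file data")


def main(argv):
    if len(argv) > 1:
        # Real run: python3 recover.py ./giftwrap (after `upx -d giftwrap`),
        # using the buffer address and 0x100-byte length found above.
        blob = read_at_va(argv[1], 0x4CC0F0, 0x100)
    else:
        blob = SAMPLE_BLOB
    hit = find_flag(blob)
    if hit is None:
        print("no offset where a single xor key yields the crib")
        return 1
    off, key, flag = hit
    print(f"offset {off:#x}, key {key:#04x}: {flag}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to check the logic against the bytes from the writeup, or with the path to the unpacked binary to skip the gdb session entirely. The crib consistency check in `crib_key` is what makes the scan robust: a single matching byte is common in 256 bytes of data, but four bytes agreeing on the same key almost never happens by accident.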