Parcel
Packed binary file.
The binary is packed. Try to decompile it and you will find unreadable code. Find out how it is packed and unpack it to recover the original binary.
MD5 (parcel) = 903adf25f54687ef3d875b51442e20df
Author: daniellimws
We were given a file to download, named "parcel". The file had no extension, so we did not know what type of file it was. The challenge description tells us that the file is packed, so our next move was to find out which packer had been used.
Usually, for any challenge that hands us a file, we start by running "strings" to see if there is any interesting readable text in it.

Lo and behold, we found an interesting string: "UPX!". We then agreed that the file was probably packed with UPX.
As we scrolled down further, the remaining strings pretty much confirmed that it was indeed packed with UPX.

Right before we were about to move on, we found more interesting strings!!

Well well well, it looks like the challenge wants us to run the file and answer 3 questions! It asks for the memory addresses of three functions, given in decimal. Let's put this on hold and get back to it later!
The next thing we did was to unpack the file using the upx command, which comes pre-installed on Kali Linux (the -d flag means decompress):
upx -d parcel

Take note of the "Format" column in the upx output. It tells us that this is an ELF file, in other words a Linux executable, so the file can only be run on a Unix-like operating system.
I tried running the file and was faced with a permission error, so I gave the file execute permission:
chmod +x parcel
Important: for anyone using an M1 MacBook Pro or any other ARM machine, please read the next paragraphs carefully!
Afterwards, I ran the file and hit another error! 😭

I was really confused and did some Googling. After running the "file" command, it turned out that the "parcel" file was compiled and built for an x86 architecture!!
For those who are wondering: a binary built for x86 will not run on an ARM processor, such as the one in the M1 MacBook. Damn Apple, you did me dirty!!! 😿

I then used my Intel machine, which has an x86 processor, to run the file. As shown, we have to figure out the memory addresses of the functions and convert them to decimal.

To find the memory addresses, we have to use a disassembler. The common ones are IDA Pro and Ghidra. I was too lazy to fire up any of them, so I used an online tool. Afterwards, I filtered for the 3 functions, namely h12, t80 and g20.

The memory addresses are in hexadecimal, so I converted them to decimal and entered the answers.
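The steps above done by hand (strings for the UPX marker, then reading the three function addresses and converting them to decimal), as an added Python example that is not part of the original writeup: it scans for the "UPX!" marker, then parses the .symtab of an unpacked little-endian ELF64 the way nm would and returns the addresses of h12, t80 and g20 in decimal. It assumes the unpacked parcel is a 64-bit x86 ELF; build_sample_elf is a constructed stand-in with made-up addresses so the code runs offline without the real binary.

```python
import struct

UPX_MARKER = b"UPX!"  # the string that gave the packer away

def is_upx_packed(data):
    """Equivalent of `strings parcel | grep UPX`: look for the UPX marker bytes."""
    return UPX_MARKER in data

def elf64_func_addrs(data, wanted):
    """Return {name: address} for STT_FUNC symbols in a little-endian ELF64 .symtab (what nm prints).
    Run it on the unpacked file: the UPX-packed file carries no section headers or symbol table."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64")
    shoff, = struct.unpack_from("<Q", data, 0x28)             # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    found = {}
    for sh in shdrs:
        if sh[1] != 2:  # sh_type == SHT_SYMTAB
            continue
        sym_off, sym_size, entsize, strtab_off = sh[4], sh[5], sh[9], shdrs[sh[6]][4]  # sh_link -> .strtab
        for j in range(sym_size // entsize):
            st_name, st_info, _, _, st_value, _ = struct.unpack_from("<IBBHQQ", data, sym_off + j * entsize)
            if st_info & 0xF != 2:  # STT_FUNC only
                continue
            name = data[strtab_off + st_name:data.index(b"\0", strtab_off + st_name)].decode()
            if name in wanted:
                found[name] = st_value
    return found

def answers_in_decimal(data, names=("h12", "t80", "g20")):
    """The challenge wants the hex addresses nm shows converted to decimal."""
    return {n: str(a) for n, a in elf64_func_addrs(data, set(names)).items()}

def build_sample_elf(funcs):
    """Constructed stand-in for the real 'parcel': a minimal ELF64 with only .symtab/.strtab
    and made-up addresses, so the lookup can be demonstrated offline."""
    strtab, syms = b"\0", bytearray(24)  # "" string and the mandatory null symbol
    for name, addr in funcs.items():
        syms += struct.pack("<IBBHQQ", len(strtab), 0x12, 0, 1, addr, 0)  # STB_GLOBAL | STT_FUNC
        strtab += name.encode() + b"\0"
    body = bytes(syms) + strtab
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, 3, 0)  # EXEC, x86-64, 3 shdrs
    shdrs = bytes(64)  # null section header [0]
    shdrs += struct.pack("<IIQQQQIIQQ", 0, 2, 0, 0, 64, len(syms), 2, 1, 8, 24)  # [1] .symtab, link -> [2]
    shdrs += struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, 64 + len(syms), len(strtab), 0, 0, 1, 0)  # [2] .strtab
    return ehdr + body + shdrs
```

On the real file, answers_in_decimal(open("parcel", "rb").read()) after upx -d gives the three decimal values to enter; on the packed file it raises or returns nothing, since there is no symbol table to read.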

Flag: grey{d1d_y0u_us3_nm_0r_objdump_0r_gdb_0r_ghidra_0r_rizin_0r_ida_0r_binja?}
Hey guys, your Amazon Prime parcel is here! 🚚
