Parcel
Packed binary file.
The binary is packed. Try to decompile it and you will find unreadable code. Find out how it is packed and unpack it to recover the original binary.
MD5 (parcel) = 903adf25f54687ef3d875b51442e20df
Author: daniellimws
We were given a file to download, named "parcel". The file had no extension, so we did not know what type of file it was. The challenge description tells us that the file is packed, so our next move was to find out what it was packed with.
Usually for any type of file challenge, we would use strings to see if there are any interesting readable characters in the file.
Lo and behold, we found an interesting string: "UPX!". We then agreed that the file was probably packed with a packer.
As we scrolled down further, it was pretty much confirmed that it was indeed packed by UPX.
Right before we were about to move on, we found more interesting strings!!
Well well well, it looks like the challenge wants us to run the file and answer 3 questions! The challenge wants us to find the memory addresses of three functions and answer in decimal. Let's put this on hold and we'll get back to it later!
The next thing we did was to unpack the file using the upx command that is built into Kali Linux (upx -d restores the original binary in place, so work on a copy if you want to keep the packed one).
Take note of the "Format" column in the output. It tells us that this is an ELF file, in other words, a Linux executable. Therefore, the file can only be run on Linux (or another Unix-like system that loads ELF binaries).
Important: For anyone using an M1 MacBook Pro or any other ARM machine, please read the next paragraphs carefully!
I tried running the file and I was faced with a permission error. So what I did was to give the file execute permission (chmod +x) so that it could be run.
Afterwards, I ran the file and I faced another error!
I was really confused and I did some digging. After running the "file" command, it turned out that the "parcel" file was compiled and built for the x86 architecture!!
For those who are wondering, if the binary file is built for the x86 architecture, it will not be able to run on an ARM architecture, such as the M1 MacBook. Damn Apple, you did me dirty!!!
I then used my Intel machine, which uses the x86 architecture, to run the file. As shown, we have to figure out what the memory addresses of the functions are and convert them to decimal.
To be able to find the memory addresses, we have to use a disassembler tool, and there are several common ones to pick from. I was too lazy to fire up any of the disassemblers and so I used another tool instead. Afterwards, I filtered for the 3 functions, namely h12, t80 and g20.
The memory addresses are in hexadecimal format, so I converted them into decimal and entered the answers.
Flag: grey{d1d_y0u_us3_nm_0r_objdump_0r_gdb_0r_ghidra_0r_rizin_0r_ida_0r_binja?}
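The whole procedure above, scripted as an added example (this is not code from the writeup or from the challenge author): check for the UPX marker the way strings would reveal it, read the ELF machine type straight from the header so you notice an x86/ARM mismatch before trying to run anything, unpack, and print the addresses of the three functions in decimal. It assumes the binary path is passed as an argument, that upx and nm are installed for the unpack and symbol steps, and uses the function names h12, t80 and g20 from the writeup.

```shell
#!/bin/sh
# Added example, not part of the original writeup.
# Assumes: path to the binary given as $1; `upx` and `nm` installed for
# the unpack and symbol-lookup steps. Everything else is POSIX sh + coreutils.

# 1. Is the UPX marker present? Same signal as `strings parcel | grep UPX`.
is_upx_packed() {
    grep -aq 'UPX!' "$1"
}

# 2. Read e_machine (ELF header offset 18, 2 bytes, little-endian) without
#    relying on `file`. Prints the decimal value, returns 1 if not an ELF.
#    This is what tells you an x86-64 binary will not run on an ARM box.
elf_machine() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo 0; return 1; }
    set -- $(od -An -tu1 -j18 -N2 "$1")   # two bytes as decimal numbers
    [ $# -eq 2 ] || { echo 0; return 1; }  # truncated header
    echo $(( $1 + $2 * 256 ))
}

# Values from the ELF spec (EM_386, EM_ARM, EM_X86_64, EM_AARCH64).
elf_machine_name() {
    case "$1" in
        3)   echo "i386" ;;
        40)  echo "arm" ;;
        62)  echo "x86-64" ;;
        183) echo "aarch64" ;;
        *)   echo "unknown($1)" ;;
    esac
}

# 3. Hex address (with or without a 0x prefix) -> decimal, as the challenge wants.
hex_to_dec() {
    h=${1#0x}; h=${h#0X}
    echo $(( 0x$h ))
}

# 4. Look up each named function in the (unpacked) binary's symbol table
#    and print "name 0xhex decimal". Needs `nm`; only works if not stripped.
func_addrs_decimal() {
    bin=$1; shift
    for f in "$@"; do
        addr=$(nm "$bin" | awk -v n="$f" '$3 == n && $2 ~ /^[Tt]$/ { print $1; exit }')
        [ -n "$addr" ] || { echo "$f: not found"; continue; }
        echo "$f 0x$addr $(hex_to_dec "$addr")"
    done
}

# The writeup's steps end to end. upx -d rewrites the file in place,
# so run this on a copy of the packed binary.
triage() {
    bin=$1
    m=$(elf_machine "$bin") || { echo "not an ELF file"; return 1; }
    echo "arch: $(elf_machine_name "$m")"
    if is_upx_packed "$bin"; then
        echo "UPX marker found, unpacking"
        upx -d "$bin" || return 1
    fi
    chmod +x "$bin"
    func_addrs_decimal "$bin" h12 t80 g20
}

if [ -n "${1:-}" ]; then triage "$1"; fi
```

Run it as "sh triage.sh ./parcel_copy". If upx -d refuses to unpack even though the "UPX!" marker is present, the UPX header has usually been tampered with and the binary has to be unpacked by hand (for example by dumping it from memory once the stub has finished), which is a common trick to make this step harder.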
Hey guys, your Amazon Prime parcel is here!