Friday, March 17, 2023

HTB - Behind The Scenes

Initial Investigation

Running the application prompts us with the expected usage: ./challenge <password>
 

Let's run strings and see what we find:

The interesting part is that we can see the password is expected to be in the format HTB{something}.
 

Reversing

We can throw the binary into Ghidra and see what else we find. Within main, the disassembly appears to stop.

There is a UD2 instruction, and after it the disassembly stops.
After some research I found this within the Ghidra GitHub. User pjsoberoi's comment is the solution:
"IMHO that is the correct behavior. You can manually disassemble the bytes after but that shouldn't change the decompilation. You can edit your own x86 slaspec and replace ud2 instruction with a "nop" pcode instruction. This should basically make the decompiler ignore the ud2 instruction. That seems like what you want." 
 
With this information I disassembled the rest.
 
 
We then go through and replace every UD2 instruction with a NOP; the decompiled code slowly builds out until we eventually get our password and flag!
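As an added example (not part of the original writeup, and not Ghidra's own tooling), the script below does the same byte-level patch the comment above describes: it locates every UD2 opcode (0F 0B) inside a chosen byte range of a binary and overwrites each one with two single-byte NOPs (90 90), so a disassembler or decompiler no longer treats that spot as the end of the function. The sample byte string is constructed for illustration. The offset range parameter is there because a raw scan of a whole file can also match 0F 0B inside immediates or data, so a practitioner should restrict it to the .text section (or to the exact offsets seen in Ghidra) and re-check the disassembly afterwards.

```python
"""Patch UD2 (0F 0B) opcodes to NOP NOP (90 90) in a byte blob or file.

Added example for the Ghidra "ud2 stops disassembly" situation: replacing the
trap opcode with two NOPs keeps instruction lengths identical, so no other
offsets in the binary move and the decompiler simply continues past it.
"""
from typing import List, Optional, Tuple

UD2 = b"\x0f\x0b"    # x86 undefined-instruction trap; halts disassembly in Ghidra
NOP2 = b"\x90\x90"   # two one-byte NOPs, same length as UD2


def find_ud2(code: bytes, lo: int = 0, hi: Optional[int] = None) -> List[int]:
    """Return the offsets of every UD2 sequence within code[lo:hi]."""
    hi = len(code) if hi is None else hi
    offsets: List[int] = []
    pos = lo
    while True:
        idx = code.find(UD2, pos, hi)
        if idx == -1:
            return offsets
        offsets.append(idx)
        pos = idx + len(UD2)  # continue after the match; 0F 0B cannot overlap itself


def patch_ud2(code: bytes, lo: int = 0, hi: Optional[int] = None) -> Tuple[bytes, List[int]]:
    """Replace each UD2 in code[lo:hi] with NOP NOP; return (patched, offsets)."""
    patched = bytearray(code)
    offsets = find_ud2(code, lo, hi)
    for off in offsets:
        patched[off:off + len(UD2)] = NOP2
    return bytes(patched), offsets


def patch_file(src_path: str, dst_path: str, lo: int = 0, hi: Optional[int] = None) -> List[int]:
    """Read a binary, patch UD2s in the given range, write the result, return offsets.

    Only patch the code section (e.g. the .text file offsets) so that 0F 0B
    appearing in data or in an immediate operand is left untouched.
    """
    with open(src_path, "rb") as fh:
        data = fh.read()
    patched, offsets = patch_ud2(data, lo, hi)
    with open(dst_path, "wb") as fh:
        fh.write(patched)
    return offsets


# Constructed sample: mov rbp,rsp ; ud2 ; mov eax,1 ; ud2 ; ret
SAMPLE_CODE = bytes.fromhex("4889e5" "0f0b" "b801000000" "0f0b" "c3")


if __name__ == "__main__":
    new_code, hits = patch_ud2(SAMPLE_CODE)
    print("UD2 found at offsets:", hits)            # [3, 10]
    print("before:", SAMPLE_CODE.hex(" "))
    print("after: ", new_code.hex(" "))
```

The patched copy is what you would load back into Ghidra (or just apply the same bytes with the "Patch Instruction" action at each reported offset); because the length does not change, every other address and reference stays valid.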