990.md

Reykjavik

0. Running the executable file tells us that it requires the flag as cmd arg, which will then be compared with the flag nd printed out.

1. Start gdb and set a breakpoint at main():

   gdb ./Reykjavik 

   Reading symbols from ./Reykjavik...
   (No debugging symbols found in ./Reykjavik)
   (gdb) break main 
   Breakpoint 1 at 0x10a0
   (gdb) run some-random-string
   Starting program: /home/harshit/Downloads/Reykjavik some-random-string
   [Thread debugging using libthread_db enabled]
   Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
   
   Breakpoint 1, 0x00005555555550a0 in main ()

2. Disassemble main() and look for strcmp, that may have been used to compare the arg and flag:

   Breakpoint 1, 0x00005555555550a0 in main ()
   (gdb) set disassembly-flavor intel
   (gdb) disas main
   Dump of assembler code for function main:
   =>  0x00005555555550a0 <+0>: endbr64
       0x00005555555550a4 <+4>:    push   r13
       0x00005555555550a6 <+6>:    push   r12
       .
       .
       .
       0x0000555555555161 <+193>: xor    eax,0xffffffab
       0x0000555555555164 <+196>: mov    BYTE PTR [rsp+0x1a],al
       0x0000555555555168 <+200>: call   0x555555555080 <strcmp@plt>
       0x000055555555516d <+205>: mov    r12d,eax
       0x0000555555555170 <+208>: test   eax,eax
       0x0000555555555172 <+210>: jne    0x555555555197 <main+247>
       0x0000555555555174 <+212>: mov    rdx,r13
       .
       .
       .
   End of assembler dump.

3. If compared strings are equal, strcmp returns 0 (man 3 strcmp for more info), which is stored in eax.
   test eax, eax checks if eax is zero or not. Set a breakpoint at that instruction and print the values of registers:

   (gdb) break *0x0000555555555170
   Breakpoint 2 at 0x555555555170
   (gdb) c
   Continuing.
   Welcome to the CTFlearn Reversing Challenge Reykjavik v2: some-random-string
   Compile Options: ${CMAKE_CXX_FLAGS} -O0 -fno-stack-protector -mno-sse
   
   
   Breakpoint 2, 0x0000555555555170 in main ()
   (gdb) info registers
   rax            0xffffffd0          4294967248
   rbx            0x7fffffffdeb8      140737488346808
   rcx            0x73                115
   rdx            0x76304c5f6579457b  8516390867965658491
   .
   .
   .

   Observe rax (eax is the low 32 bits of rax), which is currently non-zero (obviously).

4. Set the value of the register as 0 and continue:

   (gdb) set $eax=0
   (gdb) info registers
   rax            0x0                 0
   rbx            0x7fffffffdeb8      140737488346808
   rcx            0x73                115
   rdx            0x76304c5f6579457b  8516390867965658491
   .
   .
   .
   
   (gdb) c
   Continuing.
   Congratulations, you found the flag!!: 'CTFlearn{Eye_L0ve_Iceland_}'
   
   [Inferior 1 (process 985301) exited with code 0320]