# flag - 7 pt

{% hint style="info" %}
Papa brought me a packed present! let's open it.

Download : <http://pwnable.kr/bin/flag>

This is reversing task. all you need is binary
{% endhint %}

I ran the flag file as shown below.

```bash
kali@kali:~$ ls -l flag
-rw-r--r-- 1 kali kali 335288 Mar 14 10:55 flag
kali@kali:~$ chmod u+x flag
kali@kali:~$ ./flag
I will malloc() and strcpy the flag there. take it.
```

Checking the downloaded flag file with Exeinfo PE shows that it is packed with UPX.

![](/files/-M0Wlhd-HMHLgfQc77bN)

Unpack it.

```bash
kali@kali:~$ upx -d flag
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    883745 <-    335288   37.94%   linux/amd64   flag

Unpacked 1 file.
```

Checking the flag file with Exeinfo PE again shows that it has been unpacked, as below.

![](/files/-M2OboESn_elEiipMFP5)
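A scripted alternative to the two Exeinfo PE checks above (before and after `upx -d`), as an added example that is not part of the original write-up. It assumes a little-endian ELF64 file and treats the `UPX!` magic, the UPX info banner and a missing section header table as heuristics; the helper names and both sample images are constructed for illustration.

```python
import struct

UPX_MAGIC = b"UPX!"  # marker UPX writes into the files it packs
UPX_BANNER = b"This file is packed with the UPX executable packer"
ELF64_HDR = "<16sHHIQQQIHHHHHH"  # little-endian Elf64_Ehdr, 64 bytes


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def upx_indicators(data: bytes) -> dict:
    """Collect heuristic signs that an ELF64 image is UPX-packed."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_shnum = struct.unpack(ELF64_HDR, data[:64])[12]
    magic = find_all(data, UPX_MAGIC)
    banner = UPX_BANNER in data
    return {
        "magic_offsets": magic,
        "banner": banner,
        # Heuristic: UPX-packed ELF files typically have no section headers.
        "no_section_headers": e_shnum == 0,
        "likely_upx": bool(magic) and (banner or e_shnum == 0),
    }


def make_elf64(e_shnum: int, body: bytes) -> bytes:
    """Build a constructed ELF64 header plus body (demo data, not runnable)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    return struct.pack(ELF64_HDR, ident, 2, 0x3E, 1, 0x401000, 64, 0, 0,
                       64, 56, 1, 64, e_shnum, 0) + body


# Constructed samples: one shaped like a packed file, one like an unpacked file.
PACKED = make_elf64(0, b"\x00" * 32 + UPX_MAGIC + b"\x00" * 16 + b"$Info: "
                    + UPX_BANNER + b" http://upx.sf.net $\n" + UPX_MAGIC)
UNPACKED = make_elf64(31, b"UPX...? sounds like a delivery service :)\x00")

if __name__ == "__main__":
    for name, image in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(name, upx_indicators(image))
```

To check a real file, pass `open("flag", "rb").read()` to `upx_indicators`.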

Disassembling main in GDB gives the following.

```bash
(gdb) disas main
Dump of assembler code for function main:
   0x0000000000401164 <+0>:     push   %rbp
   0x0000000000401165 <+1>:     mov    %rsp,%rbp
   0x0000000000401168 <+4>:     sub    $0x10,%rsp
   0x000000000040116c <+8>:     mov    $0x496658,%edi
   0x0000000000401171 <+13>:    callq  0x402080 <puts>
   0x0000000000401176 <+18>:    mov    $0x64,%edi
   0x000000000040117b <+23>:    callq  0x4099d0 <malloc>
   0x0000000000401180 <+28>:    mov    %rax,-0x8(%rbp)
   0x0000000000401184 <+32>:    mov    0x2c0ee5(%rip),%rdx        # 0x6c2070 <flag>
   0x000000000040118b <+39>:    mov    -0x8(%rbp),%rax
   0x000000000040118f <+43>:    mov    %rdx,%rsi
   0x0000000000401192 <+46>:    mov    %rax,%rdi
   0x0000000000401195 <+49>:    callq  0x400320
   0x000000000040119a <+54>:    mov    $0x0,%eax
   0x000000000040119f <+59>:    leaveq
   0x00000000004011a0 <+60>:    retq
End of assembler dump.
```

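From the `# 0x6c2070 <flag>` annotation at `main+32`, I inferred that `0x6c2070` is the address that holds the flag.

Print the value at that address as follows.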

```bash
(gdb) x/s *0x6c2070
0x496628:       "UPX...? sounds like a delivery service :)"
```

The flag appears.

{% hint style="success" %}
Flag? : UPX...? sounds like a delivery service :)
{% endhint %}


