Challenge Overview
We're given a binary and asked to find the password it accepts.
Initial Reconnaissance
Running the binary reveals a simple password prompt:
$ ./Compiled.Compiled
Password: test
Try again!Since we don't know the password, the next step is static analysis.
Decompiling with Ghidra
Loading the binary into Ghidra and examining the main function gives us the following decompiled code:
undefined8 main(void) {
int iVar1;
char local_28 [32];
fwrite("Password: ", 1, 10, stdout);
__isoc99_scanf("DoYouEven%sCTF", local_28);
iVar1 = strcmp(local_28, "__dso_handle");
if ((-1 < iVar1) && (iVar1 = strcmp(local_28, "__dso_handle"), iVar1 < 1)) {
printf("Try again!");
return 0;
}
iVar1 = strcmp(local_28, "_init");
if (iVar1 == 0) {
printf("Correct!");
} else {
printf("Try again!");
}
return 0;
}Code Analysis
Breaking down the logic step by step:
Input parsing: The scanf format string "DoYouEven%sCTF" captures everything between the literal prefix DoYouEven and the suffix CTF, storing the middle portion into local_28. For example, entering DoYouEven_initCTF would store _init in local_28.
First check: The program compares local_28 against "__dso_handle". If they are equal (i.e. strcmp returns 0), it immediately prints "Try again!" and exits. This is essentially a guard to block one specific input.
Second check: The program then compares local_28 against "_init". If equal, it prints "Correct!" — meaning _init is the value we need in local_28.
Crafting the Password
Since scanf extracts the middle portion of the input, we need to wrap _init with the expected prefix and suffix:
DoYouEven_initCTFVerification
$ ./Compiled.Compiled
Password: DoYouEven_initCTF
Correct!The password is DoYouEven_initCTF.