CyberKavach QuestCon Series: The Upside Down


The Upside Down

Welcome to the CyberKavach QuestCon reverse engineering series! This post will walk you through solving “The Upside Down,” a CTF challenge that will test your static analysis, binary patching, and code understanding skills.

Author: Sarthak Warale

Challenge Details

  • Category: Reverse Engineering

  • Difficulty: Medium

  • Description: The true prize is buried in the binary's Upside Down. Your objective is to reverse engineer and patch a stripped Linux ELF binary that mimics the classic 2048 game. Simply reaching the 2048 tile doesn't provide the real flag—the binary is hiding it behind an impossible win condition.

  • Flag Format: questCON{…}


Overview

The challenge provides a stripped Linux binary named easygame. Running it feels like playing 2048, but reaching 2048 prints only a bait message. The actual flag logic exists but can never trigger through normal gameplay.


Tools Used

  • Ghidra (for decompilation and patching)

  • Python 3 (for optional static flag extraction script)

  • Bash


Step-by-Step Walkthrough

1. Initial Reconnaissance

Start by granting execution permissions and running the game.


2. Analyzing the Binary in Ghidra

  • Create a new project and import easygame.

  • Use default analysis options.

  • Open the main function from the Functions tree and inspect the decompiler output.

A key segment is found: a guarded flag-printing block only runs when score meets a specific threshold and certain anti-debug logic is not tripped.


3. Locating the Win Condition

The comparison checks if the score is a nearly impossible value. In assembly, this appears as cmp edi, 0x5f5e0ff.


4. Patching Method 1: Lower the Required Score

  • In Ghidra, right-click the cmp edi, 0x5f5e0ff instruction and select "Patch Instruction."

  • Change the immediate value 0x5f5e0ff to 0x1. Now a single move is enough to satisfy the check.

  • Export the modified program: File > Export Program > Format: Binary (tick "Export User Byte Modifications"), save as easygame_patched.


5. Patching Method 2: Remove the Conditional Jump

  • Identify the conditional jump (jl failpath) after the comparison.

  • In the Ghidra listing, right-click the instruction and patch it to NOP NOP so execution always falls through into the flag-printing path.


6. Test the Patch

Make the file executable again and run it.

chmod +x easygame_patched
./easygame_patched


After the first move, the patched flag logic triggers and the true flag is revealed:

questCON{yoursecretflaghere}

You didn’t just play—you hacked your way to the flag!
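The two patches from steps 4 and 5 can also be applied at the byte level without Ghidra's GUI. The script below is an added example, not part of the original write-up: it locates the cmp edi, 0x5f5e0ff instruction by its x86-64 encoding (81 FF followed by the little-endian immediate), rewrites the immediate (method 1), or overwrites the jl that follows it with NOPs (method 2). It runs against a constructed stand-in for the binary; the filler bytes and the offset of the compare inside it are assumptions, only the instruction encodings are real.

```python
import struct
import sys

# cmp edi, imm32 is encoded as 81 /7 id: opcode 0x81, ModRM 0xFF (reg field 7 = cmp,
# r/m = edi), then the 32-bit immediate in little-endian order.
CMP_EDI_IMM32 = b"\x81\xff"
ORIGINAL_THRESHOLD = 0x5F5E0FF  # the "impossible" score from step 3
NEEDLE = CMP_EDI_IMM32 + struct.pack("<I", ORIGINAL_THRESHOLD)


def find_compare(blob: bytes) -> int:
    """Return the file offset of the one cmp edi, 0x5f5e0ff instruction.

    Refuses to guess if the pattern is absent or appears more than once, so a
    stale or unrelated match never gets patched by accident.
    """
    first = blob.find(NEEDLE)
    if first == -1:
        raise ValueError("cmp edi, 0x5f5e0ff not found")
    if blob.find(NEEDLE, first + 1) != -1:
        raise ValueError("pattern is not unique; patch by hand in Ghidra")
    return first


def patch_threshold(blob: bytes, new_score: int = 1) -> bytes:
    """Method 1: rewrite the immediate so any score >= new_score passes."""
    imm_off = find_compare(blob) + len(CMP_EDI_IMM32)
    return blob[:imm_off] + struct.pack("<I", new_score) + blob[imm_off + 4:]


def patch_jump(blob: bytes) -> bytes:
    """Method 2: replace the jl after the compare with NOPs (0x90).

    Handles both encodings: short jl (7C rel8, 2 bytes) and near jl
    (0F 8C rel32, 6 bytes). The replacement keeps the same length so
    every later offset in the file is unchanged.
    """
    off = find_compare(blob) + len(NEEDLE)
    if blob[off:off + 1] == b"\x7c":
        size = 2
    elif blob[off:off + 2] == b"\x0f\x8c":
        size = 6
    else:
        raise ValueError("no jl immediately after the compare")
    return blob[:off] + b"\x90" * size + blob[off + size:]


# Constructed stand-in for the binary (assumption, not bytes from easygame):
# push rbp / mov rbp,rsp ; cmp edi,0x5f5e0ff ; jl +0x10 ; eight ret bytes.
SAMPLE_BINARY = b"\x55\x48\x89\xe5" + NEEDLE + b"\x7c\x10" + b"\xc3" * 8


if __name__ == "__main__":
    # Usage: python patch.py easygame easygame_patched [threshold|jump]
    src, dst = sys.argv[1], sys.argv[2]
    method = sys.argv[3] if len(sys.argv) > 3 else "threshold"
    data = open(src, "rb").read()
    patched = patch_threshold(data) if method == "threshold" else patch_jump(data)
    open(dst, "wb").write(patched)
    print(f"patched {src} -> {dst} using method '{method}'")
```

Because the compare is matched on its full six-byte encoding, the script fails loudly rather than patching the wrong place if the compiler emitted the comparison differently or the value appears elsewhere; in that case go back to the Ghidra listing and patch the instruction there.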


7. Alternative: Static Flag Extraction

Don't want to patch or run the binary? Extract the encflag and keybytes arrays from the binary via Ghidra, then re-implement their decryption routine in Python:


# Byte arrays copied out of the binary's data section in Ghidra
encflag = [...]
keybytes = [...]

flagbytes = []
for i, b in enumerate(encflag):
    # Each byte is XORed with the cycling key and then inverted with 0xFF
    decrypted = b ^ keybytes[i % len(keybytes)] ^ 0xFF
    flagbytes.append(decrypted)

print(bytes(flagbytes).decode())


Running the script outputs the flag, bypassing the binary entirely.
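The snippet above assumes you have already pasted the two arrays in by hand. The following added example (mine, not from the write-up) turns the same routine into a reusable function that reads the arrays straight out of a dump of the file at known offsets and validates that the output actually matches the questCON{...} format before printing it. The offsets, lengths, flag and key it uses are constructed for the demonstration; in practice they are the locations Ghidra reports for encflag and keybytes.

```python
import re

FLAG_RE = re.compile(rb"^questCON\{[^}]*\}$")


def xor_transform(data: bytes, keybytes: bytes) -> bytes:
    """The routine from the write-up: byte ^ cycling key byte ^ 0xFF.

    XOR is its own inverse, so the same function both encrypts and decrypts,
    which is also what lets us build a realistic test input below.
    """
    if not keybytes:
        raise ValueError("empty key")
    return bytes(b ^ keybytes[i % len(keybytes)] ^ 0xFF for i, b in enumerate(data))


def extract_array(blob: bytes, offset: int, length: int) -> bytes:
    """Pull a byte array out of the raw file image at a known file offset."""
    chunk = blob[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("array runs past the end of the file; check the offset")
    return chunk


def recover_flag(blob: bytes, enc_off: int, enc_len: int,
                 key_off: int, key_len: int) -> str:
    """Decrypt encflag with keybytes and insist the result looks like a flag.

    A wrong offset or length produces bytes that fail the format check, which is
    a much clearer failure than silently printing garbage.
    """
    encflag = extract_array(blob, enc_off, enc_len)
    keybytes = extract_array(blob, key_off, key_len)
    flag = xor_transform(encflag, keybytes)
    if not FLAG_RE.match(flag):
        raise ValueError("decrypted bytes do not match questCON{...}; check offsets")
    return flag.decode()


# Constructed sample (assumption, not data from easygame): a made-up flag and key,
# encrypted with the same routine and embedded in a zero-filled 256-byte image.
SAMPLE_FLAG = b"questCON{example_flag_not_real}"
SAMPLE_KEY = b"\x13\x37\xc0\xde"
ENC_OFF, KEY_OFF = 0x40, 0x80
_filler = bytes(0x100)
SAMPLE_BLOB = (
    _filler[:ENC_OFF]
    + xor_transform(SAMPLE_FLAG, SAMPLE_KEY)
    + _filler[ENC_OFF + len(SAMPLE_FLAG):KEY_OFF]
    + SAMPLE_KEY
    + _filler[KEY_OFF + len(SAMPLE_KEY):]
)


if __name__ == "__main__":
    print(recover_flag(SAMPLE_BLOB, ENC_OFF, len(SAMPLE_FLAG),
                       KEY_OFF, len(SAMPLE_KEY)))
```

To use it on the real file, read easygame with open(path, "rb").read() and pass the file offsets of the two arrays; if Ghidra only shows virtual addresses, subtract the containing section's virtual address and add its file offset to convert.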


Lessons Learned

  • Reverse engineering binaries often requires analyzing both logic and data.

  • Impossible in-game conditions can be bypassed with patching.

  • Static extraction can save time when dynamic analysis is hard or risky.


Congratulations if you navigated the Upside Down and emerged with the flag!

