Reverse engineering Lua bytecode inside an ELF binary
writeup Gemastik12 CTF [decode-me]
This is a CTF competition challenge. In this blog post I will explain how I solved it. I got this challenge while competing in Gemastik 12 CTF (Telkom). We were given a binary called mooncode; you can download the ELF binary here.
Digging into it
Here is the file information for this binary:
mooncode: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0,
BuildID[sha1]=c0e15ca22b562c60f5d4535eea61d26157ecdde7,
not stripped
It is a 64-bit ELF binary and it is not stripped, which makes our work easier. Let's open it in Ghidra; if you are not familiar with Ghidra, you can check their repository here.
Ghidra section
Let's focus on the main function. Here is the decompiled main function from Ghidra:
As you can see, there is a call to lua_load(). Since the binary is linked with liblua5.3.so.0, I assume this binary runs Lua bytecode from memory; in this case the bytecode is stored in a global variable called 'code'.
Here is the value of the code variable:
As you can see, there is a "Luas" string inside this memory, so we can simply dump or export this code variable using Ghidra. Here is the Lua bytecode we successfully dumped:
┌─[tripoloski]──[~/code/ctf/gemastik2019/reversing/decode-me]──[pwn-box]: $
└────╼ >> file .data_\[00104060\,001046d5\]_1217343673003918772.tmp.bin
.data_[00104060,001046d5]_1217343673003918772.tmp.bin: Lua bytecode,
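Before handing a carved blob to a decompiler it is worth confirming it really is a well-formed Lua 5.3 chunk, so it is clear which offset to export and which Lua version to target. The script below is an added example (not part of the original writeup) that scans a byte buffer for the Lua signature and validates the 5.3 header fields as checkHeader in lundump.c does; the SAMPLE buffer is constructed for demonstration and stands in for a dumped .data section.

```python
import struct

# Lua 5.3 chunk header layout, from lundump.c (checkHeader). The "\x1bLua"
# signature followed by the version byte 0x53 ('S') is the "LuaS" string
# that shows up when the code variable is viewed as text.
LUA_SIGNATURE = b"\x1bLua"
LUAC_DATA = b"\x19\x93\r\n\x1a\n"   # corruption-detection bytes (line-ending damage etc.)
LUAC_INT, LUAC_NUM = 0x5678, 370.5  # endianness and float-format check values


def parse_lua_header(blob: bytes, off: int) -> dict:
    """Parse the Lua chunk header at `off`; raise ValueError if it is malformed.
    Versions other than 5.3 are reported but not parsed further."""
    if blob[off:off + 4] != LUA_SIGNATURE or len(blob) < off + 6:
        raise ValueError(f"no complete Lua signature at {off:#x}")
    version, fmt = blob[off + 4], blob[off + 5]
    if version != 0x53:
        return {"offset": off, "version": f"{version >> 4}.{version & 0xF}", "parsed": False}
    if len(blob) < off + 34:
        raise ValueError(f"truncated Lua 5.3 header at {off:#x}")
    if fmt != 0 or blob[off + 6:off + 12] != LUAC_DATA:
        raise ValueError(f"bad format byte or LUAC_DATA at {off:#x}")
    sz_int, sz_sizet, sz_instr, sz_integer, sz_number = blob[off + 12:off + 17]
    if (sz_integer, sz_number) != (8, 8):
        raise ValueError(f"unsupported lua_Integer/lua_Number sizes at {off:#x}")
    p = off + 17
    (luac_int,) = struct.unpack_from("<q", blob, p); p += 8   # little-endian check value
    (luac_num,) = struct.unpack_from("<d", blob, p); p += 8   # IEEE double check value
    if luac_int != LUAC_INT or luac_num != LUAC_NUM:
        raise ValueError(f"endianness or float-format mismatch at {off:#x}")
    return {"offset": off, "version": "5.3", "parsed": True,
            "sizeof_int": sz_int, "sizeof_size_t": sz_sizet,
            "sizeof_instruction": sz_instr, "num_upvalues": blob[p],
            "main_function": p + 1}   # offset where the main function prototype starts


def find_lua_chunks(blob: bytes) -> list:
    """Return one header record for every Lua signature found in `blob`."""
    found, start = [], 0
    while (i := blob.find(LUA_SIGNATURE, start)) != -1:
        found.append(parse_lua_header(blob, i))
        start = i + 1
    return found


# Constructed sample: a decoy Lua 5.1 signature, then a well-formed Lua 5.3
# header with one upvalue (the layout a real dump from the binary would follow).
SAMPLE = (b"\x00" * 3 + b"\x1bLua\x51\x00" + b"\x00" * 5
          + LUA_SIGNATURE + b"\x53\x00" + LUAC_DATA + bytes([4, 8, 4, 8, 8])
          + struct.pack("<q", LUAC_INT) + struct.pack("<d", LUAC_NUM)
          + b"\x01" + b"\x00" * 8)

if __name__ == "__main__":
    for chunk in find_lua_chunks(SAMPLE):
        print(chunk)
```

To use it on the real dump, read the exported file with open(path, "rb").read() and pass it to find_lua_chunks.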
Since this is a Lua bytecode file, we can recover the original source code by decompiling it with unluac. Here is the source code:
This is a simple XOR between two values. Here is my solver to get the flag:
And we got our flag:
$ python mooncode.py
gemastik12{reversing_the_moon}