2024 Cyber Apocalypse: PackedAway

Challenge Information

Event:      2024 Cyber Apocalypse
Category:   Reverse Engineering
Challenge:  PackedAway
Difficulty: Very Easy

Summary

PackedAway is a reverse engineering challenge involving a UPX-packed executable. The binary appears to be a simple GUI application that validates input against a hidden flag. By unpacking the executable using UPX, the original binary is restored and strings, including the flag, become visible.


Analysis

Understanding UPX

UPX (Ultimate Packer for eXecutables) is a legitimate compression tool that:

  • Reduces executable size significantly
  • Decompresses in memory at runtime
  • Leaves fingerprints in the packed binary (“UPX!” magic bytes)

Challenge Setup

The packed binary:

  1. Presents a text input interface
  2. Accepts user input as a potential flag
  3. Displays invalid entries in red
  4. Contains embedded strings that are obfuscated by packing

The Solution Strategy

Instead of reverse engineering the decompression algorithm:

  1. Use UPX’s own decompression tool to unpack the binary
  2. Extract strings from the unpacked binary
  3. Identify the flag

Solution

Step 1: Verify the Binary is UPX-Packed

Check for UPX signatures:

strings ./challenge_binary | grep "UPX"

The output will contain the “UPX!” magic bytes (and typically the UPX0/UPX1 section names), confirming that the binary is packed.

Step 2: Unpack the Binary

Use the UPX tool to decompress:

upx -d challenge_binary -o unpacked_binary

This creates unpacked_binary with the original code restored.

Step 3: Extract Strings from Unpacked Binary

Now strings are readable in the unpacked version:

strings unpacked_binary | grep "HTB{"

Or search for recognizable patterns:

strings unpacked_binary | grep -E "(HTB|flag|password)"

Step 4: Retrieve the Flag

The flag appears in the strings output as it’s stored in the binary’s data section.
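The checks from Step 1 (UPX fingerprints) and Step 3 (flag pattern in the strings) can be done without shelling out to strings and grep. The following is an added example, not part of the original writeup; it runs against two constructed byte buffers that stand in for the packed and unpacked binaries, and its strings() equivalent and the HTB{...} pattern are assumptions mirroring the commands above.

```python
import re
from typing import List

# Constructed stand-in for a UPX-packed ELF: ELF magic, the UPX0/UPX1 section
# names, some opaque compressed-looking bytes, then the "UPX!" header magic.
# The flag is absent because in a real packed file it sits inside compressed data.
SAMPLE_PACKED = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"UPX0\x00UPX1\x00" + b"\x90\x17\x3c\xa2" * 4
    + b"UPX!\r\x0b\x08\x0c" + b"\xde\xad" * 6
)

# Constructed stand-in for the unpacked binary: plain strings from .rodata/.data.
SAMPLE_UNPACKED = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Enter the flag:\x00Wrong!\x00HTB{n0t_s0_p4ck3d}\x00" + b"\x00" * 4
)

UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1", b"UPX2")


def upx_markers(data: bytes) -> List[str]:
    """Return the UPX fingerprints found in the buffer (the "UPX!" magic and
    the UPX0/UPX1/UPX2 section names), ordered by first offset."""
    found = [(data.find(m), m.decode()) for m in UPX_MARKERS if m in data]
    return [name for _, name in sorted(found)]


def is_upx_packed(data: bytes) -> bool:
    # Require the "UPX!" magic itself; section names alone are a weaker hint.
    return b"UPX!" in data


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


_FLAG = re.compile(r"HTB\{[^}]*\}")


def flag_candidates(data: bytes) -> List[str]:
    """The Step 3 grep: every HTB{...} substring among the extracted strings."""
    return [f for s in extract_strings(data) for f in _FLAG.findall(s)]
```

Reading a real file is `flag_candidates(open(path, "rb").read())`; on the packed buffer the flag is not found, on the unpacked one it is.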


Complete Exploitation Script

#!/bin/bash
# Unpack a UPX-packed binary and list flag candidates from its strings.
TARGET_BINARY="${1:-challenge_binary}"
UNPACKED_BINARY="unpacked_${TARGET_BINARY}"

echo "[+] Checking if binary is UPX-packed..."
# The "UPX!" magic and the UPX0/UPX1 section names survive as plain strings.
if strings "$TARGET_BINARY" | grep -q "UPX"; then
    echo "[+] Binary is UPX-packed, unpacking..."
    # upx exits non-zero when decompression fails (e.g. a tampered header).
    if upx -d "$TARGET_BINARY" -o "$UNPACKED_BINARY"; then
        echo "[+] Successfully unpacked to: $UNPACKED_BINARY"
        echo "[+] Extracting strings..."
        echo "=== All Strings ==="
        strings "$UNPACKED_BINARY"
        echo ""
        echo "=== Flag Candidates ==="
        strings "$UNPACKED_BINARY" | grep -i -E "(HTB|flag|password|secret)"
    else
        echo "[-] Failed to unpack binary"
        exit 1
    fi
else
    echo "[-] Binary does not appear to be UPX-packed"
    exit 1
fi

Alternative Approach: Reverse Engineering with Debugger

If UPX is not available:

  1. Load binary in GDB
  2. Set breakpoint at main
  3. Examine memory as the binary decompresses
  4. Extract strings from memory dump

gdb ./challenge_binary
(gdb) break main
(gdb) run
(gdb) x/200s 0x[memory_address]

Key Takeaways

  • UPX is a common packing tool that obfuscates strings and code
  • Packed binaries can be unpacked using their own tools
  • String extraction from unpacked binaries is straightforward
  • Magic bytes (“UPX!”) identify UPX-packed files
  • Packing is often used for code obfuscation, not security
  • Multiple tools exist for unpacking different executable formats
  • This challenge teaches the importance of recognizing packing and applying appropriate tools

Flag: HTB{n0t_s0_p4ck3d}