Behind The Scenes
The first thing I did was to open up Ghidra and decompile the binary then look
around. I usually start by looking at the main function and that's what I
did here. I noticed something a little odd, there was a function called
invalidInstructionException. I wanted to look at this closer so I clicked
onit to see the intruction. What I saw was UD2. I had not encountered this
before so I Googled it and saw this:
Generates an invalid opcode. This instruction is provided for software
testing to explicitly generate an invalid opcode. The opcode for this
instruction is reserved for this purpose. Other than raising the invalid
opcode exception, this instruction is the same as the NOP instruction.
https://mudongliang.github.io/x86/html/file_module_x86_id_318.html
This tells me that it is for testing and is the same as a NOP instruction. One
of the other. The next thing I saw was an issue that was opened in Ghidra's
github. As I read this I realised that it was the exact same thing I was working
on and there was a clue provieded there. First of all I didn't realise that
below the UD2 was not decompiled. I also learned that I can change the UD2
to the NOP and then the code below could be decompiled.
You can edit your own x86 slaspec and replace ud2 instruction with a "nop" pcode instruction.
and
You can edit your own x86 slaspec and replace ud2 instruction with a "nop" pcode instruction.
https://github.com/NationalSecurityAgency/ghidra/issues/4113
To replace the UD2 with NOP right click on it and scroll down and find
Patch Instruction for click on the UD2 and use the Crtl-Shift-g keyboard
shortcut. Do this everywhere you see a UD2 instruction.
With all the UD2 instructions pached with NOP instructions and the code
disassembled we can now look at what is going on. We can see there are several
if statements and each one is a string compirison. If we take each of those strings
and combine it we get the password or in this case the flag.