Overlong was a challenge that could lead to complex rabbit holes, or, with some intelligent guess work, be solved quite quickly. From the start, with the title and the way that the word overlong was bolded in the prompt, I was looking for an integer to overflow or change in some way. That, plus additional clues, made this one pretty quick work.
The secret of this next challenge is cleverly hidden. However, with the right approach, finding the solution will not take an overlong amount of time.
The file is an x86 executable:
$ file Overlong.exe
Overlong.exe: PE32 executable (GUI) Intel 80386, for MS Windows
It just prints a message box:
It’s worth noting that it ends with a :, suggesting there might be more of the message to come.
There are only three functions:
The start function is quite simple. It gets pointers to two buffers, pushes them onto the stack (along with an integer, 0x1c), and calls sub_401160, which populates one of the buffers with the message I saw in the box above, and returns the length of that buffer. It then uses the length to null-terminate the string, and passes it to
If I load it in x32dbg, I’ll follow the second buffer (I’ve named it Text above) in the dump. I can see how it updates over the function call:
Without going any further, I took a shot. My hypothesis is that sub_401000 takes an input buffer, an output buffer, and a length. It then decodes bytes from the input buffer into the output buffer, up to length bytes. This explains why the message ends prematurely if the length is wrong.
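To make the hypothesis concrete, here is a small model of such a length-bounded decode loop. This is an added example, not code from the write-up or from the challenge binary: the page never identifies the encoding, so the example assumes (as the title suggests) overlong UTF-8 sequences, where each ASCII byte is padded into a two-byte sequence, and the message text is constructed. The point it shows is that the caller-supplied length, not the input, decides how much of the message is recovered, and that a strict UTF-8 decoder refuses this kind of padding outright.

```python
# Added example modelling the decode loop hypothesised for sub_401000.
# Assumptions (not from the write-up): the input is "overlong" UTF-8, each
# ASCII byte encoded as a two-byte sequence; MESSAGE is constructed text.

# Constructed message: the first 0x1c bytes end with a colon, like the
# truncated message box in the challenge.
MESSAGE = b"This text ends with a colon: and keeps going (constructed text)"


def encode_overlong(data: bytes) -> bytes:
    """Encode each byte as a two-byte overlong UTF-8 sequence (assumed encoding)."""
    out = bytearray()
    for c in data:
        out.append(0xC0 | (c >> 6))    # lead byte 0xC0/0xC1: never valid in strict UTF-8
        out.append(0x80 | (c & 0x3F))  # continuation byte carrying the low six bits
    return bytes(out)


def decode_one(buf: bytes, pos: int):
    """Decode one (possibly overlong) UTF-8 sequence at buf[pos].
    Returns (code_point, bytes_consumed); raises ValueError on malformed input."""
    lead = buf[pos]
    if lead < 0x80:
        return lead, 1
    if lead & 0xE0 == 0xC0:
        n, cp = 2, lead & 0x1F
    elif lead & 0xF0 == 0xE0:
        n, cp = 3, lead & 0x0F
    elif lead & 0xF8 == 0xF0:
        n, cp = 4, lead & 0x07
    else:
        raise ValueError(f"bad lead byte {lead:#x} at offset {pos}")
    if pos + n > len(buf):
        raise ValueError("truncated sequence at end of input")
    for b in buf[pos + 1:pos + n]:
        if b & 0xC0 != 0x80:
            raise ValueError(f"bad continuation byte {b:#x}")
        cp = (cp << 6) | (b & 0x3F)
    return cp, n


def decode_message(encoded: bytes, length: int) -> bytes:
    """Model of the hypothesised sub_401000: decode input into output until
    `length` output bytes exist or the input runs out. A too-small length
    (0x1c in the challenge) silently cuts the message off."""
    out = bytearray()
    pos = 0
    while len(out) < length and pos < len(encoded):
        cp, n = decode_one(encoded, pos)
        out.append(cp & 0xFF)
        pos += n
    return bytes(out)


def strict_utf8_rejects(encoded: bytes) -> bool:
    """Python's strict UTF-8 decoder refuses overlong sequences; a hardened
    consumer should do the same instead of accepting them like decode_one does."""
    try:
        encoded.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


if __name__ == "__main__":
    enc = encode_overlong(MESSAGE)
    print(decode_message(enc, 0x1C))  # cut off right after the colon
    print(decode_message(enc, 0x5C))  # the whole message
    print("strict decoder rejects:", strict_utf8_rejects(enc))
```

Running it with 0x1c reproduces the truncated-at-the-colon behaviour, and 0x5c (the value patched in below) reveals the rest, because the loop is bounded by output bytes produced rather than by input consumed.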
I started the program, but when it hit a breakpoint at start, I changed the integer value from 0x1c to 0x5c (which felt arbitrarily large enough to get a flag). When I then hit to continue, the message box popped with the solution: