
# BioBundle (medium)

Here are the challenge details:

![Challenge description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yb3apskdtdqw89n32lun.png)

As before, we received a zip file containing a binary file. We attempted to run it and examined its functionality.

![Flag checker?](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3xz63rfw8x0cr6034ln4.png)

It is another password or flag checker. The interesting part comes when we open the file in IDA.

![](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/txol9vgfy3xsx9yc2ef1.png)

We can see that this is a simple console program that dynamically loads a function from a shared library and then calls that function on the user input. `dlsym(handle, "*")` loads a function named "*" from the shared library. The handle to that shared library comes from `get_handle()`, so we open that function to find out more about it.

![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/o7k7lfospsj92ar2onyb.png)

This function creates an in-memory file, writes the decoded content to it, and then loads it as a shared library with `dlopen`. First, `memfd_create` creates an anonymous file in memory and returns its file descriptor (`fd`). Then a `for` loop XORs each element of the array `_` with `0x37` and writes the result to the in-memory file. `sprintf` builds the path to the in-memory file in the string `s`, and `dlopen` loads that path as a shared library.

We now have to find the values inside the `_` array and XOR them with `0x37`.

![There is something hmmmm](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sbh8ogk7jnvoahufoorw.png)

This is a pretty long array, so we suspect that it hides something. We XOR the first 10 elements with `0x37`.

![We check the header](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7kvhw9g1rnjqm0lpaost.png)

The result is the file signature of a Linux executable file (ELF).

![ELF : Linux Executable File](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5b36r2x1ic71sijg4kgv.png)

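So we export the array, decode it, write it out as an executable file, and open the result in IDA.

```py
# exe.txt holds the bytes of the `_` array as whitespace-separated hex values
with open('exe.txt', 'rb') as f:
    data = f.read().split()

# Parse each hex token, then undo the single-byte XOR with 0x37
val = [int(hex_data, 16) for hex_data in data]
res = [value ^ 0x37 for value in val]
res = bytes(res)

# Write the decoded ELF to disk for static analysis
with open('inside_bio', 'wb') as f:
    f.write(res)
```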

![File Description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fbr6hbs9f9cgak40hcix.png)
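The same idea generalized into a triage check, as an added example that is not part of the original writeup: instead of knowing the key `0x37` in advance, it scans a blob for an ELF header hidden behind any single-byte XOR key and reports the decoded `e_type` and `e_machine`. The function names and the sample bytes are constructed for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xored_elf(blob: bytes):
    """Return sorted [(offset, key)] for each single-byte-XOR-encoded ELF header.

    Key 0 matches an ELF that is embedded without any encoding.
    """
    hits = []
    for key in range(256):
        needle = xor(ELF_MAGIC, key)
        off = blob.find(needle)
        while off != -1:
            ident = xor(blob[off:off + 7], key)
            # Reduce false positives: EI_CLASS and EI_DATA are 1 or 2, EI_VERSION is 1
            if len(ident) == 7 and ident[4] in (1, 2) and ident[5] in (1, 2) and ident[6] == 1:
                hits.append((off, key))
            off = blob.find(needle, off + 1)
    return sorted(hits)

def describe(blob: bytes, off: int, key: int):
    """Decode the first 20 header bytes and return (e_type name, e_machine)."""
    hdr = xor(blob[off:off + 20], key)
    if len(hdr) < 20:
        raise ValueError("truncated ELF header")
    endian = "<" if hdr[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    e_type, e_machine = struct.unpack_from(endian + "HH", hdr, 16)
    return E_TYPES.get(e_type, hex(e_type)), e_machine

# Constructed sample (not the challenge binary): a 64-bit little-endian header
# with e_type=ET_DYN (3) and e_machine=EM_X86_64 (62), XORed with 0x37 and
# surrounded by filler bytes.
PLAIN_HEADER = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 3, 62)
SAMPLE = b"\xaa" * 16 + xor(PLAIN_HEADER + bytes(44), 0x37) + b"\xaa" * 16

if __name__ == "__main__":
    for off, key in find_xored_elf(SAMPLE):
        print(f"offset={off:#x} key={key:#04x}", describe(SAMPLE, off, key))
```

An `ET_DYN` result matches what `dlopen` expects, since shared libraries are `ET_DYN` objects.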

When we open the file, we get the flag.

![Flag?](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zb311lkvlptx64mithuz.png)

We can verify that this is the flag by running the biobundle program again.

![The Flag!](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yv6np3rxxr88rv7if8td.png)

![We got the point!](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3yliu1a7432h73ccy0b5.png)

