
Bypassbin

PicoCTF2026 reverse

First, download the binary from the remote host: scp -P 57999 [email protected]:/home/ctf-player/bypassme.bin ./

When the program runs, it prompts for a password and sanitizes the user input before validating it. Testing inputs such as pass1, pass2, and pass3 shows that numeric characters are stripped, leaving only pass. This suggests the program compares a cleaned version of the input against an internally generated password.

In Binary Ninja, the main function calls decode_password() before entering the authentication loop and stores the result in a local buffer named password[0x80]. This indicates that the real password is not stored directly as plaintext in the binary, but is instead reconstructed at runtime.


Looking at decode_password(), we can see an encoded byte array that is decoded with an XOR operation using 0xaa, then written into the output buffer followed by a null terminator. Rather than reversing the bytes manually, the easiest approach is to inspect the decoded buffer during execution with a debugger.


Using GDB, I set a breakpoint immediately after the call to decode_password() and examined the contents of the password buffer in memory. The decoded password was SuperSecure.

Entering SuperSecure into the program successfully passes authentication and reveals the flag.
