This is a CTF built by my good friend Colin that consists of five stages, each progressively more difficult. Here are the guidelines and rules.

Taking a look at Stage1, the first interesting call I see is _stat64i32, which takes a path to a file and gets the status information of that file.

The path given to _stat64i32 is C:\temp\defuse.log. If defuse.log can’t be found then this function is going to return early. The first step to completing Stage1 is to create defuse.log in the expected directory.

Once the CTF can successfully get the status of defuse.log, it will try to open it and read from it.

Once it’s read from defuse.log, it will loop through the first three bytes and compare them to the values of 0xDE, 0xF0, and 0x5E. To pass this portion of Stage1, I opened defuse.log in a hex editor and added in those three bytes.

And now when I run the binary I get a message that Stage1 was defused. Now on to Stage2!
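The Stage1 flow described above, reconstructed in C as an added example (this is not the CTF's own code). The function names, result codes and the handling of a file shorter than three bytes are assumptions, and portable stat() stands in for _stat64i32 so the sketch also builds outside Windows.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Hypothetical result codes for this sketch. */
enum stage1_result { S1_NO_FILE, S1_READ_FAIL, S1_BAD_MAGIC, S1_DEFUSED };

/* The three bytes the writeup says Stage1 compares against. */
static const unsigned char MAGIC[3] = { 0xDE, 0xF0, 0x5E };

/* Same order as the disassembly walk-through: stat, open, read, compare. */
enum stage1_result stage1_check(const char *path)
{
    struct stat st;
    unsigned char buf[3];
    size_t n, i;
    FILE *f;

    if (stat(path, &st) != 0)      /* the binary calls _stat64i32 here */
        return S1_NO_FILE;         /* missing file: early return */
    f = fopen(path, "rb");         /* binary mode, no newline translation */
    if (f == NULL)
        return S1_READ_FAIL;
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf)           /* assumption: a short file fails */
        return S1_READ_FAIL;
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != MAGIC[i])
            return S1_BAD_MAGIC;
    return S1_DEFUSED;
}

/* Produces the same file contents as the hex-editor step. */
int write_magic(const char *path)
{
    size_t n;
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    n = fwrite(MAGIC, 1, sizeof MAGIC, f);
    return (fclose(f) == 0 && n == sizeof MAGIC) ? 0 : -1;
}

/* Usage: pass the log path as the only argument. */
int main(int argc, char **argv)
{
    if (argc != 2 || write_magic(argv[1]) != 0)
        return 1;
    puts(stage1_check(argv[1]) == S1_DEFUSED ? "check passed" : "check failed");
    return 0;
}
```

Writing the bytes in binary mode matters: a text editor would store the characters "DEF05E" rather than the three raw byte values the comparison expects.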

Last modified: June 7, 2019