BUP CTF Powered by Knight Squad - Final Round

Talk to Me Please

Category – Reverse Engineering Challenge – talk_to_me_please (a Rust binary, PIE, NX, full RELRO)

1. What the binary does

Running the program gives the following:

./talk_to_me_please

Talk to mesay the magic words: Hello
GoogleCTF{222222_222222_222222_222222}

It prints a fake flag. We need to dig deeper to uncover the real one. Letsgoooo...

2. First look‑and‑feel

$ checksec --file=talk_to_me_please
RELRO           STACK CANARY      NX            PIE
Full RELRO      No canary found   NX enabled    PIE enabled

The binary is a Rust program compiled with the toolchain's default hardening (PIE, NX, full RELRO). The missing stack canary is normal for Rust, which does not emit stack protectors by default, and with no obvious format string or buffer overflow bug this is a pure reversing task rather than an exploitation one.

3. Decompiling main

The decompiler (I'm using Ghidra; IDA, r2, etc. work just as well) shows the following (heavily simplified) logic inside talk_to_me_please::main:

/* allocate a 0x40‑byte buffer (puVar17) */
puVar17 = alloc(0x40,1);

/* fill it with a bunch of literal stores; the immediates are little‑endian,
   so the low byte of each constant is the first character */
*(u16*)puVar17 = 0x5542;                         // "BU"
*(u8*)(puVar17+2) = 0x50;                        // 'P'
*(u32*)(puVar17+3) = 0x7b465443;                // "CTF{"
*(u64*)(puVar17+7) = 0x5530795f476d305f;        // bytes 0x07..0x0e
*(u64*)(puVar17+0xd) = 0x5f57306e4b5f5530;      // bytes 0x0d..0x14, overlaps the tail of the previous store
*(u64*)(puVar17+0x15) = 0x375f30745f573068;
*(u64*)(puVar17+0x1d) = 0x443030675f4b6c61;
*(u8*)(puVar17+0x25) = 0x5f;
*(u32*)(puVar17+0x26) = 0x5f62306a;
*(u8*)(puVar17+0x2a) = 0x7d;                     // '}'

Each constant has to be byte‑reversed (little‑endian) and written at its offset, keeping in mind that the 0xd store overlaps the last two bytes of the 0x7 store, before the pieces are concatenated into the 43‑byte string.
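The decoding step, as an added Python script that is not part of the original writeup: it transcribes the stores above into a constructed table of (offset, width, immediate), replays them little‑endian into a zeroed 0x40‑byte buffer in program order, checks that overlapping stores agree byte‑for‑byte (a cheap guard against a mis‑read offset or constant), and decodes the written region.

```python
import struct

# Transcription of the literal stores in the decompiled main, in program
# order, as (offset, width in bytes, immediate). Constructed from the listing
# above; width 1/2/4/8 corresponds to the u8/u16/u32/u64 stores.
STORES = [
    (0x00, 2, 0x5542),
    (0x02, 1, 0x50),
    (0x03, 4, 0x7b465443),
    (0x07, 8, 0x5530795f476d305f),
    (0x0d, 8, 0x5f57306e4b5f5530),   # overlaps the last two bytes of the 0x07 store
    (0x15, 8, 0x375f30745f573068),
    (0x1d, 8, 0x443030675f4b6c61),
    (0x25, 1, 0x5f),
    (0x26, 4, 0x5f62306a),
    (0x2a, 1, 0x7d),
]

# x86-64 is little-endian: the low byte of each immediate lands at the lowest address.
FMT = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}


def replay_stores(stores, size=0x40):
    """Replay the stores into a zeroed buffer and return the bytes actually written.

    Overlapping stores are normal (the compiler covers an odd-length string with
    power-of-two writes), but the overlapping bytes must agree; a mismatch means an
    offset or constant was transcribed wrongly, so fail loudly instead of guessing.
    """
    buf = bytearray(size)
    written = [False] * size
    for off, width, value in stores:
        for i, b in enumerate(struct.pack(FMT[width], value)):
            pos = off + i
            if written[pos] and buf[pos] != b:
                raise ValueError(f"conflicting byte at offset {pos:#x}")
            buf[pos] = b
            written[pos] = True
    end = max(off + width for off, width, _ in stores)
    if not all(written[:end]):
        raise ValueError("gap in the written region; a store is missing")
    return bytes(buf[:end])


def recover_flag(stores=STORES):
    """Decode the replayed buffer as ASCII (the stores spell a printable string)."""
    return replay_stores(stores).decode("ascii")


if __name__ == "__main__":
    print(recover_flag())
```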

Aaaand... we get our flag. Feeding it back to the binary as the magic words gives this:

./talk_to_me_please

Talk to mesay the magic words: BUPCTF{[REDACTED]}
nice to talk to you — I loved your magic words.
