This is a writeup for the Endless Christmas challenge, md5 hash 866c92038d6e9fc47db4424f71f6167a. It appeared in the X-MAS CTF, and it’s a Reverse challenge.
Listing functions with afl in Radare we can see there are two calls to execve, both happening in main, a sign that this program creates (and maybe executes?) something else.
Putting a breakpoint just before the execve happens will reveal what file is being loaded (looking into the rax register).
I went down 60 rabbit holes disassembling this binary further, but the best thing we can do at this point is change point of view, step out of Radare, and launch the binary by itself – it certainly doesn’t seem to be doing anything nasty up to this point.
It takes some time before any output is shown, which may be a sign that some decoding happens. The program creates a good number of other binaries which all look identical to each other (though different in size from the original one, as their size shows), but which turn out to be distinct upon closer inspection: their md5 hashes differ.
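The size-then-md5 comparison described above, written out as a small triage helper for the dropped binaries (added example, not code from the original writeup; the helper names and the constructed sample files are assumptions). Files of equal size land under one size key, and files with equal bytes under one md5 key, so "look identical but differ" shows up as several md5 keys beneath a single size:

```python
import hashlib
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def fingerprint(path):
    """Return (size, md5 hex digest, is_elf) for one file, read as raw bytes."""
    data = Path(path).read_bytes()
    return (len(data), hashlib.md5(data).hexdigest(), data.startswith(ELF_MAGIC))


def group_dropped_binaries(paths):
    """Group dropped files first by size, then by md5.

    Returns {size: {md5: [paths]}}: equal-size files with different
    content (the situation in this writeup) appear as separate md5 keys.
    """
    groups = {}
    for p in paths:
        size, digest, _ = fingerprint(p)
        groups.setdefault(size, {}).setdefault(digest, []).append(str(p))
    return groups


def distinct_count(paths):
    """Number of genuinely different files, judged by md5 rather than size."""
    return len({fingerprint(p)[1] for p in paths})


def make_sample_dir():
    """Constructed sample input (assumption, not the challenge's real output):
    three ELF-looking files of equal size, two of them byte-identical."""
    d = tempfile.mkdtemp()
    contents = {"drop_a": b"A" * 20, "drop_b": b"B" * 20, "drop_c": b"A" * 20}
    paths = []
    for name, body in contents.items():
        p = os.path.join(d, name)
        Path(p).write_bytes(ELF_MAGIC + body)
        paths.append(p)
    return paths


if __name__ == "__main__":
    sample = make_sample_dir()
    for size, by_md5 in group_dropped_binaries(sample).items():
        print(f"size {size}: {len(by_md5)} distinct md5 value(s)")
        for digest, members in by_md5.items():
            print(f"  {digest}  {members}")
```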