qwb2024 quals mips-bin

danqing liu

Given two binaries emu and mips_bin.

mips_bin is a MIPS binary, and emu is a QEMU-based emulator that runs it. Using Ghidra, we can disassemble mips_bin. For dynamic debugging, a stock qemu-mips is more convenient than the provided emu.

mips_bin performs an annoying fork that gets in the way of debugging. Patching the fork function to simply return 0 (so the single process follows the child path) lets us debug the binary directly. The flag it then produces, flag{dynamic_reverse}, is a fake one.
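The "turn fork into return 0" patch, as an added example rather than the tooling used in the writeup. On MIPS the function body is overwritten with `jr $ra` followed by `addu $v0, $zero, $zero` in the branch delay slot (the move has to come after the jump because the delay slot executes before control transfers). The function's virtual address is mapped to a file offset through the ELF program headers, and the instruction words are written in the binary's own byte order taken from e_ident[EI_DATA]. The sample ELF image built below is constructed for the demo; fork's real address in mips_bin is whatever Ghidra shows and is passed in by the caller.

```python
"""Patch a function in a 32-bit MIPS ELF so that it immediately returns 0.

Added example (not the challenge's or the writeup's code).  Overwrites the
first two instructions of the target function with:

    jr   $ra                 # return to the caller
    addu $v0, $zero, $zero   # delay slot: $v0 = 0 before the jump takes effect
"""
import struct

JR_RA = 0x03E00008         # jr $ra
ADDU_V0_ZERO = 0x00001021  # addu $v0, $zero, $zero  (the "move $v0, $zero" idiom)
PT_LOAD = 1


def elf_byteorder(data: bytes) -> str:
    """Return the struct byte-order prefix ('>' or '<') of an ELF32 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:
        raise ValueError("only ELF32 is handled here")
    return ">" if data[5] == 2 else "<"   # EI_DATA: 2 = big-endian, 1 = little-endian


def vaddr_to_file_offset(data: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset using the PT_LOAD program headers."""
    e = elf_byteorder(data)
    (e_phoff,) = struct.unpack_from(e + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz, _memsz = struct.unpack_from(
            e + "6I", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"vaddr {vaddr:#x} is not backed by file data")


def patch_return_zero(data: bytes, func_vaddr: int) -> bytes:
    """Return a copy of `data` in which the function at func_vaddr returns 0."""
    e = elf_byteorder(data)
    off = vaddr_to_file_offset(data, func_vaddr)
    buf = bytearray(data)
    struct.pack_into(e + "II", buf, off, JR_RA, ADDU_V0_ZERO)
    return bytes(buf)


def build_sample_elf(big_endian: bool = True) -> bytes:
    """Constructed minimal ELF32 MIPS image: one PT_LOAD mapping the whole file at 0x400000."""
    e = ">" if big_endian else "<"
    base, code_off = 0x400000, 0x60
    # Stand-in function body: typical prologue, then jr $ra / nop.
    code = struct.pack(e + "4I", 0x27BDFFE0, 0xAFBF001C, 0x03E00008, 0x00000000)
    filesz = code_off + len(code)
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + bytes(8)
    # e_type=EXEC, e_machine=EM_MIPS(8), e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack(e + "HHIIIIIHHHHHH",
                               2, 8, 1, base + code_off, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(e + "8I", PT_LOAD, 0, base, base, filesz, filesz, 5, 0x10000)
    image = ehdr + phdr
    return image + bytes(code_off - len(image)) + code


SAMPLE_FUNC_VADDR = 0x400060  # where the stand-in function lives in the sample image

if __name__ == "__main__":
    patched = patch_return_zero(build_sample_elf(), SAMPLE_FUNC_VADDR)
    print(patched[0x60:0x68].hex())
```

For a real target, read the file, call `patch_return_zero(data, fork_vaddr)` with the address Ghidra reports, and write the result back. If fork lives in a shared libc rather than in the binary, patch the `jal` at the call site instead (or patch the copy of libc the emulator loads); the delay-slot rule applies there too.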

So the real check lives in the emu binary. Searching emu for the constant 0x23000 turned up something suspicious: the emulator checks the target address of a call made by the guest. After changing the jump target in mips_bin to 0x23000+ofs, the emulator no longer evaluated the second condition of that check, which indicates that the check triggers on a jalr executed after the flag is entered.

Following the disassembled code after the check, it turns out to be an RC4 encryption.

Brute-forcing the input one character at a time against that check, we get the flag.
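The RC4 check and the character-by-character brute force, as an added example that is not the challenge's or the writeup's code. It assumes the shape the two paragraphs above suggest: the input is RC4-encrypted under a key fixed in the emulator and compared with a stored ciphertext. Because RC4 is a stream cipher whose keystream does not depend on the plaintext, ciphertext byte i depends only on input byte i, which is exactly why a per-position brute force is enough. The key, flag and target ciphertext below are constructed for the demo.

```python
"""RC4 (KSA + PRGA) and byte-by-byte recovery of an RC4-checked input.

Added example, not the challenge's code.  Key, flag and target ciphertext
are constructed here; in the challenge they would be read out of emu.
"""
import string


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR data with the keystream (encryption and decryption are the same)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed stand-ins for the values that would be recovered by reversing emu.
CONSTRUCTED_KEY = b"qwb2024"
CONSTRUCTED_FLAG = b"flag{rc4_in_the_emulator}"
TARGET = rc4_crypt(CONSTRUCTED_KEY, CONSTRUCTED_FLAG)


def check(user_input: bytes) -> bool:
    """Stand-in for the emulator's check: encrypt the input and compare."""
    return rc4_crypt(CONSTRUCTED_KEY, user_input) == TARGET


def recover_flag(key: bytes, target: bytes, alphabet: bytes = string.printable.encode()) -> bytes:
    """Brute-force the input one position at a time.

    For position i, try every candidate byte and keep the one whose ciphertext
    byte i matches the target.  Exactly one candidate matches, because the
    keystream byte at i is fixed and XOR with it is a bijection.
    """
    known = b""
    for i in range(len(target)):
        for c in alphabet:
            if rc4_crypt(key, known + bytes([c]))[i] == target[i]:
                known += bytes([c])
                break
        else:
            raise ValueError(f"no printable byte matches at position {i}")
    return known


if __name__ == "__main__":
    flag = recover_flag(CONSTRUCTED_KEY, TARGET)
    print(flag.decode(), check(flag))
```

Once the key is known, the keystream can also be recovered directly (`rc4_crypt(key, b"\0" * len(target))`) and XORed with the target in one step; the position-wise brute force is shown because it is what the writeup did and it still works when all you have is an oracle that reports whether byte i matches.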

Takeaways

  1. XREF and search for specific bytes.

  2. Work around annoying behavior such as fork when debugging; if you cannot debug through it, patch it out.

  3. Make more assumptions about the algorithm (here, recognizing RC4) and spend more time reversing the binary.
