HTB University CTF 2023 — BioBundle (medium)

Overview

A binary that dynamically loads an encrypted shared library from memory to perform flag validation — without touching disk.

Analysis

The get_handle() function:

  1. Calls memfd_create to create an anonymous in-memory file descriptor
  2. Iterates through an array _, XORing each byte with 0x37
  3. Writes the decrypted bytes to the in-memory fd
  4. Opens it as a shared library via dlopen
  5. Resolves a function named "*" via dlsym — this is the actual validator

XORing the array’s first bytes with 0x37 yields \x7fELF — the ELF magic header.

Extraction Script

# exe.txt holds the encrypted array from the binary as whitespace-separated hex bytes
with open('exe.txt', 'rb') as f:
    data = f.read().split()

# undo the single-byte XOR (key 0x37) that get_handle() applies before memfd_create
val = [int(h, 16) for h in data]
res = bytes(v ^ 0x37 for v in val)

# write the recovered ELF shared object to disk for static analysis
with open('inside_bio', 'wb') as f:
    f.write(res)

Open inside_bio in IDA to find the validation logic and recover the flag.
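As an added example (not part of the original writeup), the extraction step can be generalised so the XOR key is recovered from the known \x7fELF magic instead of being hard-coded: the same technique applies to any memfd_create-style loader that hides its payload behind a single-byte XOR. The hex-dump format and the sample payload below are constructed for illustration.

```python
from typing import Optional, Tuple

ELF_MAGIC = b"\x7fELF"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key k with blob[i] ^ k == ELF magic for i in 0..3, else None."""
    if len(blob) < len(ELF_MAGIC):
        return None
    # every magic byte must agree on the same key, otherwise it is not a 1-byte XOR
    candidates = {blob[i] ^ ELF_MAGIC[i] for i in range(len(ELF_MAGIC))}
    return candidates.pop() if len(candidates) == 1 else None


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply the single-byte XOR to the whole blob (XOR is its own inverse)."""
    return bytes(b ^ key for b in blob)


def parse_hex_dump(text: bytes) -> bytes:
    """Parse whitespace-separated hex bytes, the layout assumed for exe.txt."""
    return bytes(int(tok, 16) for tok in text.split())


def decrypt_dump(text: bytes) -> Tuple[int, bytes]:
    """Parse the dump, recover the key from the ELF magic and return (key, decoded ELF)."""
    blob = parse_hex_dump(text)
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no consistent single-byte XOR key yields an ELF header")
    return key, xor_decode(blob, key)


# Constructed sample: a fake 8-byte ELF header XORed with 0x37, rendered as a hex dump
SAMPLE_PLAIN = b"\x7fELF\x02\x01\x01\x00"
SAMPLE_DUMP = " ".join(f"{b ^ 0x37:02x}" for b in SAMPLE_PLAIN).encode()

if __name__ == "__main__":
    key, elf = decrypt_dump(SAMPLE_DUMP)
    print(f"recovered key=0x{key:02x}, header={elf[:4]!r}")
```

Replace SAMPLE_DUMP with the contents of exe.txt to reproduce the writeup's inside_bio without assuming the key in advance.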