Just run GDB, set a "catch syscall write" catchpoint, then run the program; you will see something like this:
gdb ./main
GNU gdb (Debian 16.3-5) 16.3
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./main...
(No debugging symbols found in ./main)
(gdb) catch syscall write
Catchpoint 1 (syscall 'write' [1])
(gdb) run
Starting program: /home/kali/Downloads/main
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Catchpoint 1 (call to syscall write), 0x00007ffff7ce3687 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) x/s $rsi
0x55555570505e: "Enter decryption password: \n$argon2id$v=19$m=19456,t=2,p=1$c29tZXNhbHQ$J0rSD83Z7W69F5yZ3UZz6LlpzR8ykdPpMynDMUaugXI-"
(gdb)

Excellent, we have the first string, but we need the string that appears on failure:
Catchpoint 1 (call to syscall write), 0x00007ffff7ce3687 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) x/s $rsi
0x55555570505e: "Enter decryption password: \n$argon2id$v=19$m=19456,t=2,p=1$c29tZXNhbHQ$J0rSD83Z7W69F5yZ3UZz6LlpzR8ykdPpMynDMUaugXI-"
(gdb) c
Continuing.
Enter decryption password:
Catchpoint 1 (returned from syscall write), 0x00007ffff7ce3687 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) c
Continuing.
example
Catchpoint 1 (call to syscall write), 0x00007ffff7ce3687 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) x/s $rsi
0x5555557067cf: "Invalid decryption password\ndeno convert: cargo 1.89.0 (c24e10642 2025-06-23)pe"
(gdb)

This is what we need. Now we can calculate the string's address in the binary file itself, but for that we need the base address:
(gdb) info proc mappings
process 10024
Mapped address spaces:
Start Addr End Addr Size Offset Perms File
0x0000555555554000 0x000055555557e000 0x2a000 0x0 r--p /home/kali/Downloads/main
0x000055555557e000 0x00005555556ff000 0x181000 0x2a000 r-xp /home/kali/Downloads/main
0x00005555556ff000 0x0000555555743000 0x44000 0x1ab000 r--p /home/kali/Downloads/main
0x0000555555743000 0x000055555575c000 0x19000 0x1ef000 r--p /home/kali/Downloads/main
0x000055555575c000 0x000055555575e000 0x2000 0x208000 rw-p /home/kali/Downloads/main
0x000055555575e000 0x000055555577f000 0x21000 0x0 rw-p [heap]
0x00007ffff7c50000 0x00007ffff7c54000 0x4000 0x0 rw-p
0x00007ffff7c54000 0x00007ffff7c7c000 0x28000 0x0 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7c7c000 0x00007ffff7de1000 0x165000 0x28000 r-xp /usr/lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7de1000 0x00007ffff7e37000 0x56000 0x18d000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7e37000 0x00007ffff7e3b000 0x4000 0x1e2000 r--p /usr/lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7e3b000 0x00007ffff7e3d000 0x2000 0x1e6000 rw-p /usr/lib/x86_64-linux-gnu/libc.so.6
0x00007ffff7e3d000 0x00007ffff7e4a000 0xd000 0x0 rw-p
0x00007ffff7e4a000 0x00007ffff7e4e000 0x4000 0x0 r--p /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff7e4e000 0x00007ffff7e71000 0x23000 0x4000 r-xp /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff7e71000 0x00007ffff7e75000 0x4000 0x27000 r--p /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff7e75000 0x00007ffff7e76000 0x1000 0x2a000 r--p /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff7e76000 0x00007ffff7e77000 0x1000 0x2b000 rw-p /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007ffff7e77000 0x00007ffff7e83000 0xc000 0x0 r--p /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
0x00007ffff7e83000 0x00007ffff7ee8000 0x65000 0xc000 r-xp /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
0x00007ffff7ee8000 0x00007ffff7eff000 0x17000 0x71000 r--p /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
0x00007ffff7eff000 0x00007ffff7f00000 0x1000 0x88000 r--p /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
0x00007ffff7f00000 0x00007ffff7f01000 0x1000 0x89000 rw-p /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
0x00007ffff7f01000 0x00007ffff7f0a000 0x9000 0x0 r--p /usr/lib/x86_64-linux-gnu/libhogweed.so.6.10
0x00007ffff7f0a000 0x00007ffff7f1f000 0x15000 0x9000 r-xp /usr/lib/x86_64-linux-gnu/libhogweed.so.6.10
0x00007ffff7f1f000 0x00007ffff7f49000 0x2a000 0x1e000 r--p /usr/lib/x86_64-linux-gnu/libhogweed.so.6.10
0x00007ffff7f49000 0x00007ffff7f4b000 0x2000 0x48000 r--p /usr/lib/x86_64-linux-gnu/libhogweed.so.6.10
0x00007ffff7f4b000 0x00007ffff7f4c000 0x1000 0x4a000 rw-p /usr/lib/x86_64-linux-gnu/libhogweed.so.6.10
0x00007ffff7f4c000 0x00007ffff7f5a000 0xe000 0x0 r--p /usr/lib/x86_64-linux-gnu/libnettle.so.8.10
0x00007ffff7f5a000 0x00007ffff7f86000 0x2c000 0xe000 r-xp /usr/lib/x86_64-linux-gnu/libnettle.so.8.10
0x00007ffff7f86000 0x00007ffff7f9e000 0x18000 0x3a000 r--p /usr/lib/x86_64-linux-gnu/libnettle.so.8.10
0x00007ffff7f9e000 0x00007ffff7fa1000 0x3000 0x51000 r--p /usr/lib/x86_64-linux-gnu/libnettle.so.8.10
0x00007ffff7fa1000 0x00007ffff7fa2000 0x1000 0x54000 rw-p /usr/lib/x86_64-linux-gnu/libnettle.so.8.10
0x00007ffff7fbc000 0x00007ffff7fbd000 0x1000 0x0 ---p
0x00007ffff7fbd000 0x00007ffff7fbf000 0x2000 0x0 rw-p
0x00007ffff7fbf000 0x00007ffff7fc1000 0x2000 0x0 rw-p
0x00007ffff7fc1000 0x00007ffff7fc5000 0x4000 0x0 r--p [vvar]
0x00007ffff7fc5000 0x00007ffff7fc7000 0x2000 0x0 r-xp [vdso]
0x00007ffff7fc7000 0x00007ffff7fc8000 0x1000 0x0 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x00007ffff7fc8000 0x00007ffff7ff0000 0x28000 0x1000 r-xp /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x00007ffff7ff0000 0x00007ffff7ffb000 0xb000 0x29000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x00007ffff7ffb000 0x00007ffff7ffd000 0x2000 0x34000 r--p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x00007ffff7ffd000 0x00007ffff7ffe000 0x1000 0x36000 rw-p /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
0x00007ffff7ffe000 0x00007ffff7fff000 0x1000 0x0 rw-p
0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 rw-p [stack]

Now we can calculate the address of this string in Ghidra. Its offset from the load base is 0x00005555557067cf - 0x0000555555554000 = 0x1B27CF; Ghidra loads a PIE binary at image base 0x100000, so the address in Ghidra is 0x1B27CF + 0x100000 = 0x2B27CF.
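The same translation done programmatically, as an added example that is not part of the original writeup: it parses the ./main rows of the mapping table above (constructed copy), converts a runtime address into a file offset via its containing mapping, and into a Ghidra address via the load base plus Ghidra's default PIE image base 0x100000.

```python
"""Runtime address -> file offset / Ghidra address, using GDB's `info proc mappings`.

Added example (not from the writeup). Rows below are a constructed copy of the ./main
rows printed above; 0x100000 is Ghidra's default image base for a 64-bit PIE ELF.
"""
from typing import Optional

MAPPINGS = """\
0x0000555555554000 0x000055555557e000 0x2a000 0x0 r--p /home/kali/Downloads/main
0x000055555557e000 0x00005555556ff000 0x181000 0x2a000 r-xp /home/kali/Downloads/main
0x00005555556ff000 0x0000555555743000 0x44000 0x1ab000 r--p /home/kali/Downloads/main
0x0000555555743000 0x000055555575c000 0x19000 0x1ef000 r--p /home/kali/Downloads/main
0x000055555575c000 0x000055555575e000 0x2000 0x208000 rw-p /home/kali/Downloads/main
"""
GHIDRA_IMAGE_BASE = 0x100000


def parse_mappings(text: str, module: str) -> list[tuple[int, int, int]]:
    """Return (start, end, file_offset) for every row backed by `module`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[5] == module:
            start, end, _size, offset = (int(p, 16) for p in parts[:4])
            rows.append((start, end, offset))
    return rows


def runtime_to_file_offset(addr: int, maps) -> Optional[int]:
    """File offset behind a runtime address: add the containing mapping's file offset."""
    for start, end, offset in maps:
        if start <= addr < end:
            return addr - start + offset
    return None  # not backed by the module (libc, heap, stack, ...)


def runtime_to_ghidra(addr: int, maps) -> int:
    """Ghidra address = image base + (runtime address - lowest module mapping).
    For ./main this equals file offset + 0x100000, because every segment's file
    offset equals its distance from the load base (why the writeup's shortcut works)."""
    load_base = min(start for start, _end, _off in maps)
    return addr - load_base + GHIDRA_IMAGE_BASE


if __name__ == "__main__":
    maps = parse_mappings(MAPPINGS, "/home/kali/Downloads/main")
    s = 0x5555557067cf  # "Invalid decryption password" seen via x/s $rsi
    print(hex(runtime_to_file_offset(s, maps)), hex(runtime_to_ghidra(s, maps)))
    # 0x1b27cf 0x2b27cf
```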
Now we can switch to Ghidra:
s_Invalid_decryption_password_002b27cf XREF[1]: 002f0708(*)
002b27cf 49 6e 76 ds "Invalid decryption password\n"
61 6c 69
64 20 64

Now we have the XREF; navigate to it.
The XREF lands in a massive function full of junk code. The line we are interested in is FUN_00283290(&local_1288,"./flag.enc",10); so we need to find a path that reaches it.
The main patch candidate is sitting here:
0014156b ff 15 1f CALL qword ptr [->FUN_00284800] undefined FUN_00284800()
56 1c 00 = 00284800
00141571 48 89 84 MOV qword ptr [RSP + local_ea8[0]],RAX
24 30 05
00 00
00141579 48 8d bc LEA RDI=>local_ea8,[RSP + 0x530]
24 30 05
00 00
00141581 48 8d 74 LEA RSI=>local_13b8,[RSP + 0x20]
24 20
00141586 ff 15 ec CALL qword ptr [->FUN_00284830] undefined FUN_00284830()
4f 1c 00 = 00284830
0014158c a8 01 TEST AL,0x1
0014158e 0f 85 5d JNZ LAB_00141ff1
0a 00 00
00141594 48 8d 35 LEA RSI,[s_$argon2id$v=19$m=19456,t=2,p=1$c_002b10 = "$argon2id$v=19$m=19456,t=2,p= <- The Argon2 hash string is loaded here, so we can assume this is the password check (you can confirm it with GDB :) )
df fa 16 00
0014159b 48 8d bc LEA RDI=>local_1288,[RSP + 0x150]
24 50 01
00 00
001415a3 ba 56 00 MOV EDX,0x56
00 00
001415a8 ff 15 7a CALL qword ptr [->FUN_00264210] undefined FUN_00264210()
54 1c 00 = 00264210
001415ae 83 bc 24 CMP dword ptr [RSP + local_1288[0]],0x2
50 01 00
00 02
00141610 0f 85 e3 JNZ LAB_001420f9 <- THIS CHECK IS CRUCIAL: IF OUR PASSWORD ISN'T THE RIGHT ONE, THE PROGRAM ENTERS THE ERROR-HANDLING CODE, SO WE NEED TO PATCH IT
0a 00 00
We patch this instruction to NOP. Next we look for similar instructions that lead to the error-handling code, and we come across this JNZ:
001415f5 48 8d bc LEA RDI=>local_ea8,[RSP + 0x530]
24 30 05
00 00
001415fd 4c 89 f6 MOV RSI,R14
00141600 49 89 d8 MOV R8,RBX
00141603 e8 88 40 CALL FUN_00145690 undefined FUN_00145690()
00 00
00141608 80 bc 24 CMP byte ptr [RSP + local_ea8[0]],0xd
30 05 00
00 0d
00141610 0f 85 e3 JNZ LAB_001420f9
0a 00 00
00141616 48 8d 05 LEA RAX,[s_-_002b10d0] = "-"
b3 fa 16 00
0014161d 48 89 84 MOV qword ptr [RSP + local_ea8[0]],RAX=>s_-_002b10d0 = "-"
24 30 05
00 00

This jump also leads to "Invalid decryption password", so we NOP this JNZ as well. Now we can test our patch:
┌──(kali㉿kali)-[~]
└─$ ./main_patched
Enter decryption password:
d
The decrypted message is: KTMTY{63318479-76a4-4be2-a086-09c8716d7451}
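The NOP patch the writeup applies by hand in Ghidra, written as a checked script; this is an added example, not the author's tooling. It assumes Ghidra's default PIE image base 0x100000 (so file offset = Ghidra address - 0x100000, which the mapping table confirms for ./main), decodes the JNZ's rel32 target and refuses to patch unless it matches the LAB_001420f9 shown in the listing; since the binary is not shipped, it runs against a constructed in-memory image carrying the listing's bytes.

```python
"""Verify-then-NOP the JNZ at Ghidra address 0x141610 (added example, not from the writeup).

File offset = Ghidra address - 0x100000 (Ghidra's default PIE image base, valid for
./main per the mapping table). The binary is not included, so the patch is exercised
on a constructed bytearray that carries the listing's bytes at the right offset.
"""
import struct

GHIDRA_IMAGE_BASE = 0x100000
JNZ_REL32 = b"\x0f\x85"  # opcode of the 6-byte near JNZ rel32 form


def jnz_target(ghidra_addr: int, insn: bytes) -> int:
    """Decode where a `0f 85 rel32` JNZ lands: target = address of next insn + rel32."""
    if len(insn) != 6 or insn[:2] != JNZ_REL32:
        raise ValueError(f"not a JNZ rel32 at {ghidra_addr:#x}: {insn.hex()}")
    rel32 = struct.unpack("<i", insn[2:])[0]
    return ghidra_addr + len(insn) + rel32


def nop_out_jnz(image: bytearray, ghidra_addr: int, expected_target: int) -> bytes:
    """Replace the JNZ at `ghidra_addr` with NOPs, but only if it jumps to `expected_target`."""
    off = ghidra_addr - GHIDRA_IMAGE_BASE
    insn = bytes(image[off:off + 6])
    target = jnz_target(ghidra_addr, insn)
    if target != expected_target:
        raise ValueError(f"JNZ at {ghidra_addr:#x} targets {target:#x}, expected {expected_target:#x}")
    image[off:off + 6] = b"\x90" * 6  # six 1-byte NOPs: same length, always falls through
    return insn  # original bytes, kept so the patch can be reverted


def build_sample_image() -> bytearray:
    """Constructed stand-in for main: zeros, with the listing's JNZ bytes at 0x141610."""
    image = bytearray(0x50000)
    image[0x41610:0x41616] = bytes.fromhex("0f85e30a0000")
    return image


if __name__ == "__main__":
    img = build_sample_image()
    old = nop_out_jnz(img, 0x141610, 0x1420f9)  # LAB_001420f9 from the listing
    print(old.hex(), img[0x41610:0x41616].hex())  # 0f85e30a0000 909090909090
```

On the real file the same function would be called on `bytearray(open("main", "rb").read())` and the result written to main_patched; the target check is what catches a wrong offset before any byte is changed.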