By: unvariant

Tags: pwn NBCTF-2023

Problem Description:


Reveal Hints none

Thumb mode or T32 is a separate execution mode for ARM (the normal execution mode is A32) where the instructions are 16 bits long[1] instead of the usual 32. The smaller 16 bit instructions limited to a smaller subset of the functionality of A32 but saves on code space. The challenge name implies that the solution has something to do with thumb.

After the main function there is a suspicious range of bytes that the decompiler has not assigned anything to, and it also contains the string “/bin/sh”.


If we disassemble it and force thumb mode, it yields this:


Which is a small assembly stub that executes execve("/bin/sh", NULL, NULL). All we have to do is overwrite the return address with the address of this stub, making sure to set the lsb to switch to thumb mode and we pop a shell.

[1]: T32 now also have Thumb instructions that are 32 bits long, known as Thumb-2.