# Revioli, Revioli, give me the formeoli

## Analysis

In ***Revioli, Revioli, give me the formeoli***, we are provided with a single file called `revioli`. Running the command `file` on `revioli` reveals that it is a 64-bit ELF. That means the program is written for a Unix-like system (in this case, Linux).

```
$ file revioli
revioli: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=779286f1278a23eeb1c727e7bfb8804993ef4b81, for GNU/Linux 3.2.0, not stripped
```

Next, let's examine what the program does. This time, I use *IDA Freeware 8.4* on a Linux machine to reverse engineer this executable. After locating the `main` function in the *Functions* window, I press `Tab` on my keyboard to decompile the function. Here's the decompiled C code that IDA generated:

![Decompiled code of the main function](https://hackmd.io/_uploads/SkuhoW-RR.png)

In the last few lines, we see the winning condition:

```c
if ( !strcmp(s, s2) )
  printf("Congratulations! The flag is: %s\n", v6);
else
  puts("No toucha my spaget!");
```

The program compares the contents of strings `s` and `s2`. If they are equal, the message `Congratulations! The flag is:` is printed alongside the value of `v6`. Otherwise, `No toucha my spaget!` is printed out. This means `v6` holds the content of the flag.

Looking further up, we find the snippet where `s`'s value is read from the user's input:

```c
printf("Enter-a the password-a: ");
fgets(s, 256, _bss_start);
s[strcspn(s, "\n")] = 0;
```

Meanwhile, `s2`'s value is generated by the program:

```c
gen_correct_flag(s2, argv, envp);
assemble_flag(s2, v6);
```

`v6` is also last written here, before any user input is read. This means `v6` is determined regardless of what we enter.

## Debugging

We set a breakpoint right after `assemble_flag(s2, v6);` and debug the program to inspect the value of `v6`:

![Decompiled code of main with breakpoint set on line 11](https://hackmd.io/_uploads/Sk4F3WZCA.png)

![Debugger/Start process](https://hackmd.io/_uploads/rkmi3ZWAC.png)

To view `main`'s local variables, we open the *Locals* window:

![Debugger/Debugger windows/Locals](https://hackmd.io/_uploads/rJH62ZWRR.png)

And the *formeoli* is now in our *handeoli*! We've successfully recovered the content of the flag:

![Locals window](https://hackmd.io/_uploads/B1iC3--AA.png)

Flag: `PCTF{ITALY_01123581321345589144233377}`.
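
The flag was recoverable because `v6` is fully built before any input is read. As a contrast, this added example (not code from the challenge or from the original writeup) sketches a check where the flag is stored masked under a key derived from the password, so a breakpoint before the prompt shows only ciphertext. `seal`, `unseal` and `struct sealed` are hypothetical names, the password and flag are constructed, and FNV-1a plus xorshift64 are toy stand-ins for a real KDF and authenticated cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Seeded 64-bit FNV-1a: a toy stand-in for a real password KDF. */
static uint64_t fnv1a(const char *s, uint64_t h) {
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* XOR buf with an xorshift64 keystream: a toy stand-in for a real cipher. */
static void xor_stream(unsigned char *buf, size_t n, uint64_t key) {
    key |= 1; /* xorshift state must be non-zero */
    for (size_t i = 0; i < n; i++) {
        key ^= key << 13; key ^= key >> 7; key ^= key << 17;
        buf[i] ^= (unsigned char)key;
    }
}

#define SEED_KEY 0xcbf29ce484222325ULL /* FNV offset basis */
#define SEED_TAG 0x84222325cbf29ce4ULL /* constructed second seed */
struct sealed { uint64_t tag; size_t len; unsigned char ct[64]; };

/* Build time: only the masked flag and a verifier tag ship in the binary. */
int seal(struct sealed *b, const char *password, const char *flag) {
    if (strlen(flag) > sizeof b->ct) return 0;
    b->len = strlen(flag);
    memcpy(b->ct, flag, b->len);
    xor_stream(b->ct, b->len, fnv1a(password, SEED_KEY));
    b->tag = fnv1a(password, SEED_TAG);
    return 1;
}

/* Run time: the plaintext flag exists only after the right input arrives. */
int unseal(const struct sealed *b, const char *input, char *out, size_t outsz) {
    if (b->len >= outsz || fnv1a(input, SEED_TAG) != b->tag) return 0;
    memcpy(out, b->ct, b->len);
    xor_stream((unsigned char *)out, b->len, fnv1a(input, SEED_KEY));
    out[b->len] = '\0';
    return 1;
}

int main(void) {
    struct sealed b; char out[65];
    seal(&b, "constructed-password", "FLAG{constructed_example}");
    printf("wrong: %d\n", unseal(&b, "guess", out, sizeof out));
    if (unseal(&b, "constructed-password", out, sizeof out)) puts(out);
    return 0;
}
```

A debugger still sees the flag once the correct password has been entered, and a weak password can be brute-forced offline against the tag; the design only removes the input-independent copy of the secret.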