Cosmonaut
=========
## Challenge
This is a good rev challenge to start with. Use the help button to ask for a hint if you get stuck.

Cosmonauts run their programs everywhere and all at once. Assemble all the flag fragments to win.

## Included files
* cosmonaut.com

## Analysis

While analysing the strings of the binary, I found a reference to a project called Cosmopolitan by jart, described as follows in its [GitHub README](https://github.com/jart/cosmopolitan):

> Cosmopolitan Libc makes C/C++ a build-once run-anywhere language, like Java, except it doesn't need an interpreter or virtual machine. Instead, it reconfigures stock GCC and Clang to output a POSIX-approved polyglot format that runs natively on Linux + Mac + Windows + FreeBSD + OpenBSD 7.3 + NetBSD + BIOS with the best possible performance and the tiniest footprint imaginable.

The README then goes on to show information on debugging applications compiled with Cosmopolitan, logging of system calls, etc.

The hint from the challenge suggests that the program needs to be run on (or emulated as) various operating systems to reveal each part of the flag. I'll start by running the program as it stands to observe its behaviour.

```bash
sh ./cosmonaut.com
```

```
Cosmonauts run their programs everywhere and all at once.
Like on Linux!
bctf{4_7ru3_
```


Having now identified some useful strings, I opened the program up in Ghidra to find the important parts.
The code is very mangled and it is difficult to make heads or tails of these functions. I identified the following function that does most of the work:
```c
undefined8 FUN_00401960(undefined8 param_1,undefined8 param_2,undefined8 param_3,undefined8 param_4)
{
    print(param_1,param_2,param_3,param_4,
          "Cosmonauts run their programs everywhere and all at once.");
    if ((DAT_00438fc0 & 4) == 0) {
        if ((DAT_00438fc0 & 1) == 0) {
            if ((DAT_00438fc0 & 0x20) == 0) {
                print(param_1,param_2,param_3,param_4,"Except here...");
            }
            else {
                print(param_1,param_2,param_3,param_4,"Like on FreeBSD!");
                flag_FreeBSD(param_1,param_2,param_3,param_4);
            }
        }
        else {
            print(param_1,param_2,param_3,param_4,"Like on Linux!");
            flag_Linux(param_1,param_2,param_3,param_4);
        }
    }
    else {
        print(param_1,param_2,param_3,param_4,"Like on Windows!");
        flag_Windows(param_1,param_2,param_3,param_4);
    }
    return 0;
}
```
Using Ghidra, I patched the instructions so that the function does the following (by replacing JMP with NOP in many instances, etc.):
```c
void FUN_00401960(undefined8 param_1,undefined8 param_2,undefined8 param_3,undefined8 param_4) {
    undefined8 unaff_GS_OFFSET;
    
    print(param_1,param_2,param_3,param_4,
          "Cosmonauts run their programs everywhere and all at once.",unaff_GS_OFFSET);
    print(param_1,param_2,param_3,param_4,"Like on FreeBSD!",unaff_GS_OFFSET);
    flag_FreeBSD(param_1,param_2,param_3,param_4);
    print(param_1,param_2,param_3,param_4,"Like on Linux!",unaff_GS_OFFSET);
    flag_Linux(param_1,param_2,param_3,param_4);
    print(param_1,param_2,param_3,param_4,"Like on Windows!",unaff_GS_OFFSET);
    flag_Windows(param_1,param_2,param_3,param_4);
    print(param_1,param_2,param_3,param_4,"Except here...",unaff_GS_OFFSET);
    return;
}
```
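The same kind of edit can be scripted instead of done by hand in Ghidra. The following is an added example, not part of the original write-up: it overwrites jump instructions with NOPs of the same length and refuses to patch an offset that does not hold a jump. The byte sequence and offsets are constructed for illustration and are not taken from `cosmonaut.com`.

```python
"""Added example: NOP out x86-64 jumps in a byte buffer, checking each opcode first."""
NOP = 0x90

# Constructed sample (not bytes from cosmonaut.com): one test-and-branch pair.
SAMPLE = bytes.fromhex(
    "f6050000000004"  # 0x00 test byte ptr [rip+0], 4
    "7407"            # 0x07 jz   0x10
    "e800000000"      # 0x09 call <first handler>
    "eb05"            # 0x0e jmp  0x15
    "e800000000"      # 0x10 call <second handler>
    "c3"              # 0x15 ret
)


def branch_length(code: bytes, off: int) -> int:
    """Return the encoded length of the jump at `off`, or 0 if it is not a jump."""
    op = code[off]
    if op == 0xEB or 0x70 <= op <= 0x7F:   # JMP rel8 / Jcc rel8
        return 2
    if op == 0xE9:                          # JMP rel32
        return 5
    if op == 0x0F and off + 1 < len(code) and 0x80 <= code[off + 1] <= 0x8F:
        return 6                            # Jcc rel32
    return 0


def nop_branches(code: bytes, offsets) -> bytes:
    """Replace each jump at the given offsets with NOPs; file length never changes."""
    out = bytearray(code)
    for off in offsets:
        n = branch_length(code, off)
        if n == 0 or off + n > len(code):
            # Wrong offset: patching here would corrupt a different instruction.
            raise ValueError(f"no complete jump at offset {off:#x}")
        out[off:off + n] = bytes([NOP]) * n
    return bytes(out)


if __name__ == "__main__":
    patched = nop_branches(SAMPLE, [0x07, 0x0E])
    # With both jumps gone, execution falls through both calls in order.
    print(SAMPLE.hex(" "))
    print(patched.hex(" "))
```

Because every jump is replaced by NOPs of equal length, all other offsets and relative call targets in the file stay valid.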

```bash
./cosmonaut.patched.com || true
```

```
Cosmonauts run their programs everywhere and all at once.
Like on FreeBSD!
kn0w5_n0_b0und5}
Like on Linux!
bctf{4_7ru3_
Like on Windows!
c05m0p0l174n_c0nn353ur_
Except here...
```


Flag: bctf{4_7ru3_c05m0p0l174n_c0nn353ur_kn0w5_n0_b0und5}