Forensics 350: core
Challenge
This program was about to print the flag when it died. Maybe the flag is still in this core file that it dumped?
Also available at /problems/core_0_28700fe29cea151d6a3350f244f342b2 on the shell server.
Solution
(master) [hxr@mk:~/Personal/projects/ctf-writeups-galaxians/PicoCTF_2018/writeupfiles]148$ gdb print_flag core
warning: exec file is newer than core file.
[New LWP 59693]
Core was generated by `/opt/hacksports/staging/core_0_4983223896836212/problem_files/print_flag'.
Program terminated with signal SIGTRAP, Trace/breakpoint trap.
#0 print_flag () at ./print_flag.c:90
90 ./print_flag.c: Datei oder Verzeichnis nicht gefunden.
(gdb) disas
Dump of assembler code for function print_flag:
=> 0x080487c1 <+0>: push ebp
0x080487c2 <+1>: mov ebp,esp
0x080487c4 <+3>: sub esp,0x18
0x080487c7 <+6>: mov DWORD PTR [ebp-0xc],0x539
0x080487ce <+13>: mov eax,DWORD PTR [ebp-0xc]
0x080487d1 <+16>: mov eax,DWORD PTR [eax*4+0x804a080]
0x080487d8 <+23>: sub esp,0x8
0x080487db <+26>: push eax ; arg2: *eax
0x080487dc <+27>: push 0x804894c ; arg1: (x/s 0x804894c)
0x080487e1 <+32>: call 0x8048410 <printf@plt> ; printf
0x080487e6 <+37>: add esp,0x10
0x080487e9 <+40>: nop
0x080487ea <+41>: leave
0x080487eb <+42>: ret
End of assembler dump.
(gdb) x/s 0x804894c
0x804894c: "your flag is: picoCTF{\%s}\n"
(gdb) x/s *(0x539*4 + 0x804a080)
0x80610f0: "abb6a3b2603654804ed357322c760510"
We work backwards here: it will call printf with two arguments (the two pushes before the call). Printing out the second push we see the format string. The first push just pushes eax, so whatever is in eax is being passed to the format string.
We cannot print out eax because it isn't set yet (and trying to step/continue causes an immediate crash), so we need to calculate what value will be in eax.
The relevant lines are:
mov DWORD PTR [ebp-0xc],0x539
mov eax,DWORD PTR [ebp-0xc]
mov eax,DWORD PTR [eax*4+0x804a080]
Which can be translated as
var1 = 0x539
eax = var1
eax = *(eax * 4 + 0x804a080)
The last mov is a load, not an address calculation: eax ends up holding the 4-byte pointer stored at 0x539 * 4 + 0x804a080 (element 0x539 of a pointer array based at 0x804a080), and the string that pointer refers to is what gets printed. We can read it straight out of the core in gdb with x/s *(0x539 * 4 + 0x804a080).
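To make the address arithmetic concrete, here is an added example (my own code, not part of the original writeup) that performs the same lookup without gdb: it walks the PT_LOAD program headers of a 32-bit ELF core, translates the virtual address 0x804a080 + 0x539 * 4 to a file offset, reads the 4-byte little-endian pointer there and follows it to the NUL-terminated string. The challenge core file is not included here, so build_fake_core constructs a minimal stand-in with the same two addresses (pointer in a data segment, string at 0x80610f0) purely for demonstration.

```python
import struct
# Addresses from the writeup's disassembly: 4-byte pointer array at 0x804a080, index 0x539.
ARRAY_BASE, INDEX, PT_LOAD = 0x804a080, 0x539, 1

def load_segments(core):
    """Return (vaddr, filesz, file offset) for every PT_LOAD of an ELF32 core."""
    assert core[:4] == b"\x7fELF" and core[4] == 1, "expected a 32-bit ELF"
    e_phoff, = struct.unpack_from("<I", core, 0x1c)
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 0x2a)
    segs = []
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _, p_filesz = struct.unpack_from("<5I", core, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz:
            segs.append((p_vaddr, p_filesz, p_off))
    return segs

def read_mem(core, segs, vaddr, size):
    """Translate a virtual address to a file offset inside a dumped segment and read it."""
    for p_vaddr, p_filesz, p_off in segs:
        if p_vaddr <= vaddr and vaddr + size <= p_vaddr + p_filesz:
            return core[p_off + vaddr - p_vaddr:p_off + vaddr - p_vaddr + size]
    raise ValueError("0x%x is not in any dumped segment" % vaddr)

def read_cstring(core, segs, vaddr, limit=256):
    """Read a NUL-terminated string one byte at a time, so we never run off a segment."""
    out = bytearray()
    while len(out) < limit and (b := read_mem(core, segs, vaddr + len(out), 1)) != b"\0":
        out += b
    return bytes(out)

def recover_flag(core):
    """Same as `x/s *(0x539*4 + 0x804a080)` in gdb: load the pointer, then the string."""
    segs = load_segments(core)
    ptr, = struct.unpack("<I", read_mem(core, segs, ARRAY_BASE + INDEX * 4, 4))
    return read_cstring(core, segs, ptr).decode()

def build_fake_core(flag_body):
    """Constructed stand-in for the challenge core: data segment with the pointer, heap segment with the string."""
    segs = [(0x804a000, bytearray(0x1600)), (0x8061000, bytearray(0x200))]
    struct.pack_into("<I", segs[0][1], ARRAY_BASE + INDEX * 4 - 0x804a000, 0x80610f0)
    segs[1][1][0xf0:0xf1 + len(flag_body)] = flag_body + b"\0"
    phdrs, blobs, off = b"", b"", 52 + 32 * len(segs)
    for vaddr, data in segs:  # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        phdrs += struct.pack("<8I", PT_LOAD, off, vaddr, vaddr, len(data), len(data), 6, 0x1000)
        blobs += data
        off += len(data)
    # Elf32_Ehdr: ET_CORE, EM_386, version 1, phdrs at offset 52, 32 bytes each, no sections.
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HHIIIIIHHHHHH", 4, 3, 1, 0, 52, 0, 0, 52, 32, len(segs), 0, 0, 0)
    return ehdr + phdrs + blobs
```

On the real dump, recover_flag(open("core", "rb").read()) performs the same lookup gdb did above.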
Flag
picoCTF{abb6a3b2603654804ed357322c760510}