PACTF_2018: Getting To Know GDB
Category: Lovelace
Points: 50
Description: A friend sent me a mysterious binary. It’s supposed to print out the flag, but it’s giving me a weird poem and some hex instead.
This challenge was solved lazily: I dumped the stack rather than properly reverse engineering the challenge.
    # r2 mysterious_elf.771c3c9447cd -d
    r_config_set: variable 'asm.cmtright' not found
    Process with PID 10096 started...
    = attach 10096 10096
    bin.baddr 0x562d1d6e3000
    Using 0x562d1d6e3000
    asm.bits 64
     -- In Soviet Russia, radare2 has documentation.
    [0x7f5a5a42ec30]> doo
    Wait event received by different pid 10096
    Process with PID 10097 started...
    File dbg:///root/downloads/mysterious_elf.771c3c9447cd reopened in read-write mode
    = attach 10097 10097
    WARNING: bin_strings buffer is too big (0xffffaa6df2c863c8). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
    WARNING: bin_strings buffer is too big (0xffffaa6df2c79138). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
    WARNING: bin_strings buffer is too big (0xffffaa6df2c76c98). Use -zzz or set bin.maxstrbuf (RABIN2_MAXSTRBUF) in r2 (rabin2)
    10097
    [0x7f38e52d1c30]> dc
    This is the string you're allowed to see...
    It is here for viewing, no matter what your intention may be...
    But something more interesting below this sea...
    Fortunately for you, there is such a thing as GDB!
    The solution is simple, but you have been baited...
    For the println that reveals the flag has been truncated!
    The flag was in there, all ready to go–but not anymore...
    Now all that remains is some random base 64!
    The flag is: --> Z2ZRZHkwTDVEMDFMQmdZWQ== <--^Cchild stopped with signal 2
    [+] SIGNAL 2 errno=0 addr=0x00000000 code=128 ret=0
    [0x7f38e4cb8c00]> e search.in=dbg.stack
    [0x7f38e4cb8c00]> / good
    0x7ffe7e481320 0x000000000000003c <....... ascii
    0x7ffe7e481328 0x0000003000000002 ....0...
    0x7ffe7e481330 0x000055920d9b9870 p....U.. heap R W 0x67616c6620656854 (The flag is: why_use_breakpoints_if_you_have_good_timing ) --> ascii
    0x7ffe7e481338 0x0000000000000039 9....... ascii
    0x7ffe7e481340 0x0000000000000039 9....... ascii
Therefore, the flag is
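The stack listing above shows one slot holding a heap pointer, which the debugger followed to the untruncated string. As an added example (not part of the original write-up), this Python script does the same pointer-following over a constructed memory snapshot; the heap base, the region layout and the placeholder flag text are assumptions.

```python
import struct

def ascii_at(data, off, min_len=4):
    """Printable ASCII run starting at off, or None if shorter than min_len."""
    end = off
    while end < len(data) and 0x20 <= data[end] < 0x7F:
        end += 1
    return data[off:end].decode("ascii") if end - off >= min_len else None

def telescope(stack, stack_base, regions):
    """Read the stack as 8-byte little-endian slots. For every slot whose value
    points into a known region, return (slot_addr, value, region, string)."""
    hits = []
    for off in range(0, len(stack) - 7, 8):
        (value,) = struct.unpack_from("<Q", stack, off)
        for name, (base, data) in regions.items():
            if base <= value < base + len(data):
                text = ascii_at(data, value - base)
                if text is not None:
                    hits.append((stack_base + off, value, name, text))
    return hits

# Constructed snapshot: slot values and addresses mirror the listing above;
# the heap base and the placeholder flag text are assumptions.
STACK_BASE = 0x7FFE7E481320
HEAP_BASE = 0x55920D9B9000
FLAG_LINE = b"The flag is: placeholder_flag_value"
HEAP = bytes(0x870) + FLAG_LINE + b"\x00" * 16
STACK = struct.pack("<5Q", 0x3C, 0x0000003000000002, HEAP_BASE + 0x870, 0x39, 0x39)
REGIONS = {"heap": (HEAP_BASE, HEAP)}

if __name__ == "__main__":
    for slot, value, region, text in telescope(STACK, STACK_BASE, REGIONS):
        print(f"{slot:#x}  {value:#018x}  {region}  ({text})")
```

The first eight bytes of the string, read as a little-endian quadword, are the `0x67616c6620656854` value shown next to the heap pointer in the listing.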