Easy As GDB PicoCTF Challenge
Reverse engineering and brute-forcing Linux binaries
Easy As GDB PicoCTF Challenge
Static Analysis
You Know What's Next, Binja Time!
sub_565558c4
:
- This checks our flag, hence the reason it is in an `if` statement comparing it to 1 (true) in the `main` function.
Comparing the lowest 8 bits of `rax` (`al`) to the lowest 8 bits of `rdx` (`dl`).
Python Script For Bruteforcing The Flag In GDB
import gdb
import string
from queue import Queue, Empty
MAX_FLAG_LEN = 0x200  # upper bound (512 characters) on how far the brute-force loop below extends the flag
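class Checkpoint(gdb.Breakpoint):
    """Silent breakpoint that reports one byte-compare result to the driver.

    The breakpoint sits on the instruction comparing ``al`` with ``dl`` (the low
    bytes of ``rax`` / ``rdx``).  It is hit repeatedly during a single run; on
    the ``target_hitcount``-th hit the two registers are read and the outcome of
    ``al == dl`` is pushed onto ``queue``.  The driver creates one Checkpoint per
    guess with ``target_hitcount`` equal to the position being guessed, so the
    queued value is the compare for exactly that character.  The inferior is
    never halted by this breakpoint.
    """

    def __init__(self, queue, target_hitcount, *args):
        """Create the breakpoint.

        Args:
            queue: ``queue.Queue`` the compare result is put on.
            target_hitcount: 1-based hit number at which to sample the registers.
            *args: forwarded to ``gdb.Breakpoint`` (the location spec).
        """
        super().__init__(*args)
        self.silent = True  # suppress GDB's per-hit "Breakpoint N, ..." output
        self.queue = queue
        self.target_hitcount = target_hitcount
        self.hit = 0

    def stop(self):
        """GDB callback on every hit; returns False so execution continues.

        Only the ``target_hitcount``-th hit produces a queue entry; earlier and
        later hits are merely counted.
        """
        self.hit += 1
        if self.hit == self.target_hitcount:
            al = gdb.parse_and_eval("$al")
            dl = gdb.parse_and_eval("$dl")
            self.queue.put(al == dl)
        return False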
class Solvepoint(gdb.Breakpoint):
    """Silent breakpoint that only counts how many times it is reached.

    The driver places it on the success path of the binary and treats a
    non-zero ``hit`` count after a run as the flag having been accepted.
    """

    def __init__(self, *args):
        """Forward *args (the location spec) to ``gdb.Breakpoint``; counter starts at 0."""
        super().__init__(*args)
        self.hit = 0
        self.silent = True  # no per-hit banner from GDB

    def stop(self):
        """Record the hit and let the inferior keep running (False = do not stop)."""
        self.hit = self.hit + 1
        return False
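# Breakpoint addresses below are absolute, so ASLR must be off for them to be valid.
gdb.execute("set disable-randomization on")
gdb.execute("delete")  # start from an empty breakpoint table
# Success path of the binary: reaching it means the whole flag was accepted.
sp = Solvepoint("*0x56555a71")
queue = Queue()
flag = ""
# Letters, digits and "{}_" only: the guess is spliced into a shell here-string
# below, so the alphabet must not contain shell metacharacters.
ALPHABET = string.ascii_letters + string.digits + "{}_"

# Extend the flag one character at a time.  Each candidate gets a fresh
# Checkpoint whose target hit count is the position being guessed, so the
# queued result is the byte-compare for exactly that character.  Stop as soon
# as the success path has been reached or the flag hits its size bound.
while len(flag) < MAX_FLAG_LEN and sp.hit == 0:
    for c in ALPHABET:
        bp = Checkpoint(queue, len(flag) + 1, '*0x5655598e')
        gdb.execute("run <<< {}{}".format(flag, c))
        try:
            result = queue.get(timeout = 1)
        except Empty:
            # stop() never reported for this position: the compare was not
            # reached, so there is nothing sensible to continue from.
            print("Error: Empty queue!")
            gdb.execute("q")
            result = False  # only reached if quitting did not end the session
        finally:
            bp.delete()  # always drop the per-guess breakpoint, not only on a match
        if result:
            flag += c
            print("\n\n{}\n\n".format(flag))
            break
    else:
        # No candidate matched.  Runs are deterministic (ASLR off, same input),
        # so retrying the same prefix cannot make progress; give up here.
        break
if sp.hit > 0:
    print("Found flag: {}".format(flag))
gdb.execute("q")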
This is where the Solvepoint is being set
I don't have the Binja paid version 😢
The script is done!
This post is licensed under CC BY 4.0 by the author.