# Riyadh
- Start gdb, `break` at `main`, `run` with some random flag, and `disas main`.
- First of all, function `_Z4Msg1Pc` is called, after which there's a `puts`. Disassembling and observing it (too complex) doesn't help much. Break after the function returns and read the string it built:
  ```gdb
  (gdb) b *main+43
  Breakpoint 2 at 0x55555555512b
  (gdb) c
  Continuing.

  Breakpoint 2, 0x000055555555512b in main ()
  (gdb) x/s $rbp
  0x5555555581c0: "Welcome to CTFlearn Riyadh Reversing Challenge!"
  ```
- Function `_Z18CTFLearnHiddenFlagv` doesn't do anything:
  ```gdb
  (gdb) disas _Z18CTFLearnHiddenFlagv
  Dump of assembler code for function _Z18CTFLearnHiddenFlagv:
     0x0000555555555d20 <+0>:     endbr64
     0x0000555555555d24 <+4>:     ret
  End of assembler dump.
  ```
- Doing point 2 above with `_Z4Msg3Pc`:
  ```gdb
  (gdb) b *main+90
  Breakpoint 5 at 0x55555555515a
  (gdb) c
  Continuing.

  Breakpoint 5, 0x000055555555515a in main ()
  (gdb) x/s $rbp
  0x5555555581c0: "CTFlearn{Reversing_Is_Easy}"
  ```
  Submitting this shows it isn't the actual flag :cry:\
  The `strcmp` after this `_Z4Msg3Pc` presumably jumps to the code that prints "You found the false flag! It's not that easy dude!", so running with some other flag bypasses that branch.
- To reach `_Z4Msg5Pc`, we have to pass the `strlen` test:
  ```gdb
  (gdb) b main+117
  Breakpoint 9 at 0x555555555175
  (gdb) b main+151
  Breakpoint 10 at 0x555555555197
  (gdb) c
  Continuing.

  Breakpoint 9, 0x0000555555555175 in main ()
  (gdb) set $rax=0x1e
  (gdb) c
  Continuing.

  Breakpoint 10, 0x0000555555555197 in main ()
  (gdb) x/s $rbp
  0x55555556b6c0: "CTFlearn{Masmak_Fortress_1865}"
  ```
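The whole session above can be replayed non-interactively with a gdb command script. This is an added example, not part of the writeup: the offsets `main+43/+90/+117/+151` and the value `0x1e` come from the session above, while the binary name `riyadh`, the script name `riyadh.gdb`, the argument `AAAA`, and the assumption that `$rax` holds `strlen`'s return value at `main+117` are mine.

```gdb
# riyadh.gdb (constructed example): replays the breakpoints from the writeup.
# Usage:  gdb -q -x riyadh.gdb ./riyadh
set pagination off

# After _Z4Msg1Pc returns: the message it built is at the address in $rbp.
break *main+43
commands
  silent
  printf "after Msg1:  %s\n", (char *)$rbp
  continue
end

# After _Z4Msg3Pc returns: the decoy string that strcmp is compared against.
break *main+90
commands
  silent
  printf "after Msg3:  %s  (false flag)\n", (char *)$rbp
  continue
end

# At the strlen check: overwrite the length with the value the comparison
# expects.  0x1e = 30, which is exactly strlen("CTFlearn{Masmak_Fortress_1865}"),
# so the test is checking for an argument of the real flag's length.
break *main+117
commands
  silent
  printf "strlen returned %d, forcing 0x1e\n", (int)$rax
  set $rax = 0x1e
  continue
end

# After _Z4Msg5Pc returns: the real flag.
break *main+151
commands
  silent
  printf "after Msg5:  %s\n", (char *)$rbp
  continue
end

# The argument value is irrelevant once $rax is patched; any string works.
run AAAA
```

Because `commands ... continue ... end` resumes after each stop, the script prints all four strings in one run instead of requiring manual `c` and `x/s` at every breakpoint.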