Sunday, June 23, 2013

DEFCON 21 CTF Write Up: gnireengine 1

gnireengine 1: policebox

In this problem, we got two files: an executable named policebox and a core dump of policebox.
Examining the core dump, we found that it was generated only a few instructions after entering the main function. Since we needed information about the calls to getchar(), there seemed to be no clue to continue from.
We then used readelf to check what is inside the core file.
We noticed a section named precord, which indicates that the core dump contains a program execution record logged by gdb's Process Record feature.
So we first replayed this record with gdb and disassembled the program. The getchar() function is located at 0x08048690, where we can set a breakpoint later.
After setting the breakpoint, we continued the replay. The program then halts in getchar(), and we can print the value of eax, which is the user's input.
Collecting all the input values reveals the key.
The key is: w0rlds.w0rst.k3yl0gger!
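To make the replay step repeatable, here is an added example (not code from the original write-up) that generates a gdb batch script for the procedure above and then parses the logged getchar() values back into the typed string. It assumes gdb's `record restore` reloads the precord log from the core, that `finish` is usable in replay mode so eax holds getchar()'s return value, and the sample gdb output below is constructed, not captured from the challenge.

```python
import re

GETCHAR_ADDR = 0x08048690  # getchar() address from the write-up


def gdb_replay_script(core_path="core", getchar_addr=GETCHAR_ADDR, max_chars=64):
    """Return a gdb command script that reloads the Process Record log stored in
    the core's precord section (`record restore`), then repeatedly runs the
    replay to the next getchar() call, steps out of it with `finish` so eax
    holds the returned character, and logs it. A gdb `while` loop is used
    instead of breakpoint `commands`, because gdb ignores commands listed
    after one that resumes execution. Once the log is exhausted gdb raises an
    error, which ends the script."""
    return "\n".join([
        f"record restore {core_path}",
        f"break *{getchar_addr:#x}",
        "set $i = 0",
        f"while $i < {max_chars}",
        "  continue",
        "  finish",
        '  printf "CHAR %d\\n", $eax',
        "  set $i = $i + 1",
        "end",
        "quit",
    ])


CHAR_LINE = re.compile(r"^CHAR (-?\d+)$")


def recover_key(gdb_output):
    """Collect the logged getchar() values in replay order and turn them into
    the typed string. Stops at EOF (-1) or a newline, where the program would
    have stopped reading the key."""
    key = []
    for line in gdb_output.splitlines():
        m = CHAR_LINE.match(line.strip())
        if not m:
            continue  # gdb's own chatter (breakpoint hits, "Run till exit")
        value = int(m.group(1))
        if value == -1 or value == ord("\n"):
            break
        key.append(chr(value & 0xFF))
    return "".join(key)


# Constructed sample of what the script would print while replaying the typed
# key (hypothetical frame name); not real gdb output from the challenge.
SAMPLE_OUTPUT = "\n".join(
    ["Breakpoint 1 at 0x8048690", "Run till exit from #0  0x08048690 in getchar@plt ()"]
    + [f"CHAR {ord(c)}" for c in "w0rlds.w0rst.k3yl0gger!\n"]
    + ["CHAR -1", "No more reverse-execution history."]
)

if __name__ == "__main__":
    print(gdb_replay_script())
    print("key:", recover_key(SAMPLE_OUTPUT))
```

Run the generated script with `gdb -batch -x script.gdb ./policebox` and feed its output to recover_key().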

reference
