In the RE challenge of SharifCTF 2016 we are given an ELF binary named getit, with the following information:

root@kali:~/Desktop/SU CTF/RE# file getit
getit: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), 
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, 
for GNU/Linux 2.6.24, 
BuildID[sha1]=e389cd7a4b9272ba80f85d7eb604176f6106c61e, not stripped

Proof Of Concept

I used gdb to debug it.

root@kali:~/Desktop/SU CTF/RE# gdb -q getit
Reading symbols from getit...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disass main
Dump of assembler code for function main:

--- snip ---  
   0x000000000040080d <+183>:	call   0x400620 <fprintf@plt>
   0x0000000000400812 <+188>:	mov    DWORD PTR [rbp-0x3c],0x0
   0x0000000000400819 <+195>:	mov    eax,DWORD PTR [rbp-0x3c]
   0x000000000040081c <+198>:	movsxd rbx,eax
   0x000000000040081f <+201>:	mov    edi,0x6010e0
   0x0000000000400824 <+206>:	call   0x4005e0 <strlen@plt>
   0x0000000000400829 <+211>:	cmp    rbx,rax
   0x000000000040082c <+214>:	jae    0x4008b5 <main+351>
--- snip ---  

The interesting part is at 0x000000000040081f (+201), where a fixed address, 0x6010e0, is loaded into edi as the first argument of the strlen call that follows. The surrounding code is a loop: the counter at [rbp-0x3c] is sign-extended into rbx and compared against the value strlen returns in rax, so the length of whatever lives at 0x6010e0 bounds the loop.

To see what that address points to, I set a breakpoint at 0x0000000000400824 (+206), the strlen call, and dumped the string at $rdi (a 32-bit mov into edi zero-extends into rdi, so the full register holds the same pointer):

(gdb) b *0x0000000000400824
Breakpoint 1 at 0x400824
(gdb) r
Starting program: /root/Desktop/SU CTF/RE/getit 

Breakpoint 1, 0x0000000000400824 in main ()
(gdb) x/s $rdi
0x6010e0 <t>:	"SharifCTF{b70c59275fcfa8aebf2d5911223c6589}"

Flag: SharifCTF{b70c59275fcfa8aebf2d5911223c6589}
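The gdb output labels the address as `<t>`, so the flag is a plain C string in a global named `t` in the data segment of an unstripped binary. That means it can be recovered without running the program at all (`x/s &t` in gdb works before `run`, and so does a symbol-table walk over the file). The script below is an added example, not part of the original writeup: it looks a symbol up in `.symtab`, maps its virtual address to a file offset through the section headers, and reads up to the NUL. Only the symbol name `t` and the address 0x6010e0 are taken from the gdb session; the ELF64 stub produced by `build_fake_elf()` is constructed here so the script runs offline, and it is not loadable (no program headers).

```python
"""Recover a C string from an unstripped ELF64 binary by symbol name, statically.

Added example: walks .symtab to find the symbol, maps its virtual address to a
file offset through the section headers and reads up to the NUL terminator.
Only the symbol name `t` and the address 0x6010e0 come from the writeup; the
ELF stub built by build_fake_elf() is constructed here so the script runs offline.
"""
import struct
import sys

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym, 24 bytes
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB, SHT_NOBITS = 1, 2, 3, 8

FLAG = b"SharifCTF{b70c59275fcfa8aebf2d5911223c6589}"  # value seen in the gdb session


def _cstr(buf, off):
    """Bytes from off up to (not including) the first NUL."""
    return buf[off:buf.index(b"\x00", off)]


def parse_sections(elf):
    """Section headers as dicts, with names resolved through .shstrtab."""
    hdr = EHDR.unpack_from(elf, 0)
    ident = hdr[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    names_off = raw[shstrndx][4]            # file offset of .shstrtab
    return [
        {"name": _cstr(elf, names_off + s[0]).decode(), "type": s[1],
         "addr": s[3], "offset": s[4], "size": s[5], "link": s[6]}
        for s in raw
    ]


def find_symbol(elf, sections, wanted):
    """Return (st_value, st_size) of the first symbol called `wanted` in any SHT_SYMTAB."""
    for sec in sections:
        if sec["type"] != SHT_SYMTAB:
            continue
        strtab = sections[sec["link"]]      # sh_link of a symtab is its string table
        for i in range(sec["size"] // SYM.size):
            name_off, _info, _other, _shndx, value, size = SYM.unpack_from(
                elf, sec["offset"] + i * SYM.size)
            if _cstr(elf, strtab["offset"] + name_off) == wanted.encode():
                return value, size
    raise KeyError(f"symbol {wanted!r} not found (binary stripped?)")


def vaddr_to_offset(sections, vaddr):
    """Map a virtual address to a file offset via the section that contains it."""
    for sec in sections:
        if sec["type"] == SHT_NOBITS or sec["addr"] == 0:
            continue                        # .bss and non-loaded sections have no file bytes
        if sec["addr"] <= vaddr < sec["addr"] + sec["size"]:
            return sec["offset"] + (vaddr - sec["addr"])
    raise ValueError(f"{vaddr:#x} is not backed by file contents")


def read_symbol_string(elf, name):
    sections = parse_sections(elf)
    value, _size = find_symbol(elf, sections, name)
    return _cstr(elf, vaddr_to_offset(sections, value)).decode()


def build_fake_elf(flag=FLAG, vaddr=0x6010E0, sym=b"t"):
    """Constructed ELF64 stub: .data holding `flag`, plus .symtab/.strtab naming it `sym`.
    Not loadable (no program headers); it only exercises the section/symbol walk."""
    data = flag + b"\x00"
    data += b"\x00" * (-len(data) % 8)      # pad so .symtab stays 8-byte aligned
    symtab = SYM.pack(0, 0, 0, 0, 0, 0) + SYM.pack(1, 0x11, 0, 1, vaddr, len(flag) + 1)
    strtab = b"\x00" + sym + b"\x00"
    shstrtab = b"\x00.data\x00.symtab\x00.strtab\x00.shstrtab\x00"   # name offsets 1,7,15,23
    data_off = EHDR.size
    symtab_off = data_off + len(data)
    strtab_off = symtab_off + len(symtab)
    shstrtab_off = strtab_off + len(strtab)
    shoff = shstrtab_off + len(shstrtab)
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(1, SHT_PROGBITS, 3, vaddr, data_off, len(data), 0, 0, 8, 0),
        SHDR.pack(7, SHT_SYMTAB, 0, 0, symtab_off, len(symtab), 3, 1, 8, SYM.size),
        SHDR.pack(15, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0),
        SHDR.pack(23, SHT_STRTAB, 0, 0, shstrtab_off, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, SysV
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0x400000, 0, shoff, 0,
                     EHDR.size, 0, 0, SHDR.size, len(shdrs), 4)
    return ehdr + data + symtab + strtab + shstrtab + b"".join(shdrs)


if __name__ == "__main__":
    # usage: python3 symread.py ./getit t   (no arguments: use the constructed stub)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(read_symbol_string(blob, sys.argv[2]))
    else:
        print(read_symbol_string(build_fake_elf(), "t"))
```

Run it as `python3 symread.py ./getit t` against the real binary. If the binary had been stripped, `find_symbol` would fail, but the address 0x6010e0 taken from the disassembly can be passed straight to `vaddr_to_offset`, which is exactly the static counterpart of what the breakpoint did at runtime.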