@ovkulkarni
Last active May 15, 2016 14:04

Sorcery

What is this magic? My file is here, but where are my hardcoded strings?

Solution

We are given a 64-bit x86_64 Mach-O executable, i.e. a binary that runs on Mac OS X.

First, we can run strings on the file to list any string literals compiled into it. This gives no output, so the flag is not stored as a literal anywhere in the binary and must be assembled at runtime, most likely on the stack inside main.

Next, we can decompile the executable with the tool linked in the hint, which is how we find the address at which main returns. Then we run sorcery under gdb (on OS X gdb must run as root or be code-signed to attach to a process, hence the sudo):

  1. Set a breakpoint at the end of main (break *0x10000250b), after the flag has been built but before the frame is torn down
  2. Dump the region below the frame pointer as C strings with x/2400s $rbp-0x900
  3. Look for the flag in the dump
$ sudo gdb sorcery
GNU gdb (GDB) 7.10.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin15.2.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sorcery...(no debugging symbols found)...done.
(gdb) break *0x10000250b
Breakpoint 1 at 0x10000250b
(gdb) run
Starting program: /Users/okulkarni/ctfs/pactf/binary/sorcery

Breakpoint 1, 0x000000010000250b in main ()
(gdb) x/2400s $rbp-0x900
0x7fff5fbff4f5:	""
0x7fff5fbff4f6:	""
0x7fff5fbff4f7:	""
0x7fff5fbff4f8:	"\030{1_dun_ducke"
0x7fff5fbff506:	""
0x7fff5fbff507:	""
0x7fff5fbff508:	""
0x7fff5fbff509:	""
0x7fff5fbff50a:	""
0x7fff5fbff50b:	""
0x7fff5fbff50c:	""
0x7fff5fbff50d:	""
0x7fff5fbff50e:	""
0x7fff5fbff50f:	""
0x7fff5fbff510:	"\032{1_dun_ducked"
0x7fff5fbff51f:	""
0x7fff5fbff520:	""
0x7fff5fbff521:	""
0x7fff5fbff522:	""
0x7fff5fbff523:	""
0x7fff5fbff524:	""
0x7fff5fbff525:	""
0x7fff5fbff526:	""
0x7fff5fbff527:	""
0x7fff5fbff528:	"\034{1_dun_ducked_"
0x7fff5fbff538:	""
0x7fff5fbff539:	""
0x7fff5fbff53a:	""
0x7fff5fbff53b:	""
0x7fff5fbff53c:	""
0x7fff5fbff53d:	""
0x7fff5fbff53e:	""
0x7fff5fbff53f:	""
0x7fff5fbff540:	"\036{1_dun_ducked_u"
0x7fff5fbff551:	""
0x7fff5fbff552:	""
0x7fff5fbff553:	""
0x7fff5fbff554:	""
---Type <return> to continue, or q <return> to quit---
0x7fff5fbff555:	""
0x7fff5fbff556:	""
0x7fff5fbff557:	""
0x7fff5fbff558:	" {1_dun_ducked_up"
0x7fff5fbff56a:	""
0x7fff5fbff56b:	""
0x7fff5fbff56c:	""
0x7fff5fbff56d:	""
0x7fff5fbff56e:	""
0x7fff5fbff56f:	""
0x7fff5fbff570:	"\"{1_dun_ducked_up!"
0x7fff5fbff583:	""
0x7fff5fbff584:	""
0x7fff5fbff585:	""
0x7fff5fbff586:	""
0x7fff5fbff587:	""
0x7fff5fbff588:	"${1_dun_ducked_up!}"
0x7fff5fbff59c:	""
0x7fff5fbff59d:	""
0x7fff5fbff59e:	""
0x7fff5fbff59f:	""
0x7fff5fbff5a0:	""
0x7fff5fbff5a1:	""
0x7fff5fbff5a2:	""
0x7fff5fbff5a3:	""
0x7fff5fbff5a4:	""
0x7fff5fbff5a5:	"}!pu_dekcud_nud_1{-_fa4738294}05935261polikujmy{hgntbrvdfecwxaszq!{\001"
0x7fff5fbff5ea:	""
0x7fff5fbff5eb:	""
0x7fff5fbff5ec:	""
0x7fff5fbff5ed:	""
0x7fff5fbff5ee:	""
0x7fff5fbff5ef:	""
0x7fff5fbff5f0:	"\360\363\277_\377\177"
0x7fff5fbff5f7:	""
0x7fff5fbff5f8:	""
0x7fff5fbff5f9:	""
0x7fff5fbff5fa:	""
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)

We can see the flag at 0x7fff5fbff588: "${1_dun_ducked_up!}". One caveat: the leading byte of each of these hits ("\030", "\032", "\034", "\036", " ", "\"", "$") grows by 2 each time one character is appended, and the hits are exactly 24 bytes apart. They are libc++ std::string objects in short-string mode, where the first byte of the object holds the length shifted left by one (0x24 = 18 << 1) and the characters follow it. The "$" is therefore the size field, not a flag character; the string the program builds is {1_dun_ducked_up!}, and the reversed scratch copy at 0x7fff5fbff5a5 ("}!pu_dekcud_nud_1{...") confirms there is no "$" in it.
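The x/2400s sweep above works, but it is slow to read and the libc++ size byte is easy to mistake for part of the flag. The following Python scanner, an added example that is not part of the original writeup, does the same search offline on a raw dump of the region (saved from gdb with dump binary memory stack.bin $rbp-0x900 $rbp) and generalizes it: a strings-style sweep for printable runs, a second pass that recognizes libc++ short-mode std::string objects by their size<<1 byte, and a candidate filter that also tries each run reversed so the "}!pu_dekcud_nud_1{" copy is caught too. The sample dump is constructed by hand to mimic the session above (seven string objects at a 24-byte stride, the reversed scratch buffer, a saved pointer); the names and the {...} flag pattern are assumptions for the example.

```python
"""Offline scan of a raw stack dump for flag candidates (added example).

Assumes the region was saved with gdb's `dump binary memory` command, e.g.
    (gdb) dump binary memory stack.bin $rbp-0x900 $rbp
Run as `python scan_stack.py stack.bin`; with no argument it scans a sample
dump constructed below to mimic the writeup's gdb session.
"""
import re
import string
import sys

# Printable ASCII minus the whitespace controls; a space is still "text".
PRINTABLE = frozenset(bytes(string.printable, "ascii")) - frozenset(b"\t\n\r\x0b\x0c")
# Assumed flag shape for this challenge: something in braces, no whitespace.
FLAG_RE = re.compile(r"\{[^{}\s]{4,}\}")

# libc++ on x86_64: a std::string object is 24 bytes; in short mode byte 0
# holds size << 1 (low bit clear) and bytes 1..23 hold up to 22 chars + NUL.
LIBCXX_STRING_SIZE = 24
LIBCXX_SSO_MAX = 22
FLAG_TEXT = "{1_dun_ducked_up!}"  # the string the program builds (from the dump)


def find_printable_runs(blob: bytes, min_len: int = 4):
    """`strings`-style sweep: (offset, text) for every run of >= min_len printable bytes."""
    runs, start = [], None
    for i, b in enumerate(blob + b"\x00"):  # NUL sentinel closes a trailing run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, blob[start:i].decode("ascii")))
            start = None
    return runs


def find_libcxx_short_strings(blob: bytes, min_len: int = 4):
    """(offset, text) for every byte sequence laid out like a libc++ short string."""
    hits = []
    for off in range(len(blob) - 1):
        b0 = blob[off]
        size = b0 >> 1
        if b0 & 1 or size < min_len or size > LIBCXX_SSO_MAX:
            continue  # long-mode flag set, or not a plausible short size
        body = blob[off + 1:off + 1 + size]
        if len(body) != size or not all(c in PRINTABLE for c in body):
            continue
        end = off + 1 + size
        if end < len(blob) and blob[end] != 0:  # short strings are NUL-terminated
            continue
        hits.append((off, body.decode("ascii")))
    return hits


def flag_candidates(blob: bytes):
    """Unique {...} tokens in the dump, read forwards or reversed, in offset order."""
    found = []
    for _, text in find_printable_runs(blob):
        for candidate in (text, text[::-1]):
            for m in FLAG_RE.finditer(candidate):
                if m.group(0) not in found:
                    found.append(m.group(0))
    return found


def libcxx_short_string(s: str) -> bytes:
    """Lay out `s` as a libc++ short-mode std::string object: size<<1, chars, NUL padding."""
    raw = s.encode("ascii")
    assert len(raw) <= LIBCXX_SSO_MAX
    return bytes([len(raw) << 1]) + raw + b"\x00" * (LIBCXX_STRING_SIZE - 1 - len(raw))


def build_sample_dump() -> bytes:
    """Constructed stand-in for stack.bin, shaped like the x/2400s output in the writeup."""
    blob = b"\x00" * 8
    for n in range(12, len(FLAG_TEXT) + 1):  # 12..18 chars, one object per iteration
        blob += libcxx_short_string(FLAG_TEXT[:n])
    blob += b"\x00" * 16
    # Reversed scratch copy as it appears at 0x7fff5fbff5a5 in the gdb session.
    blob += b"}!pu_dekcud_nud_1{-_fa4738294}05935261polikujmy{hgntbrvdfecwxaszq!{\x01"
    blob += b"\x00" * 5
    blob += b"\xf0\xf3\xbf\x5f\xff\x7f\x00\x00"  # a saved stack pointer, not text
    return blob


def main(path=None):
    blob = open(path, "rb").read() if path else build_sample_dump()
    for off, text in find_libcxx_short_strings(blob):
        print(f"{off:#06x} libc++ string ({len(text):2d} chars): {text!r}")
    print("flag candidates:", flag_candidates(blob))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

On the sample dump the plain printable-run sweep reports "${1_dun_ducked_up!}" (size byte included, exactly as gdb showed it), while the libc++ pass reports seven objects 24 bytes apart growing from 12 to 18 characters, and the candidate list puts {1_dun_ducked_up!} first; the two shorter {...} tokens that follow come from the scratch buffer and are easy to reject by eye.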

Flag

{1_dun_ducked_up!}
