No comment... again...

writeup.txt

# No comment... again...

Playing around with gdb attached to the binary running under wine on Linux, we
search for some of the strings that are printed when running the binary. Near
those, we find a string that looks much like ascii art and ends with a '}', so
this must be the flag. Unfortunately, the string only contains the last few
characters, the start seems to have been overwritten. It appears like the
string has been freed, and the front parts reclaimed by the heap allocator.

Switching to Windows, we set a conditional breakpoint on msvcrt!free which
triggers if the freed chunk contains 4 consecutive '-' (0x2d2d2d2d) with the
following command:

    bp msvcrt!free "j (poi(poi(@esp+4)+16)==0x2d2d2d2d) ''; 'gc'"

Once this breakpoint triggers, we can inspect the freed buffer. Unfortunately,
it doesn't contain the (whole) flag. However, we can search memory again for
ascii art sequences using

    s -a 0 L?80000000 "----------------"

This time it finds multiple matches, most of them in one large contigous
region.  Since windbg doesn't seem capable of printing c strings (without
inserting line breaks), we dump the data to a file:

    .writemem C:\Users\xxx\Desktop\flag.txt start_addr start_addr + 0x100000

flag.txt now contains

#|----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |  _________   | | |   _____      | | |      __      | | |    ______    | |
#| | |_   ___  |  | | |  |_   _|     | | |     /  \     | | |  .' ___  |   | |
#| |   | |_  \_|  | | |    | |       | | |    / /\ \    | | | / .'   \_|   | |
#| |   |  _|      | | |    | |   _   | | |   / ____ \   | | | | |    ____  | |
#| |  _| |_       | | |   _| |__/ |  | | | _/ /    \ \_ | | | \ `.___]  _| | |
#| | |_____|      | | |  |________|  | | ||____|  |____|| | |  `._____.'   | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |       __     | | |     ____     | | |    ______    | | |     ____     | |
#| |     .' _/    | | |   .'    '.   | | |  .' ____ '.  | | |   .' __ '.   | |
#| |     | |      | | |  |  .--.  |  | | |  | (____) |  | | |   | (__) |   | |
#| |    < <       | | |  | |    | |  | | |  '_.____. |  | | |   .`____'.   | |
#| |     | |_     | | |  |  `--'  |  | | |  | \____| |  | | |  | (____) |  | |
#| |     `.__\    | | |   '.____.'   | | |   \______,'  | | |  `.______.'  | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |   ______     | | |     ____     | | |   _    _     | | |   _______    | |
#| |  |_   _ \    | | |   .'    '.   | | |  | |  | |    | | |  |  ___  |   | |
#| |    | |_) |   | | |  |  .--.  |  | | |  | |__| |_   | | |  |_/  / /    | |
#| |    |  __'.   | | |  | |    | |  | | |  |____   _|  | | |      / /     | |
#| |   _| |__) |  | | |  |  `--'  |  | | |      _| |_   | | |     / /      | |
#| |  |_______/   | | |   '.____.'   | | |     |_____|  | | |    /_/       | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |      __      | | |      __      | | |     __       | | |    ______    | |
#| |     /  \     | | |     /  \     | | |    /  |      | | |  .' ____ '.  | |
#| |    / /\ \    | | |    / /\ \    | | |    `| |      | | |  | (____) |  | |
#| |   / ____ \   | | |   / ____ \   | | |     | |      | | |  '_.____. |  | |
#| | _/ /    \ \_ | | | _/ /    \ \_ | | |    _| |_     | | |  | \____| |  | |
#| ||____|  |____|| | ||____|  |____|| | |   |_____|    | | |   \______,'  | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |    ______    | | |   _______    | | |   _______    | | |     ______   | |
#| |   / ____ `.  | | |  |  ___  |   | | |  |  _____|   | | |   .' ___  |  | |
#| |   `'  __) |  | | |  |_/  / /    | | |  | |____     | | |  / .'   \_|  | |
#| |   _  |__ '.  | | |      / /     | | |  '_.____''.  | | |  | |         | |
#| |  | \____) |  | | |     / /      | | |  | \____) |  | | |  \ `.___.'\  | |
#| |   \______.'  | | |    /_/       | | |   \______.'  | | |   `._____.'  | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |     ______   | | |   _______    | | |     ____     | | |      __      | |
#| |   .' ___  |  | | |  |  ___  |   | | |   .'    '.   | | |     /  \     | |
#| |  / .'   \_|  | | |  |_/  / /    | | |  |  .--.  |  | | |    / /\ \    | |
#| |  | |         | | |      / /     | | |  | |    | |  | | |   / ____ \   | |
#| |  \ `.___.'\  | | |     / /      | | |  |  `--'  |  | | | _/ /    \ \_ | |
#| |   `._____.'  | | |    /_/       | | |   '.____.'   | | ||____|  |____|| |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |  _________   | | |     __       | | |     ______   | | |   _    _     | |
#| | |_   ___  |  | | |    /  |      | | |   .' ___  |  | | |  | |  | |    | |
#| |   | |_  \_|  | | |    `| |      | | |  / .'   \_|  | | |  | |__| |_   | |
#| |   |  _|  _   | | |     | |      | | |  | |         | | |  |____   _|  | |
#| |  _| |___/ |  | | |    _| |_     | | |  \ `.___.'\  | | |      _| |_   | |
#| | |_________|  | | |   |_____|    | | |   `._____.'  | | |     |_____|  | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |     ____     | | |      __      | | |     ____     | | |    ______    | |
#| |   .' __ '.   | | |     /  \     | | |   .'    '.   | | |   / ____ `.  | |
#| |   | (__) |   | | |    / /\ \    | | |  |  .--.  |  | | |   `'  __) |  | |
#| |   .`____'.   | | |   / ____ \   | | |  | |    | |  | | |   _  |__ '.  | |
#| |  | (____) |  | | | _/ /    \ \_ | | |  |  `--'  |  | | |  | \____) |  | |
#| |  `.______.'  | | ||____|  |____|| | |   '.____.'   | | |   \______.'  | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------. .----------------. .----------------.
#| .--------------. | .--------------. | .--------------. | .--------------. |
#| |      __      | | |  ________    | | |    _____     | | |     ______   | |
#| |     /  \     | | | |_   ___ `.  | | |   / ___ `.   | | |   .' ___  |  | |
#| |    / /\ \    | | |   | |   `. \ | | |  |_/___) |   | | |  / .'   \_|  | |
#| |   / ____ \   | | |   | |    | | | | |   .'____.'   | | |  | |         | |
#| | _/ /    \ \_ | | |  _| |___.' / | | |  / /____     | | |  \ `.___.'\  | |
#| ||____|  |____|| | | |________.'  | | |  |_______|   | | |   `._____.'  | |
#| |              | | |              | | |              | | |              | |
#| '--------------' | '--------------' | '--------------' | '--------------' |
# '----------------' '----------------' '----------------' '----------------'
# .----------------. .----------------.
#| .--------------. | .--------------. |
#| |    ______    | | |     __       | |
#| |  .' ____ \   | | |    \_ `.     | |
#| |  | |____\_|  | | |      | |     | |
#| |  | '____`'.  | | |       > >    | |
#| |  | (____) |  | | |     _| |     | |
#| |  '.______.'  | | |    /__.'     | |
#| |              | | |              | |
#| '--------------' | '--------------' |
# '----------------' '----------------'