Hacking Series Part 7

Challenge: Forky

97108
Jan 30, 2021


Category: reverse engineering

We are given a binary named “vuln” and told to find the last integer value passed to the function doNothing; this number serves as the flag. The first thing I did was open vuln in IDA, where I saw that the program was very small, with only two main areas to pay attention to. The first area is four function calls to _fork, and the second is the doNothing function mentioned before.

Given that context, I assumed that “last integer value” meant the last integer passed to doNothing in the last fork. To find it, I made the binary executable and opened it in gdb. I then added a breakpoint at the address of fork with the command b fork@plt.

Since the function is called four times in the program, I used continue until I reached the last call to fork. In order to view the integer that is in the last fork, we have to attach to the child process it spawns so that we can continue running only that process until we reach doNothing.

Now we need to add another breakpoint somewhere in or around doNothing to see the integer sent as a parameter. First, we need to determine exactly how many parameters this function takes in the first place. Looking at the IDA view of this function, it seems like it takes only one parameter, called arg_0.

Since there is only one argument, the integer we need must be stored there. In the image above, there is a line that makes it really easy to find the integer:

mov      eax, [ebp+arg_0]

We know for sure that after this line, the integer passed to doNothing will be stored in eax. So, after this line is an ideal place to add another breakpoint in gdb. To do this, I first looked at the equivalent assembly of doNothing in gdb.

The ideal place to add a breakpoint is at address 0x56555560, since it comes after the mov instruction to eax. I set the breakpoint in gdb using the command b *0x56555560, then continued execution. As expected, the program hit the breakpoint, so the only thing to do now is look inside eax.

The address of the integer is what is truly stored in eax, but the integer that it holds is shown right beside it. The last integer value passed to doNothing is -721750240.

picoCTF{-721750240}
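
The gdb steps described above, collected into one command file as an added example (not part of the original write-up). The file name forky.gdb is hypothetical, and using set follow-fork-mode child to switch to the child process is an assumption, since the post does not name the command it used.

```gdb
# forky.gdb (hypothetical file name); run with: gdb -q -x forky.gdb ./vuln
# gdb disables ASLR for the debuggee by default, which is why the
# post's address 0x56555560 stays the same between runs.
set pagination off

# Stop at every call to fork made through the PLT, as in the post.
break fork@plt
run

# The program calls fork four times. We are stopped at the first call;
# three more continues leave the parent stopped at the fourth call.
continue
continue
continue

# Assumption: this is how "attach to the child" is done. From the next
# fork on, gdb debugs the new child and detaches from the parent.
set follow-fork-mode child
set detach-on-fork on

# Address taken from the post: the instruction after
# mov eax, [ebp+arg_0] inside doNothing.
break *0x56555560
continue

# Confirm where we stopped, then read the register.
x/i $pc
info registers eax
# The same register printed as a signed decimal and as hex.
print/d $eax
print/x $eax
```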
