Merge branch 'main' of https://github.com/gio-del/ODC-Challenges-CTF

writeups/packing/dynamism/.gdb_history

@@ -1,117 +1,3 @@
-start
-ni
-start
-ni
-start
-ni
-start
-start
-ni
-si
-ni
-exit
-start
-ni
-si
-ni
-ni
-si
-ni
-a
-quit
-start
-disass main
-b *0x001011cd
-c
-c
-ni
-start
-start
-exit
-start
-ni
-c
-start
-ni
-si
-ni
-c
-exit
-start
-vmmap
-disass 0x555555555000, +100
-disass 0x555555555000, +200
-disass 0x555555555000, +300
-disass 0x555555555000, +500
-disass 0x555555555000, +500
-disass 0x555555555000, +600
-b *0x00005555555551b7
-c
-start
-c
-exit
-start
-vmmap
-disass 0x555555555000, +600
-b *0x00005555555551b7
-c
-exit
-start
-start
-start
-vmmap
-disass 0x555555555000, +600
-b *0x00005555555551b7
-c
-start
-c
-quit
-vmmap
-start
-vmmap
-disass 0x555555555000,+600
-b *0x555555555560
-c
-exit
-start
-vmmap
-disass 0x555555555000, +100
-disass 0x555555555000, +200
-disass 0x555555555000, +300
-disass 0x555555555000, +400
-b *0x0000555555555160
-c
-ni
-si
-ni
-si
-disass 0x555555555190, +100
-ni
-exit
-start
-vmmap
-disass 0x555555555000, +100
-disass 0x555555555000, +300
-disass 0x555555555000, +400
-b *0x0000555555555160
-c
-ni
-si
-ni
-si
-disass 0x555555555190, +100
-ni
-exit
-start
-vmmap
-disass 0x555555555000, +200
-disass 0x555555555000, +400
-disass 0x555555555000, +450
-b *0x0000555555555190
-c
-ni
-si
-ni
 ni
 ni
 x/30gx 0x7ffff7ffa000
@@ -219,3 +105,152 @@ x/10gx 0x5555555592a0
 x/10s 0x5555555593a0
 disass 0x7ffff7ffa000, +100
 exit
+start
+b *0x555555555190
+c
+ni
+b *0x555555555560
+c
+ni
+x/50gx 0x7ffff7ffa000
+si
+disass 0x7ffff7ffa000, +100
+disass 0x7ffff7ffa000, +120
+disass 0x7ffff7ffa000, +130
+ni
+ni
+si
+ni
+ni
+disass 0x5555555592a0, +100
+x/20gx 0x00005555555592a0
+ni
+si
+ni
+x/30gx 0x7ffff7ffa000
+ni
+ni
+disass 0x7ffff7ffa000, +100
+si
+ni
+x/10gx 0x7fffffffde50
+ni
+ni
+ni
+ni
+x/10gx 0x5555555593a0-0x100
+ni
+x/10gx 0x5555555593a0
+x/10gx 0x5555555592a0
+ni
+si
+ni
+si
+disass 0x7ffff7ffa000, +100
+disass 0x7ffff7ffa000, +50
+disass 0x7ffff7ffa000, +70
+disass 0x7ffff7ffa000, +75
+disass 0x7ffff7ffa000, +70
+ni
+x/20gx 0x5555555592a0
+x/10gx 0x5555555592a0
+x/10gx 0x5555555593a0
+x/10x 0x5555555593a0
+x/10b 0x5555555593a0
+x/50b 0x5555555592a0
+x/72b 0x5555555592a0
+x/73b 0x5555555592a0
+x/72b 0x5555555592a0
+x/72g 0x5555555592a0
+x/72x 0x5555555592a0
+s/72x 0x5555555592a0
+s/72w 0x5555555592a0
+b/72w 0x5555555592a0
+x/72w 0x5555555592a0
+x 0x5555555592a0
+x/72 0x5555555592a0
+x/72b 0x5555555592a0
+x/72xb 0x5555555592a0
+x /72xb 0x5555555592a0
+x /73xb 0x5555555592a0
+exit
+start
+ni
+b *0x555555555190
+c
+ni
+exit
+start
+b *0x555555555190
+c
+ni
+si
+ni
+disass0x555555555000
+disass 0x555555555000, +100
+disass 0x555555555000, +300
+disass 0x555555555000, +400
+ni
+x/10gx 0x5555555596b0
+ni
+x/10gx 0x5555555597b0
+ni
+si
+ni
+disass 0x7ffff7ffa000, +100
+c
+exit
+start
+c
+run aaa
+exit
+run aaa
+start
+exit
+start
+disass 0x555555555260, +100
+disass 0x555555555260, +200
+exit
+b *0x00101574
+start
+c
+exit
+start
+ni
+si
+ni
+si
+ni
+exit
+b *0x555555555190
+c
+stat
+start
+c
+nini
+ni
+exit
+b *0x555555555190
+start aaa
+c
+ni
+si
+ni
+si
+x/30i 0x7ffff7ffa000
+x/30i ni0x7ffff7ffa000
+ni
+exit
+b *0x555555555574
+start aaaa
+c
+ni
+exit
+b *0x555555555574
+start aaaa
+c
+si
+ni
+si
+ni
+ni

writeups/packing/dynamism/writeup_sketch

@@ -31,7 +31,7 @@ The first part of data code
 1. After 0x00 in RDI there will be the heap chunk address (input of code function)
 2. Jump to 0x27
 3. Call 0x05
-4. Pop RSI will put 0x27 (int3 address) into RSI
+4. Pop RSI will put 0x2c (int3 address) into RSI
 5. Then basically a cycle will move 72 byte from 0x27 on into the heap
 
 tl;dr; data is a piece of code to put 72 byte into the heap, this code will be used as a key to xor the flag