# Debugging Refresher
## Level 1:
```
Starting program: /challenge/embryogdb_level1
###
### Welcome to /challenge/embryogdb_level1!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
You are running in gdb! The program is currently paused. This is because it has set its own breakpoint here.
You can use the command `start` to start a program, with a breakpoint set on `main`. You can use the command `starti` to
start a program, with a breakpoint set on `_start`. You can use the command `run` to start a program, with no breakpoint
set. You can use the command `attach <PID>` to attach to some other already running program. You can use the command
`core <PATH>` to analyze the coredump of an already run program.
When starting or running a program, you can specify arguments in almost exactly the same way as you would on your shell.
For example, you can use `start <ARGV1> <ARGV2> <ARGVN> < <STDIN_PATH>`.
Use the command `continue`, or `c` for short, in order to continue program execution.
```
```
(gdb) c
Continuing.
You win! Here is your flag:
pwn.college{0PNg1TMqkfhtWsyoFBM4angmNw6.0FN0IDLwMzN1czW}
```
Just `continue` (`c` for short) and the program prints the flag.
Flag: pwn.college{0PNg1TMqkfhtWsyoFBM4angmNw6.0FN0IDLwMzN1czW}
## Level 2:
```
Starting program: /challenge/embryogdb_level2
###
### Welcome to /challenge/embryogdb_level2!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
You can see the values for all your registers with `info registers`. Alternatively, you can also just print a particular
register's value with the `print` command, or `p` for short. For example, `p $rdi` will print the value of $rdi in
decimal. You can also print it's value in hex with `p/x $rdi`.
In order to solve this level, you must figure out the current random value of register r12 in hex.
The random value has been set!
Program received signal SIGTRAP, Trace/breakpoint trap.
```
```
(gdb) info reg
rax 0x20 32
rbx 0x5839a2c5bcb0 97004567248048
rcx 0x72d63204f297 126264287752855
rdx 0x0 0
rsi 0x72d63212e723 126264288667427
rdi 0x72d63212f7e0 126264288671712
rbp 0x7ffcc05cbb60 0x7ffcc05cbb60
rsp 0x7ffcc05cbb20 0x7ffcc05cbb20
r8 0x20 32
r9 0x2c 44
r10 0x0 0
r11 0x246 582
r12 0xe07606643da2870a -2272621934361278710
r13 0x7ffcc05cbc50 140723535789136
r14 0x0 0
r15 0x0 0
rip 0x5839a2c5bbfd 0x5839a2c5bbfd <main+343>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) c
Continuing.
Random value: 0xe07606643da2870a
You input: e07606643da2870a
The correct answer is: e07606643da2870a
You win! Here is your flag:
pwn.college{IZbcvd_7SDs-EHk7zyANJMaCY97.0VN0IDLwMzN1czW}
[Inferior 1 (process 971) exited normally]
(gdb)
```
Use `info registers` (`info reg` works as an abbreviation, as above) or `p/x $r12` to read r12, then type the hex digits without the `0x` prefix when the program asks, as the transcript shows.
Flag: pwn.college{IZbcvd_7SDs-EHk7zyANJMaCY97.0VN0IDLwMzN1czW}
## Level 3:
```
Starting program: /challenge/embryogdb_level3
###
### Welcome to /challenge/embryogdb_level3!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
You can examine the contents of memory using the `x/<n><u><f> <address>` parameterized command. In this format `<u>` is
the unit size to display, `<f>` is the format to display it in, and `<n>` is the number of elements to display. Valid
unit sizes are `b` (1 byte), `h` (2 bytes), `w` (4 bytes), and `g` (8 bytes). Valid formats are `d` (decimal), `x`
(hexadecimal), `s` (string) and `i` (instruction). The address can be specified using a register name, symbol name, or
absolute address. Additionally, you can supply mathematical expressions when specifying the address.
For example, `x/8i $rip` will print the next 8 instructions from the current instruction pointer. `x/16i main` will
print the first 16 instructions of main. You can also use `disassemble main`, or `disas main` for short, to print all of
the instructions of main. Alternatively, `x/16gx $rsp` will print the first 16 values on the stack. `x/gx $rbp-0x32`
will print the local variable stored there on the stack.
You will probably want to view your instructions using the CORRECT assembly syntax. You can do that with the command
`set disassembly-flavor intel`.
In order to solve this level, you must figure out the random value on the stack (the value read in from `/dev/urandom`).
Think about what the arguments to the read system call are.
Program received signal SIGTRAP, Trace/breakpoint trap.
```
```
(gdb) x/16gx $rsp
0x7fff57116b60: 0x0000000000000002 0x00007fff57116ca8
0x7fff57116b70: 0x00007fff57116c98 0x0000000199c97d10
0x7fff57116b80: 0x0000000000000000 0x00005fb899c972a0
0x7fff57116b90: 0x00007fff57116c90 0x2275d24ad8e27500
0x7fff57116ba0: 0x0000000000000000 0x000078cebed18083
0x7fff57116bb0: 0x000078cebef24620 0x00007fff57116c98
0x7fff57116bc0: 0x0000000100000000 0x00005fb899c97aa6
0x7fff57116bd0: 0x00005fb899c97d10 0x1c82f956f7b6a9a8
(gdb) c
Continuing.
The random value has been set!
Program received signal SIGTRAP, Trace/breakpoint trap.
0x00005fb899c97c64 in main ()
(gdb) x/16gx $rsp
0x7fff57116b60: 0x0000000000000002 0x00007fff57116ca8
0x7fff57116b70: 0x00007fff57116c98 0x0000000199c97d10
0x7fff57116b80: 0x0000000000000000 0x67dc1c829f911d57
0x7fff57116b90: 0x00007fff57116c90 0x2275d24ad8e27500
0x7fff57116ba0: 0x0000000000000000 0x000078cebed18083
0x7fff57116bb0: 0x000078cebef24620 0x00007fff57116c98
0x7fff57116bc0: 0x0000000100000000 0x00005fb899c97aa6
0x7fff57116bd0: 0x00005fb899c97d10 0x1c82f956f7b6a9a8
(gdb) c
Continuing.
Random value: 0x67dc1c829f911d57
You input: 67dc1c829f911d57
The correct answer is: 67dc1c829f911d57
You win! Here is your flag:
pwn.college{kYrx9BM0eDwPkaEPR9sbpsvFlhn.0lN0IDLwMzN1czW}
[Inferior 1 (process 965) exited normally]
(gdb)
```
Use **x/16gx $rsp** to dump the first 16 qwords on the stack, `continue` past the `read` from `/dev/urandom`, and dump again. Exactly one qword changes: the one at `$rsp+0x28` (`0x7fff57116b88` in this run) goes from `0x00005fb899c972a0` to `0x67dc1c829f911d57`. That is the 8-byte buffer `read` filled, so it is the answer.
## Level 4:
```
###
### Welcome to /challenge/embryogdb_level4!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
A critical part of dynamic analysis is getting your program to the state you are interested in analyzing. So far, these
challenges have automatically set breakpoints for you to pause execution at states you may be interested in analyzing.
It is important to be able to do this yourself.
There are a number of ways to move forward in the program's execution. You can use the `stepi <n>` command, or `si <n>`
for short, in order to step forward one instruction. You can use the `nexti <n>` command, or `ni <n>` for short, in
order to step forward one instruction, while stepping over any function calls. The `<n>` parameter is optional, but
allows you to perform multiple steps at once. You can use the `finish` command in order to finish the currently
executing function. You can use the `break *<address>` parameterized command in order to set a breakpoint at the
specified-address. You have already used the `continue` command, which will continue execution until the program hits a
breakpoint.
While stepping through a program, you may find it useful to have some values displayed to you at all times. There are
multiple ways to do this. The simplest way is to use the `display/<n><u><f>` parameterized command, which follows
exactly the same format as the `x/<n><u><f>` parameterized command. For example, `display/8i $rip` will always show you
the next 8 instructions. On the other hand, `display/4gx $rsp` will always show you the first 4 values on the stack.
Another option is to use the `layout regs` command. This will put gdb into its TUI mode and show you the contents of all
of the registers, as well as nearby instructions.
In order to solve this level, you must figure out a series of random values which will be placed on the stack. You are
highly encouraged to try using combinations of `stepi`, `nexti`, `break`, `continue`, and `finish` to make sure you have
a good internal understanding of these commands. The commands are all absolutely critical to navigating a program's
execution.
Program received signal SIGTRAP, Trace/breakpoint trap.
```
```
0x00005bad8fdb5c73 in main ()
(gdb) disass main
Dump of assembler code for function main:
0x00005bad8fdb5aa6 <+0>: endbr64
0x00005bad8fdb5aaa <+4>: push %rbp
0x00005bad8fdb5aab <+5>: mov %rsp,%rbp
0x00005bad8fdb5aae <+8>: sub $0x40,%rsp
0x00005bad8fdb5ab2 <+12>: mov %edi,-0x24(%rbp)
0x00005bad8fdb5ab5 <+15>: mov %rsi,-0x30(%rbp)
0x00005bad8fdb5ab9 <+19>: mov %rdx,-0x38(%rbp)
0x00005bad8fdb5abd <+23>: mov %fs:0x28,%rax
0x00005bad8fdb5ac6 <+32>: mov %rax,-0x8(%rbp)
0x00005bad8fdb5aca <+36>: xor %eax,%eax
0x00005bad8fdb5acc <+38>: cmpl $0x0,-0x24(%rbp)
0x00005bad8fdb5ad0 <+42>: jg 0x5bad8fdb5af1 <main+75>
0x00005bad8fdb5ad2 <+44>: lea 0x1070(%rip),%rcx # 0x5bad8fdb6b49 <__PRETTY_FUNCTION__.5345>
0x00005bad8fdb5ad9 <+51>: mov $0x51,%edx
0x00005bad8fdb5ade <+56>: lea 0x54c(%rip),%rsi # 0x5bad8fdb6031
0x00005bad8fdb5ae5 <+63>: lea 0x6d0(%rip),%rdi # 0x5bad8fdb61bc
0x00005bad8fdb5aec <+70>: callq 0x5bad8fdb51f0 <__assert_fail@plt>
0x00005bad8fdb5af1 <+75>: lea 0x6cd(%rip),%rdi # 0x5bad8fdb61c5
0x00005bad8fdb5af8 <+82>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5afd <+87>: mov -0x30(%rbp),%rax
0x00005bad8fdb5b01 <+91>: mov (%rax),%rax
0x00005bad8fdb5b04 <+94>: mov %rax,%rsi
0x00005bad8fdb5b07 <+97>: lea 0x6bb(%rip),%rdi # 0x5bad8fdb61c9
0x00005bad8fdb5b0e <+104>: mov $0x0,%eax
0x00005bad8fdb5b13 <+109>: callq 0x5bad8fdb51d0 <printf@plt>
0x00005bad8fdb5b18 <+114>: lea 0x6a6(%rip),%rdi # 0x5bad8fdb61c5
0x00005bad8fdb5b1f <+121>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5b24 <+126>: mov $0xa,%edi
0x00005bad8fdb5b29 <+131>: callq 0x5bad8fdb5170 <putchar@plt>
0x00005bad8fdb5b2e <+136>: mov 0x24eb(%rip),%rax # 0x5bad8fdb8020 <stdin@@GLIBC_2.2.5>
--Type <RET> for more, q to quit, c to continue without paging--c
0x00005bad8fdb5b35 <+143>: mov $0x0,%ecx
0x00005bad8fdb5b3a <+148>: mov $0x2,%edx
0x00005bad8fdb5b3f <+153>: mov $0x0,%esi
0x00005bad8fdb5b44 <+158>: mov %rax,%rdi
0x00005bad8fdb5b47 <+161>: callq 0x5bad8fdb5240 <setvbuf@plt>
0x00005bad8fdb5b4c <+166>: mov 0x24bd(%rip),%rax # 0x5bad8fdb8010 <stdout@@GLIBC_2.2.5>
0x00005bad8fdb5b53 <+173>: mov $0x1,%ecx
0x00005bad8fdb5b58 <+178>: mov $0x2,%edx
0x00005bad8fdb5b5d <+183>: mov $0x0,%esi
0x00005bad8fdb5b62 <+188>: mov %rax,%rdi
0x00005bad8fdb5b65 <+191>: callq 0x5bad8fdb5240 <setvbuf@plt>
0x00005bad8fdb5b6a <+196>: lea 0x66f(%rip),%rdi # 0x5bad8fdb61e0
0x00005bad8fdb5b71 <+203>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5b76 <+208>: lea 0x6db(%rip),%rdi # 0x5bad8fdb6258
0x00005bad8fdb5b7d <+215>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5b82 <+220>: lea 0x72f(%rip),%rdi # 0x5bad8fdb62b8
0x00005bad8fdb5b89 <+227>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5b8e <+232>: lea 0x79b(%rip),%rdi # 0x5bad8fdb6330
0x00005bad8fdb5b95 <+239>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5b9a <+244>: lea 0x807(%rip),%rdi # 0x5bad8fdb63a8
0x00005bad8fdb5ba1 <+251>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5ba6 <+256>: lea 0x833(%rip),%rdi # 0x5bad8fdb63e0
0x00005bad8fdb5bad <+263>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5bb2 <+268>: lea 0x89f(%rip),%rdi # 0x5bad8fdb6458
0x00005bad8fdb5bb9 <+275>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5bbe <+280>: lea 0x90b(%rip),%rdi # 0x5bad8fdb64d0
0x00005bad8fdb5bc5 <+287>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5bca <+292>: lea 0x977(%rip),%rdi # 0x5bad8fdb6548
0x00005bad8fdb5bd1 <+299>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5bd6 <+304>: lea 0x9db(%rip),%rdi # 0x5bad8fdb65b8
0x00005bad8fdb5bdd <+311>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5be2 <+316>: lea 0xa47(%rip),%rdi # 0x5bad8fdb6630
0x00005bad8fdb5be9 <+323>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5bee <+328>: lea 0xab3(%rip),%rdi # 0x5bad8fdb66a8
0x00005bad8fdb5bf5 <+335>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5bfa <+340>: lea 0xab7(%rip),%rdi # 0x5bad8fdb66b8
0x00005bad8fdb5c01 <+347>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c06 <+352>: lea 0xb23(%rip),%rdi # 0x5bad8fdb6730
0x00005bad8fdb5c0d <+359>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c12 <+364>: lea 0xb8f(%rip),%rdi # 0x5bad8fdb67a8
0x00005bad8fdb5c19 <+371>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c1e <+376>: lea 0xbfb(%rip),%rdi # 0x5bad8fdb6820
0x00005bad8fdb5c25 <+383>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c2a <+388>: lea 0xc67(%rip),%rdi # 0x5bad8fdb6898
0x00005bad8fdb5c31 <+395>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c36 <+400>: lea 0xcdb(%rip),%rdi # 0x5bad8fdb6918
0x00005bad8fdb5c3d <+407>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c42 <+412>: lea 0xd07(%rip),%rdi # 0x5bad8fdb6950
0x00005bad8fdb5c49 <+419>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c4e <+424>: lea 0xd73(%rip),%rdi # 0x5bad8fdb69c8
0x00005bad8fdb5c55 <+431>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c5a <+436>: lea 0xde7(%rip),%rdi # 0x5bad8fdb6a48
0x00005bad8fdb5c61 <+443>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c66 <+448>: lea 0xe4f(%rip),%rdi # 0x5bad8fdb6abc
0x00005bad8fdb5c6d <+455>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5c72 <+460>: int3
=> 0x00005bad8fdb5c73 <+461>: nop
0x00005bad8fdb5c74 <+462>: movl $0x0,-0x1c(%rbp)
0x00005bad8fdb5c7b <+469>: jmpq 0x5bad8fdb5d2b <main+645>
0x00005bad8fdb5c80 <+474>: mov $0x0,%esi
0x00005bad8fdb5c85 <+479>: lea 0xe3c(%rip),%rdi # 0x5bad8fdb6ac8
0x00005bad8fdb5c8c <+486>: mov $0x0,%eax
0x00005bad8fdb5c91 <+491>: callq 0x5bad8fdb5250 <open@plt>
0x00005bad8fdb5c96 <+496>: mov %eax,%ecx
0x00005bad8fdb5c98 <+498>: lea -0x18(%rbp),%rax
0x00005bad8fdb5c9c <+502>: mov $0x8,%edx
0x00005bad8fdb5ca1 <+507>: mov %rax,%rsi
0x00005bad8fdb5ca4 <+510>: mov %ecx,%edi
0x00005bad8fdb5ca6 <+512>: callq 0x5bad8fdb5210 <read@plt>
0x00005bad8fdb5cab <+517>: lea 0xe26(%rip),%rdi # 0x5bad8fdb6ad8
0x00005bad8fdb5cb2 <+524>: callq 0x5bad8fdb5190 <puts@plt>
0x00005bad8fdb5cb7 <+529>: lea 0xe3a(%rip),%rdi # 0x5bad8fdb6af8
0x00005bad8fdb5cbe <+536>: mov $0x0,%eax
0x00005bad8fdb5cc3 <+541>: callq 0x5bad8fdb51d0 <printf@plt>
0x00005bad8fdb5cc8 <+546>: lea -0x10(%rbp),%rax
0x00005bad8fdb5ccc <+550>: mov %rax,%rsi
0x00005bad8fdb5ccf <+553>: lea 0xe31(%rip),%rdi # 0x5bad8fdb6b07
0x00005bad8fdb5cd6 <+560>: mov $0x0,%eax
0x00005bad8fdb5cdb <+565>: callq 0x5bad8fdb5260 <__isoc99_scanf@plt>
0x00005bad8fdb5ce0 <+570>: mov -0x10(%rbp),%rax
0x00005bad8fdb5ce4 <+574>: mov %rax,%rsi
0x00005bad8fdb5ce7 <+577>: lea 0xe1e(%rip),%rdi # 0x5bad8fdb6b0c
0x00005bad8fdb5cee <+584>: mov $0x0,%eax
0x00005bad8fdb5cf3 <+589>: callq 0x5bad8fdb51d0 <printf@plt>
0x00005bad8fdb5cf8 <+594>: mov -0x18(%rbp),%rax
0x00005bad8fdb5cfc <+598>: mov %rax,%rsi
0x00005bad8fdb5cff <+601>: lea 0xe17(%rip),%rdi # 0x5bad8fdb6b1d
0x00005bad8fdb5d06 <+608>: mov $0x0,%eax
0x00005bad8fdb5d0b <+613>: callq 0x5bad8fdb51d0 <printf@plt>
0x00005bad8fdb5d10 <+618>: mov -0x10(%rbp),%rdx
0x00005bad8fdb5d14 <+622>: mov -0x18(%rbp),%rax
0x00005bad8fdb5d18 <+626>: cmp %rax,%rdx
0x00005bad8fdb5d1b <+629>: je 0x5bad8fdb5d27 <main+641>
0x00005bad8fdb5d1d <+631>: mov $0x1,%edi
0x00005bad8fdb5d22 <+636>: callq 0x5bad8fdb5280 <exit@plt>
0x00005bad8fdb5d27 <+641>: addl $0x1,-0x1c(%rbp)
0x00005bad8fdb5d2b <+645>: cmpl $0x3,-0x1c(%rbp)
0x00005bad8fdb5d2f <+649>: jle 0x5bad8fdb5c80 <main+474>
0x00005bad8fdb5d35 <+655>: mov $0x0,%eax
0x00005bad8fdb5d3a <+660>: callq 0x5bad8fdb597d <win>
0x00005bad8fdb5d3f <+665>: mov $0x0,%eax
0x00005bad8fdb5d44 <+670>: mov -0x8(%rbp),%rcx
0x00005bad8fdb5d48 <+674>: xor %fs:0x28,%rcx
0x00005bad8fdb5d51 <+683>: je 0x5bad8fdb5d58 <main+690>
0x00005bad8fdb5d53 <+685>: callq 0x5bad8fdb51c0 <__stack_chk_fail@plt>
0x00005bad8fdb5d58 <+690>: leaveq
0x00005bad8fdb5d59 <+691>: retq
End of assembler dump.
(gdb) b* 0x00005bad8fdb5cc8
Breakpoint 1 at 0x5bad8fdb5cc8
(gdb) x/16gx $rsp
0x7ffe2598d550: 0x0000000000000002 0x00007ffe2598d698
0x7ffe2598d560: 0x00007ffe2598d688 0x000000018fdb5d60
0x7ffe2598d570: 0x0000000000000000 0x00005bad8fdb52a0
0x7ffe2598d580: 0x00007ffe2598d680 0x62934a28edbf8800
0x7ffe2598d590: 0x0000000000000000 0x000079c9965e7083
0x7ffe2598d5a0: 0x000079c9967f3620 0x00007ffe2598d688
0x7ffe2598d5b0: 0x0000000100000000 0x00005bad8fdb5aa6
0x7ffe2598d5c0: 0x00005bad8fdb5d60 0x22954742436e0a0f
(gdb) c
Continuing.
The random value has been set!
Random value:
Breakpoint 1, 0x00005bad8fdb5cc8 in main ()
(gdb) x/16gx $rsp
0x7ffe2598d550: 0x0000000000000002 0x00007ffe2598d698
0x7ffe2598d560: 0x00007ffe2598d688 0x000000018fdb5d60
0x7ffe2598d570: 0x0000000000000000 0x03496e75f06b3b22
0x7ffe2598d580: 0x00007ffe2598d680 0x62934a28edbf8800
0x7ffe2598d590: 0x0000000000000000 0x000079c9965e7083
0x7ffe2598d5a0: 0x000079c9967f3620 0x00007ffe2598d688
0x7ffe2598d5b0: 0x0000000100000000 0x00005bad8fdb5aa6
0x7ffe2598d5c0: 0x00005bad8fdb5d60 0x22954742436e0a0f
(gdb) ni
0x00005bad8fdb5ccc in main ()
(gdb)
0x00005bad8fdb5ccf in main ()
(gdb)
0x00005bad8fdb5cd6 in main ()
(gdb)
0x00005bad8fdb5cdb in main ()
(gdb)
0x03496e75f06b3b22
0x00005bad8fdb5ce0 in main ()
(gdb) c
Continuing.
You input: 3496e75f06b3b22
The correct answer is: 3496e75f06b3b22
The random value has been set!
Random value:
Breakpoint 1, 0x00005bad8fdb5cc8 in main ()
(gdb) x/16gx $rsp
0x7ffe2598d550: 0x0000000000000002 0x00007ffe2598d698
0x7ffe2598d560: 0x00007ffe2598d688 0x000000018fdb5d60
0x7ffe2598d570: 0x0000000100000000 0x82849545de20033f
0x7ffe2598d580: 0x03496e75f06b3b22 0x62934a28edbf8800
0x7ffe2598d590: 0x0000000000000000 0x000079c9965e7083
0x7ffe2598d5a0: 0x000079c9967f3620 0x00007ffe2598d688
0x7ffe2598d5b0: 0x0000000100000000 0x00005bad8fdb5aa6
0x7ffe2598d5c0: 0x00005bad8fdb5d60 0x22954742436e0a0f
(gdb) c
Continuing.
0x82849545de20033f
You input: 82849545de20033f
The correct answer is: 82849545de20033f
The random value has been set!
Random value:
Breakpoint 1, 0x00005bad8fdb5cc8 in main ()
(gdb) x/16gx $rsp
0x7ffe2598d550: 0x0000000000000002 0x00007ffe2598d698
0x7ffe2598d560: 0x00007ffe2598d688 0x000000018fdb5d60
0x7ffe2598d570: 0x0000000200000000 0x73dc7112d1eb7762
0x7ffe2598d580: 0x82849545de20033f 0x62934a28edbf8800
0x7ffe2598d590: 0x0000000000000000 0x000079c9965e7083
0x7ffe2598d5a0: 0x000079c9967f3620 0x00007ffe2598d688
0x7ffe2598d5b0: 0x0000000100000000 0x00005bad8fdb5aa6
0x7ffe2598d5c0: 0x00005bad8fdb5d60 0x22954742436e0a0f
(gdb) c
Continuing.
0x73dc7112d1eb7762
You input: 73dc7112d1eb7762
The correct answer is: 73dc7112d1eb7762
The random value has been set!
Random value:
Breakpoint 1, 0x00005bad8fdb5cc8 in main ()
(gdb) x/16gx $rsp
0x7ffe2598d550: 0x0000000000000002 0x00007ffe2598d698
0x7ffe2598d560: 0x00007ffe2598d688 0x000000018fdb5d60
0x7ffe2598d570: 0x0000000300000000 0x5ee083bf6b6e40b3
0x7ffe2598d580: 0x73dc7112d1eb7762 0x62934a28edbf8800
0x7ffe2598d590: 0x0000000000000000 0x000079c9965e7083
0x7ffe2598d5a0: 0x000079c9967f3620 0x00007ffe2598d688
0x7ffe2598d5b0: 0x0000000100000000 0x00005bad8fdb5aa6
0x7ffe2598d5c0: 0x00005bad8fdb5d60 0x22954742436e0a0f
(gdb) c
Continuing.
0x5ee083bf6b6e40b3
You input: 5ee083bf6b6e40b3
The correct answer is: 5ee083bf6b6e40b3
You win! Here is your flag:
pwn.college{8ItJO9Med3et5lSLCTPeHNoRDi1.01N0IDLwMzN1czW}
[Inferior 1 (process 1558) exited normally]
(gdb)
```
First I **disass main** and find the `read` call: it is invoked with `rsi = rbp-0x18` and `rdx = 8`, so the 8 random bytes land at `$rbp-0x18`. I put a breakpoint (`b *0x00005bad8fdb5cc8`, i.e. `main+546`) after the **The random value has been set!** and **Random value:** prints and just before `scanf`, then dump the stack before and after each hit so I can compare the old and new stack by eye. With `rbp = rsp+0x40`, `$rbp-0x18` is `$rsp+0x28`, the second qword of the `0x7ffe2598d570` row, and that is the only slot that changes on the first hit (`0x03496e75f06b3b22`). On later hits two other slots move as well: `$rbp-0x10` (first qword of the `0x7ffe2598d580` row) holds the value I typed the previous round, and `$rbp-0x1c` (upper half of the first qword of the `0x7ffe2598d570` row) is the loop counter, visible as `0x0000000100000000`, `0x0000000200000000`, `0x0000000300000000`. Reading the fresh value at `$rsp+0x28` on each hit and typing it in answers all four rounds.
Flag: pwn.college{8ItJO9Med3et5lSLCTPeHNoRDi1.01N0IDLwMzN1czW}
## Level 5:
```
Starting program: /challenge/embryogdb_level5
###
### Welcome to /challenge/embryogdb_level5!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
We write code in order to express an idea which can be reproduced and refined. We can think of our analysis as a program
which injests the target to be analyzed as data. As the saying goes, code is data and data is code.
While using gdb interactively as we've done with the past levels is incredibly powerful, another powerful tool is gdb
scripting. By scripting gdb, you can very quickly create a custom-tailored program analysis tool. If you know how to
interact with gdb, you already know how to write a gdb script--the syntax is exactly the same. You can write your
commands to some file, for example `x.gdb`, and then launch gdb using the flag `-x <PATH_TO_SCRIPT>`. This file will
execute all of the gdb commands after gdb launches. Alternatively, you can execute individual commands with `-ex
'<COMMAND>'`. You can pass multiple commands with multiple `-ex` arguments. Finally, you can have some commands be
always executed for any gdb session by putting them in `~/.gdbinit`. You probably want to put `set disassembly-flavor
intel` in there.
Within gdb scripting, a very powerful construct is breakpoint commands. Consider the following gdb script:
start
break *main+42
commands
x/gx $rbp-0x32
continue
end
continue
In this case, whenever we hit the instruction at `main+42`, we will output a particular local variable and then continue
execution.
Now consider a similar, but slightly more advanced script using some commands you haven't yet seen:
start
break *main+42
commands
silent
set $local_variable = *(unsigned long long*)($rbp-0x32)
printf "Current value: %llx\n", $local_variable
continue
end
continue
In this case, the `silent` indicates that we want gdb to not report that we have hit a breakpoint, to make the output a
bit cleaner. Then we use the `set` command to define a variable within our gdb session, whose value is our local
variable. Finally, we output the current value using a formatted string.
Use gdb scripting to help you collect the random values.
Program received signal SIGTRAP, Trace/breakpoint trap.
```
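Putting the challenge's two script fragments together, here is a complete breakpoint-command script for this level (and, with the offsets changed, for Level 4). It is an added example written for this writeup, not code from the challenge text or from the transcript below. It assumes the frame layout the disassembly below shows: `read(2)` stores the 8 random bytes at `$rbp-0x18`, the loop runs 8 rounds, and `main+752` (the breakpoint address the transcript uses, `0x5f98a912ad96` in that run) sits after the `Random value:` printf and just before the `__isoc99_scanf` call, so the value is already in place and stdin has not been consumed yet. It is meant to be loaded with `source level5.gdb` at the `(gdb)` prompt while the program is paused at its own `int3`, as in the transcript; if you hand it to gdb with `-x` before the program runs, put `start` in front of the `break` and add a second `continue` at the end to get past that `int3`.

```gdb
# level5.gdb: added example for this writeup, not part of the challenge.
# Assumes: random value at $rbp-0x18, breakpoint at main+752 (just before
# the scanf call), program already paused at its own int3 when sourced.
set disassembly-flavor intel
set pagination off
set $round = 0

break *main+752
commands
  silent
  set $round = $round + 1
  set $random = *(unsigned long long *)($rbp-0x18)
  printf "round %d of 8: type %llx\n", $round, $random
  continue
end

continue
```

Because `scanf` reads from the terminal, the script only prints each value and then lets the program block on input; you type the hex digits it just printed, the breakpoint fires again on the next round, and after round 8 `win` prints the flag. For Level 4 the same script works with `break *main+546` (the `lea -0x10(%rbp),%rax` before `scanf` in that binary) and four rounds instead of eight.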
```
(gdb) disass main
Dump of assembler code for function main:
0x00005f98a912aaa6 <+0>: endbr64
0x00005f98a912aaaa <+4>: push %rbp
0x00005f98a912aaab <+5>: mov %rsp,%rbp
0x00005f98a912aaae <+8>: sub $0x40,%rsp
0x00005f98a912aab2 <+12>: mov %edi,-0x24(%rbp)
0x00005f98a912aab5 <+15>: mov %rsi,-0x30(%rbp)
0x00005f98a912aab9 <+19>: mov %rdx,-0x38(%rbp)
0x00005f98a912aabd <+23>: mov %fs:0x28,%rax
0x00005f98a912aac6 <+32>: mov %rax,-0x8(%rbp)
0x00005f98a912aaca <+36>: xor %eax,%eax
0x00005f98a912aacc <+38>: cmpl $0x0,-0x24(%rbp)
0x00005f98a912aad0 <+42>: jg 0x5f98a912aaf1 <main+75>
0x00005f98a912aad2 <+44>: lea 0x1050(%rip),%rcx # 0x5f98a912bb29 <__PRETTY_FUNCTION__.5345>
0x00005f98a912aad9 <+51>: mov $0x51,%edx
0x00005f98a912aade <+56>: lea 0x54c(%rip),%rsi # 0x5f98a912b031
0x00005f98a912aae5 <+63>: lea 0x6d0(%rip),%rdi # 0x5f98a912b1bc
0x00005f98a912aaec <+70>: callq 0x5f98a912a1f0 <__assert_fail@plt>
0x00005f98a912aaf1 <+75>: lea 0x6cd(%rip),%rdi # 0x5f98a912b1c5
0x00005f98a912aaf8 <+82>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912aafd <+87>: mov -0x30(%rbp),%rax
0x00005f98a912ab01 <+91>: mov (%rax),%rax
0x00005f98a912ab04 <+94>: mov %rax,%rsi
0x00005f98a912ab07 <+97>: lea 0x6bb(%rip),%rdi # 0x5f98a912b1c9
--Type <RET> for more, q to quit, c to continue without paging--c
0x00005f98a912ab0e <+104>: mov $0x0,%eax
0x00005f98a912ab13 <+109>: callq 0x5f98a912a1d0 <printf@plt>
0x00005f98a912ab18 <+114>: lea 0x6a6(%rip),%rdi # 0x5f98a912b1c5
0x00005f98a912ab1f <+121>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ab24 <+126>: mov $0xa,%edi
0x00005f98a912ab29 <+131>: callq 0x5f98a912a170 <putchar@plt>
0x00005f98a912ab2e <+136>: mov 0x24eb(%rip),%rax # 0x5f98a912d020 <stdin@@GLIBC_2.2.5>
0x00005f98a912ab35 <+143>: mov $0x0,%ecx
0x00005f98a912ab3a <+148>: mov $0x2,%edx
0x00005f98a912ab3f <+153>: mov $0x0,%esi
0x00005f98a912ab44 <+158>: mov %rax,%rdi
0x00005f98a912ab47 <+161>: callq 0x5f98a912a240 <setvbuf@plt>
0x00005f98a912ab4c <+166>: mov 0x24bd(%rip),%rax # 0x5f98a912d010 <stdout@@GLIBC_2.2.5>
0x00005f98a912ab53 <+173>: mov $0x1,%ecx
0x00005f98a912ab58 <+178>: mov $0x2,%edx
0x00005f98a912ab5d <+183>: mov $0x0,%esi
0x00005f98a912ab62 <+188>: mov %rax,%rdi
0x00005f98a912ab65 <+191>: callq 0x5f98a912a240 <setvbuf@plt>
0x00005f98a912ab6a <+196>: lea 0x66f(%rip),%rdi # 0x5f98a912b1e0
0x00005f98a912ab71 <+203>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ab76 <+208>: lea 0x6db(%rip),%rdi # 0x5f98a912b258
0x00005f98a912ab7d <+215>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ab82 <+220>: lea 0x72f(%rip),%rdi # 0x5f98a912b2b8
0x00005f98a912ab89 <+227>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ab8e <+232>: lea 0x7a3(%rip),%rdi # 0x5f98a912b338
0x00005f98a912ab95 <+239>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ab9a <+244>: lea 0x7ff(%rip),%rdi # 0x5f98a912b3a0
0x00005f98a912aba1 <+251>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912aba6 <+256>: lea 0x86b(%rip),%rdi # 0x5f98a912b418
0x00005f98a912abad <+263>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912abb2 <+268>: lea 0x8d7(%rip),%rdi # 0x5f98a912b490
0x00005f98a912abb9 <+275>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912abbe <+280>: lea 0x943(%rip),%rdi # 0x5f98a912b508
0x00005f98a912abc5 <+287>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912abca <+292>: lea 0x9af(%rip),%rdi # 0x5f98a912b580
0x00005f98a912abd1 <+299>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912abd6 <+304>: lea 0xa1b(%rip),%rdi # 0x5f98a912b5f8
0x00005f98a912abdd <+311>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912abe2 <+316>: lea 0xa87(%rip),%rdi # 0x5f98a912b670
0x00005f98a912abe9 <+323>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912abee <+328>: lea 0xaf1(%rip),%rdi # 0x5f98a912b6e6
0x00005f98a912abf5 <+335>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912abfa <+340>: lea 0xaf7(%rip),%rdi # 0x5f98a912b6f8
0x00005f98a912ac01 <+347>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac06 <+352>: lea 0xb57(%rip),%rdi # 0x5f98a912b764
0x00005f98a912ac0d <+359>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac12 <+364>: lea 0xb53(%rip),%rdi # 0x5f98a912b76c
0x00005f98a912ac19 <+371>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac1e <+376>: lea 0xb58(%rip),%rdi # 0x5f98a912b77d
0x00005f98a912ac25 <+383>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac2a <+388>: lea 0xb57(%rip),%rdi # 0x5f98a912b788
0x00005f98a912ac31 <+395>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac36 <+400>: lea 0xb5e(%rip),%rdi # 0x5f98a912b79b
0x00005f98a912ac3d <+407>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac42 <+412>: lea 0xb5f(%rip),%rdi # 0x5f98a912b7a8
0x00005f98a912ac49 <+419>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac4e <+424>: lea 0xb59(%rip),%rdi # 0x5f98a912b7ae
0x00005f98a912ac55 <+431>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac5a <+436>: lea 0xb58(%rip),%rdi # 0x5f98a912b7b9
0x00005f98a912ac61 <+443>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac66 <+448>: lea 0xb53(%rip),%rdi # 0x5f98a912b7c0
0x00005f98a912ac6d <+455>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac72 <+460>: lea 0xbc0(%rip),%rdi # 0x5f98a912b839
0x00005f98a912ac79 <+467>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac7e <+472>: lea 0xbc3(%rip),%rdi # 0x5f98a912b848
0x00005f98a912ac85 <+479>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac8a <+484>: lea 0xad3(%rip),%rdi # 0x5f98a912b764
0x00005f98a912ac91 <+491>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ac96 <+496>: lea 0xacf(%rip),%rdi # 0x5f98a912b76c
0x00005f98a912ac9d <+503>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912aca2 <+508>: lea 0xad4(%rip),%rdi # 0x5f98a912b77d
0x00005f98a912aca9 <+515>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912acae <+520>: lea 0xbf8(%rip),%rdi # 0x5f98a912b8ad
0x00005f98a912acb5 <+527>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912acba <+532>: lea 0xbf7(%rip),%rdi # 0x5f98a912b8b8
0x00005f98a912acc1 <+539>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912acc6 <+544>: lea 0xc2b(%rip),%rdi # 0x5f98a912b8f8
0x00005f98a912accd <+551>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912acd2 <+556>: lea 0xac2(%rip),%rdi # 0x5f98a912b79b
0x00005f98a912acd9 <+563>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912acde <+568>: lea 0xac3(%rip),%rdi # 0x5f98a912b7a8
0x00005f98a912ace5 <+575>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912acea <+580>: lea 0xabd(%rip),%rdi # 0x5f98a912b7ae
0x00005f98a912acf1 <+587>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912acf6 <+592>: lea 0xabc(%rip),%rdi # 0x5f98a912b7b9
0x00005f98a912acfd <+599>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ad02 <+604>: lea 0xc27(%rip),%rdi # 0x5f98a912b930
0x00005f98a912ad09 <+611>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ad0e <+616>: lea 0xc93(%rip),%rdi # 0x5f98a912b9a8
0x00005f98a912ad15 <+623>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ad1a <+628>: lea 0xcff(%rip),%rdi # 0x5f98a912ba20
0x00005f98a912ad21 <+635>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ad26 <+640>: lea 0xd43(%rip),%rdi # 0x5f98a912ba70
0x00005f98a912ad2d <+647>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ad32 <+652>: int3
=> 0x00005f98a912ad33 <+653>: nop
0x00005f98a912ad34 <+654>: movl $0x0,-0x1c(%rbp)
0x00005f98a912ad3b <+661>: jmpq 0x5f98a912adeb <main+837>
0x00005f98a912ad40 <+666>: mov $0x0,%esi
0x00005f98a912ad45 <+671>: lea 0xd5e(%rip),%rdi # 0x5f98a912baaa
0x00005f98a912ad4c <+678>: mov $0x0,%eax
0x00005f98a912ad51 <+683>: callq 0x5f98a912a250 <open@plt>
0x00005f98a912ad56 <+688>: mov %eax,%ecx
0x00005f98a912ad58 <+690>: lea -0x18(%rbp),%rax
0x00005f98a912ad5c <+694>: mov $0x8,%edx
0x00005f98a912ad61 <+699>: mov %rax,%rsi
0x00005f98a912ad64 <+702>: mov %ecx,%edi
0x00005f98a912ad66 <+704>: callq 0x5f98a912a210 <read@plt>
0x00005f98a912ad6b <+709>: lea 0xd46(%rip),%rdi # 0x5f98a912bab8
0x00005f98a912ad72 <+716>: callq 0x5f98a912a190 <puts@plt>
0x00005f98a912ad77 <+721>: lea 0xd5a(%rip),%rdi # 0x5f98a912bad8
0x00005f98a912ad7e <+728>: mov $0x0,%eax
0x00005f98a912ad83 <+733>: callq 0x5f98a912a1d0 <printf@plt>
0x00005f98a912ad88 <+738>: lea -0x10(%rbp),%rax
0x00005f98a912ad8c <+742>: mov %rax,%rsi
0x00005f98a912ad8f <+745>: lea 0xd51(%rip),%rdi # 0x5f98a912bae7
0x00005f98a912ad96 <+752>: mov $0x0,%eax
0x00005f98a912ad9b <+757>: callq 0x5f98a912a260 <__isoc99_scanf@plt>
0x00005f98a912ada0 <+762>: mov -0x10(%rbp),%rax
0x00005f98a912ada4 <+766>: mov %rax,%rsi
0x00005f98a912ada7 <+769>: lea 0xd3e(%rip),%rdi # 0x5f98a912baec
0x00005f98a912adae <+776>: mov $0x0,%eax
0x00005f98a912adb3 <+781>: callq 0x5f98a912a1d0 <printf@plt>
0x00005f98a912adb8 <+786>: mov -0x18(%rbp),%rax
0x00005f98a912adbc <+790>: mov %rax,%rsi
0x00005f98a912adbf <+793>: lea 0xd37(%rip),%rdi # 0x5f98a912bafd
0x00005f98a912adc6 <+800>: mov $0x0,%eax
0x00005f98a912adcb <+805>: callq 0x5f98a912a1d0 <printf@plt>
0x00005f98a912add0 <+810>: mov -0x10(%rbp),%rdx
0x00005f98a912add4 <+814>: mov -0x18(%rbp),%rax
0x00005f98a912add8 <+818>: cmp %rax,%rdx
0x00005f98a912addb <+821>: je 0x5f98a912ade7 <main+833>
0x00005f98a912addd <+823>: mov $0x1,%edi
0x00005f98a912ade2 <+828>: callq 0x5f98a912a280 <exit@plt>
0x00005f98a912ade7 <+833>: addl $0x1,-0x1c(%rbp)
0x00005f98a912adeb <+837>: cmpl $0x7,-0x1c(%rbp)
0x00005f98a912adef <+841>: jle 0x5f98a912ad40 <main+666>
0x00005f98a912adf5 <+847>: mov $0x0,%eax
0x00005f98a912adfa <+852>: callq 0x5f98a912a97d <win>
0x00005f98a912adff <+857>: mov $0x0,%eax
0x00005f98a912ae04 <+862>: mov -0x8(%rbp),%rcx
0x00005f98a912ae08 <+866>: xor %fs:0x28,%rcx
0x00005f98a912ae11 <+875>: je 0x5f98a912ae18 <main+882>
0x00005f98a912ae13 <+877>: callq 0x5f98a912a1c0 <__stack_chk_fail@plt>
0x00005f98a912ae18 <+882>: leaveq
0x00005f98a912ae19 <+883>: retq
End of assembler dump.
(gdb) b* 0x00005f98a912ad96
Breakpoint 1 at 0x5f98a912ad96
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000000000000 0x00005f98a912a2a0
0x7ffe6e97c160: 0x00007ffe6e97c260 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000000000000 0xbf020b39fdf9cee2
0x7ffe6e97c160: 0x00007ffe6e97c260 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0xbf020b39fdf9cee2
You input: bf020b39fdf9cee2
The correct answer is: bf020b39fdf9cee2
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000100000000 0xf7a6a1eeb128f94c
0x7ffe6e97c160: 0xbf020b39fdf9cee2 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0xf7a6a1eeb128f94c
You input: f7a6a1eeb128f94c
The correct answer is: f7a6a1eeb128f94c
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000200000000 0x965fb6dda2c6852d
0x7ffe6e97c160: 0xf7a6a1eeb128f94c 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0x965fb6dda2c6852d
You input: 965fb6dda2c6852d
The correct answer is: 965fb6dda2c6852d
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000300000000 0x694d3b31ad0c0e83
0x7ffe6e97c160: 0x965fb6dda2c6852d 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0x694d3b31ad0c0e83
You input: 694d3b31ad0c0e83
The correct answer is: 694d3b31ad0c0e83
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000400000000 0x84a6920498d9125c
0x7ffe6e97c160: 0x694d3b31ad0c0e83 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0x84a6920498d9125c
You input: 84a6920498d9125c
The correct answer is: 84a6920498d9125c
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000500000000 0xb1e853efd32c69eb
0x7ffe6e97c160: 0x84a6920498d9125c 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0xb1e853efd32c69eb
You input: b1e853efd32c69eb
The correct answer is: b1e853efd32c69eb
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000600000000 0xafa790ef63af566f
0x7ffe6e97c160: 0xb1e853efd32c69eb 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0xafa790ef63af566f
You input: afa790ef63af566f
The correct answer is: afa790ef63af566f
The random value has been set!
Random value:
Breakpoint 1, 0x00005f98a912ad96 in main ()
(gdb) x/16gx $rsp
0x7ffe6e97c130: 0x0000000000000002 0x00007ffe6e97c278
0x7ffe6e97c140: 0x00007ffe6e97c268 0x00000001a912ae20
0x7ffe6e97c150: 0x0000000700000000 0x7281c8cbae94f641
0x7ffe6e97c160: 0xafa790ef63af566f 0xf37aa50439685b00
0x7ffe6e97c170: 0x0000000000000000 0x00007020164b2083
0x7ffe6e97c180: 0x00007020166be620 0x00007ffe6e97c268
0x7ffe6e97c190: 0x0000000100000000 0x00005f98a912aaa6
0x7ffe6e97c1a0: 0x00005f98a912ae20 0x9a34a3039e97e488
(gdb) c
Continuing.
0x7281c8cbae94f641
You input: 7281c8cbae94f641
The correct answer is: 7281c8cbae94f641
You win! Here is your flag:
pwn.college{8HsHdNIeLx_JyAGK_cYYPbBM8Qh.0FO0IDLwMzN1czW}
[Inferior 1 (process 690) exited normally]
(gdb)
```
Same as the previous challenge, but you need to answer more times.
Flag: pwn.college{8HsHdNIeLx_JyAGK_cYYPbBM8Qh.0FO0IDLwMzN1czW}
## Level 6:
```
###
### Welcome to /challenge/embryogdb_level6!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
As it turns out, gdb has FULL control over the target process. Not only can you analyze the program's state, but you can
also modify it. While gdb probably isn't the best tool for doing long term maintenance on a program, sometimes it can be
useful to quickly modify the behavior of your target process in order to more easily analyze it.
You can modify the state of your target program with the `set` command. For example, you can use `set $rdi = 0` to zero
out $rdi. You can use `set *((uint64_t *) $rsp) = 0x1234` to set the first value on the stack to 0x1234. You can use
`set *((uint16_t *) 0x31337000) = 0x1337` to set 2 bytes at 0x31337000 to 0x1337.
Suppose your target is some networked application which reads from some socket on fd 42. Maybe it would be easier for
the purposes of your analysis if the target instead read from stdin. You could achieve something like that with the
following gdb script:
start
catch syscall read
commands
silent
if ($rdi == 42)
set $rdi = 0
end
continue
end
continue
This example gdb script demonstrates how you can automatically break on system calls, and how you can use conditions
within your commands to conditionally perform gdb commands.
In the previous level, your gdb scripting solution likely still required you to copy and paste your solutions. This
time, try to write a script that doesn't require you to ever talk to the program, and instead automatically solves each
challenge by correctly modifying registers / memory.
Program received signal SIGTRAP, Trace/breakpoint trap.
```
```python
from pwn import *

# Drive the challenge's gdb session with pwntools instead of typing each answer
p = process("/challenge/embryogdb_level6")
p.recvuntil(b"(gdb) ")
p.sendline(b"run")
p.recvuntil(b"(gdb) ")
# Break right before the program reads our answer, after the random value is set
p.sendline(b"b *main+625")
p.recvuntil(b"(gdb) ")
p.sendline(b"c")
for i in range(64):
    p.recvuntil(b"(gdb) ")
    # The random value lives at -0x18(%rbp); dump memory starting there
    p.sendline(b"x/16gx $rbp-0x18")
    output = p.recvline().decode()
    # gdb prints "<addr>:\t<qword>\t<qword>", so the first qword is the answer
    value = output.split("\t")[1]
    p.recvuntil(b"(gdb) ")
    p.sendline(b"c")
    p.recvuntil(b"Continuing.\n")
    # Feed the random value back to the program as its expected input
    p.sendline(value.encode())
p.interactive()
```
Same as the previous challenge, but you need to answer 64 times, so I used pwntools to help me.

Flag: pwn.college{U1HanuNOq8DUdGVSLjaHjMjVdPO.0VO0IDLwMzN1czW}
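The level 5 stack dumps and the level 6 script both rely on reading gdb's `x/Ngx` output and mapping it onto the frame layout shown in the disassembly (`-0x1c(%rbp)` loop counter, `-0x18(%rbp)` random value, `-0x10(%rbp)` user input, `-0x8(%rbp)` stack canary). The following is an added example, not part of the original writeup, that parses such a dump into a byte image and reads those slots back out at their proper widths; it reuses one of the level 5 dumps above as constructed sample input, and the `rbp` value `0x7ffe6e97c170` is derived from the canary qword sitting at `0x7ffe6e97c168` (assumed, since gdb was not asked to print `$rbp` in the session):

```python
import re

# Constructed sample: the `x/16gx $rsp` dump from the level 5 session above,
# captured at the breakpoint before the second scanf.
SAMPLE_DUMP = """\
0x7ffe6e97c130:\t0x0000000000000002\t0x00007ffe6e97c278
0x7ffe6e97c140:\t0x00007ffe6e97c268\t0x00000001a912ae20
0x7ffe6e97c150:\t0x0000000100000000\t0xf7a6a1eeb128f94c
0x7ffe6e97c160:\t0xbf020b39fdf9cee2\t0xf37aa50439685b00
0x7ffe6e97c170:\t0x0000000000000000\t0x00007020164b2083
0x7ffe6e97c180:\t0x00007020166be620\t0x00007ffe6e97c268
0x7ffe6e97c190:\t0x0000000100000000\t0x00005f98a912aaa6
0x7ffe6e97c1a0:\t0x00005f98a912ae20\t0x9a34a3039e97e488
"""

# Frame base for the sample dump (assumed from the canary at -0x8(%rbp)).
SAMPLE_RBP = 0x7ffe6e97c170

# One dump line: address, optional "<symbol+off>" label, colon, then qwords.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)(?:\s*<[^>]*>)?:\s*(.*)$")


def parse_x_gx(text):
    """Turn `x/Ngx` output into a dict of address -> byte (little-endian)."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompts, "Continuing." etc. are not memory lines
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            value = int(word, 16)
            for i, b in enumerate(value.to_bytes(8, "little")):
                mem[addr + i] = b
            addr += 8
    return mem


def read_int(mem, addr, size):
    """Read `size` bytes little-endian; KeyError if any byte is outside the dump."""
    return int.from_bytes(bytes(mem[addr + i] for i in range(size)), "little")


def frame_view(dump, rbp):
    """Recover the locals main() uses, at the widths the disassembly implies."""
    mem = parse_x_gx(dump)
    return {
        "counter": read_int(mem, rbp - 0x1c, 4),  # addl/cmpl: 4-byte int
        "random": read_int(mem, rbp - 0x18, 8),   # expected answer
        "input": read_int(mem, rbp - 0x10, 8),    # what scanf stored last round
        "canary": read_int(mem, rbp - 0x8, 8),    # %fs:0x28 copy
    }


if __name__ == "__main__":
    view = frame_view(SAMPLE_DUMP, SAMPLE_RBP)
    for name, val in view.items():
        print(f"{name:8s} {val:#018x}")
```

The 4-byte read of the counter crosses the middle of the qword at `0x7ffe6e97c150`, which is why that slot shows `0x0000000100000000` rather than a plain `1`; reading at the width the instructions use avoids that confusion. The same parser can replace the `split("\t")[1]` in the pwntools script, and it keeps the `<symbol>` annotations gdb adds when an address has a name (as in the level 8 `win` disassembly). Note also that the canary's lowest byte is zero, a glibc convention that stops string functions from copying it.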
## Level 7:
```
Starting program: /challenge/embryogdb_level7
###
### Welcome to /challenge/embryogdb_level7!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
As we demonstrated in the previous level, gdb has FULL control over the target process. Under normal circumstances, gdb
running as your regular user cannot attach to a privileged process. This is why gdb isn't a massive security issue which
would allow you to just immediately solve all the levels. Nevertheless, gdb is still an extremely powerful tool.
Running within this elevated instance of gdb gives you elevated control over the entire system. To clearly demonstrate
this, see what happens when you run the command `call (void)win()`. As it turns out, all of the levels in this module
can be solved in this way.
GDB is very powerful!
Program received signal SIGTRAP, Trace/breakpoint trap.
```
```
0x00005a845937cbb7 in main ()
(gdb) call (void)win()
You win! Here is your flag:
pwn.college{U_hqH5RVlWBaHaI4gdmFrrojVZp.0FM1IDLwMzN1czW}
```
Do the same thing the challenge tells you to =)))
Flag: pwn.college{U_hqH5RVlWBaHaI4gdmFrrojVZp.0FM1IDLwMzN1czW}
## Level 8:
```
###
### Welcome to /challenge/embryogdb_level8!
###
GDB is a very powerful dynamic analysis tool which you can use in order to understand the state of a program throughout
its execution. You will become familiar with some of gdb's capabilities in this module.
As we demonstrated in the previous level, gdb has FULL control over the target process. Under normal circumstances, gdb
running as your regular user cannot attach to a privileged process. This is why gdb isn't a massive security issue which
would allow you to just immediately solve all the levels. Nevertheless, gdb is still an extremely powerful tool.
Running within this elevated instance of gdb gives you elevated control over the entire system. To clearly demonstrate
this, see what happens when you run the command `call (void)win()`.
Note that this will _not_ get you the flag (it seems that we broke the win function!), so you'll need to work a bit
harder to get this flag!
As it turns out, all of the levels other levels in module could be solved in this way.
GDB is very powerful!
```
After some debugging, I put a breakpoint near the place that prints the flag, but it could not reach it, so I kept moving the breakpoint closer and closer to the top until I found it: when it **calls puts** the program automatically ends, so I tried to **jump** past it (using **rip**) and it succeeded.
```
(gdb) disass win
Dump of assembler code for function win:
0x000060536763d951 <+0>: endbr64
0x000060536763d955 <+4>: push %rbp
0x000060536763d956 <+5>: mov %rsp,%rbp
0x000060536763d959 <+8>: sub $0x10,%rsp
0x000060536763d95d <+12>: movq $0x0,-0x8(%rbp)
0x000060536763d965 <+20>: mov -0x8(%rbp),%rax
0x000060536763d969 <+24>: mov (%rax),%eax
0x000060536763d96b <+26>: lea 0x1(%rax),%edx
0x000060536763d96e <+29>: mov -0x8(%rbp),%rax
0x000060536763d972 <+33>: mov %edx,(%rax)
0x000060536763d974 <+35>: lea 0x73e(%rip),%rdi # 0x60536763e0b9
0x000060536763d97b <+42>: callq 0x60536763d180 <puts@plt>
0x000060536763d980 <+47>: mov $0x0,%esi
0x000060536763d985 <+52>: lea 0x749(%rip),%rdi # 0x60536763e0d5
0x000060536763d98c <+59>: mov $0x0,%eax
0x000060536763d991 <+64>: callq 0x60536763d240 <open@plt>
0x000060536763d996 <+69>: mov %eax,0x26a4(%rip) # 0x605367640040 <flag_fd.5712>
0x000060536763d99c <+75>: mov 0x269e(%rip),%eax # 0x605367640040 <flag_fd.5712>
0x000060536763d9a2 <+81>: test %eax,%eax
0x000060536763d9a4 <+83>: jns 0x60536763d9ef <win+158>
0x000060536763d9a6 <+85>: callq 0x60536763d170 <__errno_location@plt>
0x000060536763d9ab <+90>: mov (%rax),%eax
0x000060536763d9ad <+92>: mov %eax,%edi
--Type <RET> for more, q to quit, c to continue without paging--c
0x000060536763d9af <+94>: callq 0x60536763d270 <strerror@plt>
0x000060536763d9b4 <+99>: mov %rax,%rsi
0x000060536763d9b7 <+102>: lea 0x722(%rip),%rdi # 0x60536763e0e0
0x000060536763d9be <+109>: mov $0x0,%eax
0x000060536763d9c3 <+114>: callq 0x60536763d1c0 <printf@plt>
0x000060536763d9c8 <+119>: callq 0x60536763d1f0 <geteuid@plt>
0x000060536763d9cd <+124>: test %eax,%eax
0x000060536763d9cf <+126>: je 0x60536763da66 <win+277>
0x000060536763d9d5 <+132>: lea 0x734(%rip),%rdi # 0x60536763e110
0x000060536763d9dc <+139>: callq 0x60536763d180 <puts@plt>
0x000060536763d9e1 <+144>: lea 0x750(%rip),%rdi # 0x60536763e138
0x000060536763d9e8 <+151>: callq 0x60536763d180 <puts@plt>
0x000060536763d9ed <+156>: jmp 0x60536763da66 <win+277>
0x000060536763d9ef <+158>: mov 0x264b(%rip),%eax # 0x605367640040 <flag_fd.5712>
0x000060536763d9f5 <+164>: mov $0x100,%edx
0x000060536763d9fa <+169>: lea 0x265f(%rip),%rsi # 0x605367640060 <flag.5711>
0x000060536763da01 <+176>: mov %eax,%edi
0x000060536763da03 <+178>: callq 0x60536763d200 <read@plt>
0x000060536763da08 <+183>: mov %eax,0x2752(%rip) # 0x605367640160 <flag_length.5713>
0x000060536763da0e <+189>: mov 0x274c(%rip),%eax # 0x605367640160 <flag_length.5713>
0x000060536763da14 <+195>: test %eax,%eax
0x000060536763da16 <+197>: jg 0x60536763da3c <win+235>
0x000060536763da18 <+199>: callq 0x60536763d170 <__errno_location@plt>
0x000060536763da1d <+204>: mov (%rax),%eax
0x000060536763da1f <+206>: mov %eax,%edi
0x000060536763da21 <+208>: callq 0x60536763d270 <strerror@plt>
0x000060536763da26 <+213>: mov %rax,%rsi
0x000060536763da29 <+216>: lea 0x760(%rip),%rdi # 0x60536763e190
0x000060536763da30 <+223>: mov $0x0,%eax
0x000060536763da35 <+228>: callq 0x60536763d1c0 <printf@plt>
0x000060536763da3a <+233>: jmp 0x60536763da67 <win+278>
0x000060536763da3c <+235>: mov 0x271e(%rip),%eax # 0x605367640160 <flag_length.5713>
0x000060536763da42 <+241>: cltq
0x000060536763da44 <+243>: mov %rax,%rdx
0x000060536763da47 <+246>: lea 0x2612(%rip),%rsi # 0x605367640060 <flag.5711>
0x000060536763da4e <+253>: mov $0x1,%edi
0x000060536763da53 <+258>: callq 0x60536763d1a0 <write@plt>
0x000060536763da58 <+263>: lea 0x75b(%rip),%rdi # 0x60536763e1ba
0x000060536763da5f <+270>: callq 0x60536763d180 <puts@plt>
0x000060536763da64 <+275>: jmp 0x60536763da67 <win+278>
0x000060536763da66 <+277>: nop
0x000060536763da67 <+278>: leaveq
0x000060536763da68 <+279>: retq
End of assembler dump.
(gdb) set $rip=win+47
(gdb) c
Continuing.
pwn.college{sB4JS4KG2vtdzn6WAK7uSvEYJg6.dlzMzMDLwMzN1czW}
```
Flag: pwn.college{sB4JS4KG2vtdzn6WAK7uSvEYJg6.dlzMzMDLwMzN1czW}