0poss's Blog

Posts

How to reverse a metamorphic windows kernel driver statically - HITCON22 Checker

# CTF # reverse-engineering
This article isn’t particularly technical; I just wanted to show how I reverse-engineered this challenge fully statically using Binary Ninja. The write-up is on the blog of the team I did the CTF with: Hexagon (beware of the brutal color theme change).

Overkilling a heap exploit with FSOP - FCSC2021 Cheapie

# CTF # pwn
Cheapie (pwn - 198 pts) Are you familiar with the heap? Yay, a heap challenge! Setup The given libc didn’t have any symbols and no loader was provided, so I ran pwninit to retrieve a libc with symbols and a loader. What I didn’t realise until writing this is that pwninit gave me a different libc, which changed the final part of the exploit: getting a shell! Read more...

Maze running with Angr - MidnightSun2021 Labyrevnt

# CTF # reverse-engineering
I used the proximity browser in IDA with the “Add node -> Find path” feature to get the path between the main and walk_end functions. Once all the function names in the path were dumped, in the same order as in IDA, into functions.txt, you just have to tell angr to avoid (discard) every state whose call stack differs from the path linking main and walk_end. from IPython import embed import angr p = angr. Read more...

Talks

Obfuscation: mixed boolean-arithmetic expressions

Nocturnes ESN'HACK 2023

A talk on mixed boolean arithmetic (MBA) obfuscation I gave at an event organized by the ESN'HACK association. In this talk, I go through the very basics of MBA obfuscation, demonstrate some techniques, and briefly talk about state-of-the-art tools for deobfuscation.

French slides