So a note was freed, then its print_func pointer was overwritten via another allocation (use-after-free write), pointing to the secret function. The core dump captured the program after the exploit but before the flag was printed. We can manually trigger the print:
Also found references to malloc , free , heap , and flag.txt . Since only the core dump was given (no original binary), we need to recreate the binary or at least its memory layout. Bad Memories -v0.9- -recreation-
eu-unstrip -n --core=core.dump This reveals the missing binary path and build ID. We can fetch or reconstruct. After recovering the binary (named bad_memories_v0.9 ), analyze it: So a note was freed, then its print_func
In GDB, call the overwritten function:
void secret_function() char flag[64]; FILE *f = fopen("flag.txt", "r"); fread(flag, 1, 64, f); flag[strcspn(flag, "\n")] = 0; printf("Flag: %s\n", flag); Since only the core dump was given (no
[0x00401234]> afl | grep secret 0x00401456 sym.secret_function Disassemble secret_function :