emin_int11

0wnyou

Jan 2nd, 2015
  1. #eminghuliev NoneCTF
  2.  
  3. archive disclosure
  4.  
  5. step-1 *bin300*
  6.  
  7. (gdb) disas main
  8. Dump of assembler code for function main:
  9. 0x080484d0 <main+0>: lea 0x4(%esp),%ecx
  10. 0x080484d4 <main+4>: and $0xfffffff0,%esp
  11. 0x080484d7 <main+7>: pushl -0x4(%ecx)
  12. 0x080484da <main+10>: push %ebp
  13. 0x080484db <main+11>: mov %esp,%ebp
  14. 0x080484dd <main+13>: push %ecx
  15. 0x080484de <main+14>: sub $0x24,%esp
  16. 0x080484e1 <main+17>: movl $0x8048559,(%esp)
  17. 0x080484e8 <main+24>: call 0x8048374 <getenv@plt>
  18. 0x080484ed <main+29>: mov %eax,-0x8(%ebp)
  19. 0x080484f0 <main+32>: movl $0x804855e,0x4(%esp)
  20. 0x080484f8 <main+40>: lea -0xe(%ebp),%eax
  21. 0x080484fb <main+43>: mov %eax,(%esp)
  22. 0x080484fe <main+46>: call 0x8048394 <strcmp@plt>
  23. 0x08048503 <main+51>: test %eax,%eax
  24. 0x08048505 <main+53>: jne 0x8048513 <main+67>
  25. 0x08048507 <main+55>: movl $0x8048564,(%esp)
  26. 0x0804850e <main+62>: call 0x8048344 <printf@plt>
  27. 0x08048513 <main+67>: add $0x24,%esp
  28. 0x08048516 <main+70>: pop %ecx
  29. 0x08048517 <main+71>: pop %ebp
  30. 0x08048518 <main+72>: lea -0x4(%ecx),%esp
  31. 0x0804851b <main+75>: ret
  32. 0x0804851c <main+76>: nop
  33. 0x0804851d <main+77>: nop
  34. 0x0804851e <main+78>: nop
  35. 0x0804851f <main+79>: nop
  36. End of assembler dump.
  37.  
  38. ==> section of interest (reached only when strcmp returns 0; otherwise the jne at main+53 skips it)
  39.  
  40. 0x08048507 <main+55>: movl $0x8048564,(%esp) ===> stores the address 0x8048564 at the top of the stack as the argument to printf; check what is at that address
  41. 0x0804850e <main+62>: call 0x8048344 <printf@plt> <----- call printf function :)
  42.  
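  43. The printf argument is a constant string stored in plaintext in .rodata, so it can be examined directly as a string without satisfying the strcmp check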
  44.  
  45. (gdb) x/s 0x8048564
  46. 0x8048564 <.rodata+12>: "Flag: az4d1f2g6g8r"