(gdb) call ((void(*)(char*))0x401456)(0x6020a0+8) Or simply:
eu-unstrip -n --core=core.dump This reveals the missing binary path and build ID. We can fetch or reconstruct. After recovering the binary (named bad_memories_v0.9 ), analyze it:
[0x00401234]> afl | grep secret 0x00401456 sym.secret_function Disassemble secret_function : Bad Memories -v0.9- -recreation-
(gdb) x/10gx 0x6020a0 Shows 0x401456 in the vtable slot – that’s the secret function address!
However, this core dump is process-only. Use elfutils : However, this core dump is process-only
So a note was freed, then its print_func pointer was overwritten via another allocation (use-after-free write), pointing to the secret function. The core dump captured the program after the exploit but before the flag was printed. We can manually trigger the print:
But it’s never called normally. The challenge name "Bad Memories" + -recreation- hints we need to force a UAF to redirect execution to this function. Examine heap chunks in the core dump. We can manually trigger the print: But it’s
(gdb) set void *(char *)0x6020a0 = 0x401456 (gdb) call (*(void(*)(char*))0x6020a0)(0x6020a0+8) Output: