RingZer0 CTF – Time to learn x86 ASM & gdb

For now, my writeups will mainly cover challenges from the RingZer0 Team Online CTF, but I will also do writeups for other CTFs I join. If you have not heard of RingZer0, head to their site and create your account.

The challenge can be found here, and we can download a binary file from the question.

What does the binary do?

First, let’s run the given binary.


No flag is given. Where is the flag? It is probably created in the program but never printed out.

Disassemble the binary

Now, let’s open the program in GDB.

Disassembling the binary, the first 2 functions called are malloc and memset. We can see malloc is called to allocate an array of size 24, and memset is then called to fill the array with zeroes.

From this, it is very likely that a string of size 24 is being created here.


After malloc and memset, other than calling puts on the strings “Loading…” and “Where is the flag?”, we see that the program just does a bunch of string operations on the string.

So, let’s follow the instructions and try to work out the flag!

Nah, ain’t nobody got time for that. Why don’t we just get the address of the string and print the flag out at the end of the program?

Get the address of the string

Set a breakpoint before malloc is called, then run the program and print the value of eax, to get the address of the array. On 32-bit x86, malloc returns the pointer in eax, so the value is read once the call has returned.


Here, we find that the address of the array is 0x0804b008.

Get the flag!


Let’s choose somewhere near the end of the program to set a breakpoint, so that we can get the contents of the flag.

0x08048544 looks fine; there seem to be no more operations on the string at this point.


We create a breakpoint at 0x08048544, continue the program from where we left off earlier, then examine the memory at the address we previously obtained as a string.

And we get the flag, FLAG-4092849uio2jfklsj4kl
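The steps above as a gdb command file, added here as an example and not taken from the original post. It assumes the binary still has its `main` symbol and is dynamically linked against libc; the file names in the first comment are placeholders. Instead of a hard-coded breakpoint around the malloc call, it uses `finish` to return from malloc, so eax already holds the pointer when it is read.

```gdb
# Usage (placeholder names): gdb -q -x flag.gdb ./binary

set pagination off

# Stop at main first, so allocations made during program start-up
# are not mistaken for the program's own malloc call.
tbreak main
run

# Per the disassembly, malloc is the first function main calls.
# Break inside it once, then let it return to main.
tbreak malloc
continue
finish

# 32-bit x86 calling convention: the returned pointer is in eax.
# Keep it in a convenience variable; the heap address can differ
# between systems (the post observed 0x0804b008).
set $buf = $eax
print/x $buf

# Address from the post: no more writes to the buffer after this point.
break *0x08048544
continue

# Read the finished buffer as a C string, then as the 24 raw bytes
# that were allocated, in case it contains unprintable characters.
x/s $buf
x/24xb $buf
```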

