Rolling

• Windows 8.1• IDA 6.6

• Kali Linux adm64• EDB ( 動態調適器 )

Libc 6 required• To solve it, add the following line to the sources.list:• deb http://ftp.debian.org/debian sid main

• Then install a new linbc:• apt-get update• apt-get -t sid install libc6-dev

main

4006c7

Call rax?• 轉動態調適• 過 4006c7 直接 F7 進 call rax

• 觀察 1• 參數給 test

• "57 102 108 97 103 115 115 116 97 114 116 119 105 116 104 57", • which is "9flagsstartwith9"

• 觀察二• Start with 9: 參數給 “ 9abc123”• rax 指向另一檢查 function

結論• 開頭是 9447• 接下來 ith char 都 relate 到 (i-4)th char• 用 (i-4)th char + {offset}• Offsets: +57 +59 +56 +53 -9 -1 -5 -3 +10 -8 +14 +5• => flag is: “9447{9447rollingisfun}”

Ref.• http://theevilbit.blogspot.tw/2014/12/9447-ctf-2014-writeup-reversi

ng-125100.html