-recreation- - Bad Memories -v0.9-

gdb -c core.dump (gdb) dump memory recovered.bin 0x400000 0x401000 # typical .text section But better: use volatility (if full memory dump) or memdump from /proc/pid/maps style.

Check if that note was freed:

Also found references to malloc , free , heap , and flag.txt . Since only the core dump was given (no original binary), we need to recreate the binary or at least its memory layout.

strings core.dump | grep -i ctf Returns: Bad Memories -v0.9- -recreation-

Loading memory... [1] Allocate [2] Write [3] Read [4] Free [5] Exit A heap note manager – likely vulnerable to UAF (use-after-free) or double-free.

Flag: CTFBad_Memories_Unleash_Secret_Recreation Alternatively, the flag might already be in memory. Dump all strings from core:

Using gdb with the core file:

So a note was freed, then its print_func pointer was overwritten via another allocation (use-after-free write), pointing to the secret function. The core dump captured the program after the exploit but before the flag was printed. We can manually trigger the print:

CTFBad_Memories_Unleash_Secret_Recreation To recreate the vulnerability locally:

[0x00401234]> afl | grep secret 0x00401456 sym.secret_function Disassemble secret_function : gdb -c core

(gdb) set void *(char *)0x6020a0 = 0x401456 (gdb) call (*(void(*)(char*))0x6020a0)(0x6020a0+8) Output:

Check with radare2 :