But I already typed that…
**http://assets-2013.legitbs.net/liabilities/policebox**
**http://assets-2013.legitbs.net/liabilities/core**
Opening the core file in gdb reveals that it was "dumped" at the second instruction of main.
Reversing policebox gave the following (Hex-Rays style decompilation; `ttyfd`, `orig_termios`, `tty_raw` and `tty_exit` are the binary's own globals and helpers):
```c
int __cdecl main()
{
    signed int v1; // [sp+1Ch] [bp-4h]@5   -- loop counter, at most 64 characters

    if ( !isatty(ttyfd) )
        perror("not on a tty");
    if ( tcgetattr(ttyfd, &orig_termios) < 0 )
        perror("can't get tty settings");
    atexit(tty_exit);           // restore the saved termios on exit
    tty_raw();                  // raw mode: no echo, no line buffering
    v1 = 0;
    printf("The key is: ");
    while ( v1 <= 63 )
    {
        // Each typed character is read and immediately discarded; only a
        // carriage return (13) is checked for. The key is never stored.
        if ( (unsigned __int8)getchar() == 13 )
        {
            puts("\r");
            return 0;
        }
        ++v1;
    }
    return 0;
}
```
This problem probably gave people the most trouble, as what you are looking for is the return value of getchar(), which the program compares and then throws away without ever storing it.
Eventually we realized that the core file also contained a gdb execution log written by the Process Record feature (http://sourceware.org/gdb/onlinedocs/gdb/Process-Record-and-Replay.html). This means that every instruction that was executed, together with its result, is stored in the core file. Simply loading the record log with "record restore core" and then adding a breakpoint right after the getchar() call means we can replay the execution and recover the input that was typed to the program.
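The replay described above, as an added gdb command script (not part of the original writeup). It assumes the challenge files `policebox` and `core` are in the current directory, a 32-bit x86 binary as the decompilation's `[bp-4h]` stack layout suggests (use `$rax` on 64-bit), and that `0xADDR_AFTER_GETCHAR` is a placeholder for the address of the instruction immediately following the `call getchar` in main, which you find with `disassemble main`:

```gdb
# Added example, not the original author's script.
# Load the binary, then restore the Process Record log that was saved into
# the core file; gdb reads the core and enters replay mode from it.
file policebox
record restore core

# Make sure we replay from the first recorded instruction (2nd insn of main),
# regardless of where the restored log leaves the current position.
record goto begin

# Placeholder address: the instruction right after `call getchar` in main.
# At this point eax holds getchar()'s return value, i.e. the typed character.
break *0xADDR_AFTER_GETCHAR
commands
  silent
  printf "%c", $eax
  continue
end

# Replay the log; every hit of the breakpoint prints one recovered character.
# Replay ends with "No more reverse-execution history" once the log is used up.
continue
record stop
```

The key appears on the terminal one character per breakpoint hit; the loop in main gives at most 64 hits, and the recorded session ends when the carriage return (13) is read.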
Key:
`w0rlds.w0rst.k3yl0gger!`