Bad Memories -v0.9- -recreation- | Works 100% |

CTFBad_Memories_Unleash_Secret_Recreation To recreate the vulnerability locally:

(gdb) set void *(char *)0x6020a0 = 0x401456 (gdb) call (*(void(*)(char*))0x6020a0)(0x6020a0+8) Output: Bad Memories -v0.9- -recreation-

(gdb) call ((void(*)(char*))0x401456)(0x6020a0+8) Or simply: Bad Memories -v0.9- -recreation-

(gdb) info files Shows the executable was bad_memories_v0.9 . We can try to recover the binary from memory: Bad Memories -v0.9- -recreation-

strings core.dump | head -20 Noticed a binary name: ./bad_memories_v0.9 and a suspicious string: [!] You found a secret? Try -recreation- .

Check with radare2 :

(gdb) x/10gx 0x6020a0 Shows 0x401456 in the vtable slot – that’s the secret function address!