Bad Memories -v0.9- -recreation- -

void secret_function() char flag[64]; FILE *f = fopen("flag.txt", "r"); fread(flag, 1, 64, f); flag[strcspn(flag, "\n")] = 0; printf("Flag: %s\n", flag);

strings core.dump | head -20 Noticed a binary name: ./bad_memories_v0.9 and a suspicious string: [!] You found a secret? Try -recreation- . Bad Memories -v0.9- -recreation-

gdb -c core.dump Inside GDB:

gdb -c core.dump ./bad_memories_v0.9 (gdb) info registers (gdb) x/20gx $rsp Look for a struct: void secret_function() char flag[64]; FILE *f = fopen("flag

But it’s never called normally. The challenge name "Bad Memories" + -recreation- hints we need to force a UAF to redirect execution to this function. Examine heap chunks in the core dump. The challenge name "Bad Memories" + -recreation- hints

Category: Reverse Engineering / Forensics (Memory Analysis) Difficulty: Medium Author: CTF Player Tooling: strings , gdb / radare2 , Volatility 3 (or 2 ), hexdump , python 1. Challenge Description "We recovered a core dump from a suspicious process. The developer said it's 'just a game', but we saw unusual memory access patterns. Find the flag hidden in the bad memories." Provided file: core.dump (or bad_memories.v0.9.core ) 2. Initial Analysis First, identify the file type:

(gdb) x/10gx 0x6020a0 Shows 0x401456 in the vtable slot – that’s the secret function address!