Tags: gdbscript reverse 

Rating: 4.7

Requirement: gdb with the PEDA extension.

```python
# Run inside gdb with PEDA loaded (e.g. `source` this file); `peda` is the global
# PEDA instance. The base 0x555555554000 assumes the PIE binary with ASLR disabled.
def b2s(b=None):
    # Convert a list of 8-character bit strings into the corresponding characters.
    return ''.join([chr(int(x, 2)) for x in b])

def s8(s):
    # Group the bit list into bytes; bits were recorded LSB-first, so reverse each group.
    s = ''.join(s)
    return [s[i:i+8][::-1] for i in range(0, len(s), 8)]

flag = ['0'] * 832  # 832 bits = 104 bytes

with open('_input', 'w') as f:
    f.write('A' * 103)

peda.execute('file ./elementary')
peda.set_breakpoint(0x555555554000 + 0xCEB88)

peda.execute("run < _input")

def get_current_inst():
    # Disassembly text of the instruction at rip, e.g. 'sar rax,0x3'.
    return peda.current_inst(peda.getreg("rip"))[1]

while peda.getreg("rip") < 0x555555554000 + 0xD827F:
    # Walk the bit-selection sequence (mov / add / sar ... and) and record
    # which byte offset and bit of the flag is about to be tested.
    while 'and' != get_current_inst()[:3]:
        cur = get_current_inst()
        if cur == 'mov rax,QWORD PTR [rbp-0x18]':
            offset = 0
            bit = 0
        elif 'sar' == cur[:3]:
            bit = int(cur.split(',')[1], 16)
        elif 'add' == cur[:3]:
            offset = int(cur.split(',')[1], 16)
        peda.execute('si')

    # Step until the call to funtion[0-9]+.
    while 'call' not in get_current_inst():
        peda.execute('si')

    tmp = peda.getreg('edi')   # argument passed to the function
    peda.execute('ni')         # step over the call
    ret = peda.getreg('eax')   # return value

    # Non-zero return equal to the argument -> bit 0; different -> bit 1.
    if ret != 0 and tmp == ret:
        tmp = 0
    elif ret != 0 and tmp != ret:
        tmp = 1

    flag[offset * 8 + bit] = chr(0x30 + tmp)

    # Overwrite the return value before the caller inspects it.
    peda.execute('set $eax=0')

    # Advance to the next bit-selection sequence (or the end of the checks).
    while get_current_inst() != 'mov rax,QWORD PTR [rbp-0x18]' and peda.getreg("rip") < 0x555555554000 + 0xD827F:
        peda.execute('si')

flag = s8(flag)
print(b2s(flag))
```

A bit of explanation. This loop parses which flag byte offset and bit are being passed as the argument to `funtion[0-9]+`:
```python
while 'and' != get_current_inst()[:3]:
    cur = get_current_inst()
    if cur == 'mov rax,QWORD PTR [rbp-0x18]':
        offset = 0
        bit = 0
    elif 'sar' == cur[:3]:
        bit = int(cur.split(',')[1], 16)
    elif 'add' == cur[:3]:
        offset = int(cur.split(',')[1], 16)
    peda.execute('si')
```

The snippet below single-steps until the `call` instruction is reached:
```python
while 'call' not in get_current_inst():
    peda.execute('si')
```

Once `call funtion([0-9]+)` is reached, this compares the argument that was passed with the return value after stepping over the call, then sets the corresponding flag bit accordingly:
```python
tmp = peda.getreg('edi')
peda.execute('ni')
ret = peda.getreg('eax')

if ret != 0 and tmp == ret:
    tmp = 0
elif ret != 0 and tmp != ret:
    tmp = 1
flag[offset * 8 + bit] = chr(0x30 + tmp)
```
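The instruction parsing and the LSB-first bit packing above can be checked offline without gdb. The following is an added example, not part of the writeup: it replays the same matching rules over constructed disassembly strings (in the form PEDA's `current_inst()` returns them) and constructed argument/return pairs, and reconstructs a sample flag from them.

```python
def selector_trace(offset, bit):
    # Constructed disassembly for "load flag byte `offset`, shift to bit `bit`".
    insts = ['mov rax,QWORD PTR [rbp-0x18]']
    if offset:
        insts.append('add rax,%#x' % offset)
    insts.append('mov rax,QWORD PTR [rax]')
    if bit:
        insts.append('sar rax,%#x' % bit)
    insts.append('and eax,0x1')
    return insts

def parse_bit_selector(insts):
    # Same rule as the writeup's loop: the mov resets both values, so a byte 0 /
    # bit 0 access that has no add/sar is still decoded correctly.
    offset = bit = 0
    for cur in insts:
        if cur[:3] == 'and':
            break
        if cur == 'mov rax,QWORD PTR [rbp-0x18]':
            offset = bit = 0
        elif cur[:3] == 'sar':
            bit = int(cur.split(',')[1], 16)
        elif cur[:3] == 'add':
            offset = int(cur.split(',')[1], 16)
    return offset, bit

def bit_from_check(arg, ret):
    # Writeup rule: non-zero return equal to the argument -> 0, different -> 1.
    # A zero return is left undecided (None) rather than leaking edi into the flag.
    if ret == 0:
        return None
    return 0 if arg == ret else 1

def pack_bits(flag_bits):
    # s8 + b2s from the writeup: bits were stored LSB-first inside each byte.
    s = ''.join(flag_bits)
    return ''.join(chr(int(s[i:i+8][::-1], 2)) for i in range(0, len(s), 8))

def recover_flag(observations, nbytes):
    flag = ['0'] * (nbytes * 8)
    for insts, arg, ret in observations:
        offset, bit = parse_bit_selector(insts)
        b = bit_from_check(arg, ret)
        if b is not None:
            flag[offset * 8 + bit] = chr(0x30 + b)
    return pack_bits(flag)

# Constructed sample: 'CTF' (0x43, 0x54, 0x46) as byte offset -> set bit indices.
SAMPLE_BITS = {0: {0, 1, 6}, 1: {2, 4, 6}, 2: {1, 2, 6}}

def sample_observations():
    obs = []
    for offset in range(3):
        for bit in range(8):
            one = bit in SAMPLE_BITS[offset]
            # edi = 0x41; a changed return marks a 1 bit, an unchanged one a 0 bit.
            obs.append((selector_trace(offset, bit), 0x41, 0x40 if one else 0x41))
    return obs
```

`recover_flag(sample_observations(), 3)` returns `'CTF'`; feeding it a trace with a bit-0 access (no `sar`) shows why the `mov` reset in the original loop matters.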

arty-hlr, March 21, 2019, 11:10 a.m.

Hi! Great writeup :) Just a question, what did you import to use peda in Python? Doing `import peda` doesn't work for me even though I have peda installed.