Also found references to malloc , free , heap , and flag.txt . Since only the core dump was given (no original binary), we need to recreate the binary or at least its memory layout.
CTFBad_Memories_Unleash_Secret_Recreation To recreate the vulnerability locally:
Flag: CTFBad_Memories_Unleash_Secret_Recreation Alternatively, the flag might already be in memory. Dump all strings from core: Bad Memories -v0.9- -recreation-
So a note was freed, then its print_func pointer was overwritten via another allocation (use-after-free write), pointing to the secret function. The core dump captured the program after the exploit but before the flag was printed. We can manually trigger the print:
core.dump: ELF 64-bit LSB core file, x86-64, version 1 (SYSV) Check what program generated it: Also found references to malloc , free , heap , and flag
Category: Reverse Engineering / Forensics (Memory Analysis) Difficulty: Medium Author: CTF Player Tooling: strings , gdb / radare2 , Volatility 3 (or 2 ), hexdump , python 1. Challenge Description "We recovered a core dump from a suspicious process. The developer said it's 'just a game', but we saw unusual memory access patterns. Find the flag hidden in the bad memories." Provided file: core.dump (or bad_memories.v0.9.core ) 2. Initial Analysis First, identify the file type:
(gdb) set void *(char *)0x6020a0 = 0x401456 (gdb) call (*(void(*)(char*))0x6020a0)(0x6020a0+8) Output: Dump all strings from core: So a note
file core.dump Output:
gdb -c core.dump (gdb) dump memory recovered.bin 0x400000 0x401000 # typical .text section But better: use volatility (if full memory dump) or memdump from /proc/pid/maps style.