ELF x86 ptrace¶

Root-me challenge: Compiled with GCC32 4.3.4 on linux gentoo.

1. Use, for example, Ghidra.

2. Search for main() in Functions.

3. Analysis (in Decompiler):

(local_1e == local_14[4]) &&
(local_1d == local_14[5])) &&
(local_1c == local_14[1])) &&
(local_1b == local_14[10]))
puts("\nGood password !!!\n");

Resources¶

• The GNU binary utils

• Ptrace - process trace

• SSTIC 06 - Playing with ptrace

Counter moves¶

A ptrace self-check detects a debugger. It is bypassable, and serves as one layer among several at best. Defenders’ notes on this are under the application layer as a target.