HackTheBox x Synack CTF 2021: Split

TL;DR

  • The binary uses ptrace as an anti-debugging mechanism.
  • The program terminates when its ptrace check detects a debugger, which blocks debugging.
  • The ptrace call can be patched to immediately return.
  • Removing the anti-debug allows normal analysis and execution.

Video Walkthrough

HackTheBox x Synack RedTeamFive CTF 2021 Split reverse engineering video walkthrough showing ptrace anti-debug patching

Solution

backdoor.py

from pwn import *

# Load our binary
exe = 'split'
elf = context.binary = ELF(exe, checksec=False)

# Patch out ptrace: overwrite the code at the ptrace symbol with `ret` so the call returns immediately ;)
elf.asm(elf.symbols.ptrace, 'ret')

# Save the patched binary
elf.save('patched')
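
What that patch amounts to at the byte level, as an added example (not part of the original writeup, and not pwntools' own code): map a virtual address to a file offset through the ELF program headers and overwrite one byte with `ret`. It assumes a little-endian x86-64 ELF64; the helper names, the sample image and the address 0x400078 are constructed for illustration.

```python
import struct

RET = b"\xc3"  # x86-64 near return; the target architecture is an assumption
PT_LOAD = 1

def vaddr_to_offset(image: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset via the ELF64 PT_LOAD segments."""
    if image[:4] != b"\x7fELF" or image[4] != 2 or image[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by file data")

def patch_ret(image: bytes, vaddr: int) -> bytes:
    """Return a copy of the image with the first byte at vaddr replaced by ret."""
    off = vaddr_to_offset(image, vaddr)
    return image[:off] + RET + image[off + 1:]

def build_sample() -> bytes:
    """Constructed 136-byte ELF64 image: one PT_LOAD, fake stub at 0x400078."""
    stub = b"\xff\x25\x00\x00\x00\x00" + b"\x90" * 10  # jmp [rip+0]; nops
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       2, 0x3E, 1, 0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000,
                       136, 136, 0x1000)
    return ehdr + phdr + stub

def changed_offsets(a: bytes, b: bytes) -> list:
    """File offsets where two equal-length images differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    original = build_sample()
    patched = patch_ret(original, 0x400078)  # stand-in for elf.symbols.ptrace
    print("changed offsets:", [hex(o) for o in changed_offsets(original, patched)])
```

A bare `ret` does not set a return value, so the caller sees whatever was already in the return register; confirm that the patched check actually passes. Because the edit is a single byte, a hash or byte-level diff against the original file exposes it.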