I have a small doubt. I'm doing a CTF that provides me only the ELF file. I have been able to decompile it using Ghidra, but here is the problem: at a certain point I read: `fread(flag,0x400,1,__stream);` (before that there was: `__stream = fopen("./flag","rb");`).

1) I suppose that the "flag" in the fread is where fread stores what "__stream" reads from the flag.txt, but it had never been declared before (I'm referring to "flag" in the fread). Is it actually a buffer as I'm expecting? If yes, where are the values that were read stored in memory (so where is this buffer stored? In the stack?)

2) Is it normal that fread has a 0x400 dimension value and a 1 as the number of elements to read?

Thanks to everyone in advance!

Jrghen
  • "but it had never been declared before". That can't be right. `flag` must be defined somewhere. But we don't know what code you are referring to so can't say anything more specific than that. – kaylum May 09 '20 at 11:23
  • If I look at the assembly code, right before calling fread, it just says: `PUSH flag`, not an address in memory. Also, looking at the main, all variables used are locally declared, but there is no sign of a variable called "flag" – Jrghen May 09 '20 at 11:30
  • `PUSH flag` pushes the value of the symbol `flag` onto the stack. In assembly, the value of such a symbol is the address of memory where space for an object named `flag` has been provided. This symbol must be defined in some way. – Eric Postpischil May 09 '20 at 13:11

0 Answers
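An added example, not part of the original thread and not the CTF binary's code: a file-scope `flag` buffer (static storage, so it is absent from `main`'s locals and is referenced by symbol address, as in `PUSH flag`) read with both `fread` argument orders. `SAMPLE`, `open_sample` and `read_flag` are hypothetical names, and the file content is constructed.

```c
#include <stdio.h>
#include <string.h>

/* File-scope object: static storage (.bss), not main's stack frame.
   A decompiler therefore shows no local declaration for it. */
char flag[0x400];

/* Constructed sample content standing in for the CTF's ./flag file. */
static const char SAMPLE[] = "FLAG{constructed_sample}\n";

/* Write the sample to a scratch file and return it rewound, or NULL. */
static FILE *open_sample(void)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    if (fwrite(SAMPLE, 1, sizeof SAMPLE - 1, f) != sizeof SAMPLE - 1) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    return f;
}

/* Read the sample into the global buffer with the given size/nmemb
   split. Returns fread's result, which counts COMPLETE items only,
   or (size_t)-1 if the scratch file could not be prepared. */
size_t read_flag(size_t size, size_t nmemb)
{
    FILE *f = open_sample();
    if (f == NULL)
        return (size_t)-1;
    memset(flag, 0, sizeof flag);
    size_t items = fread(flag, size, nmemb, f);
    fclose(f);
    return items;
}

int main(void)
{
    /* One 0x400-byte item: the file is shorter, so zero complete items,
       yet common libcs (glibc, musl) still copy the partial bytes. */
    printf("fread(flag, 0x400, 1, f) -> %zu\n", read_flag(0x400, 1));
    printf("buffer now holds: %s", flag);
    /* 0x400 one-byte items: the return value is the byte count. */
    printf("fread(flag, 1, 0x400, f) -> %zu\n", read_flag(1, 0x400));
    return 0;
}
```

With size `0x400` and count `1`, the return value only tells the caller whether a full 0x400-byte item arrived, so a short flag file yields 0 even though the bytes are in the buffer.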