GitS 2012 Finals – Khazad (Pwn600)

(Note: we did not solve this challenge in time, but I still decided to do a writeup because it’s such a cool challenge!)

This challenge consisted of a server binary which was written in C++. The use of C++ was pretty limited though; in fact, after reversing it seemed that only the C++ exception mechanism was used. Of course this made us pretty suspicious, and we looked into the interaction of C++ exceptions with the C setjmp/longjmp functions early on. The true ‘bug’ turned out to be much stranger, however…
