Tags: pwn gdbscript 

Rating: 4.5

My messy gdb-peda script :(, but hey it works!
idk why it doesn't work with plain gdb, please comment if anyone has an idea!

PS, This script is not the correct way to solve the challenge as it takes approx half an hour or more to process all the binaries, I just wanted to share it :P

flag = ""
for x in range(1,1000):
gdb.execute('set python print-stack full')
gdb.execute('set confirm off')
gdb.execute('file {:03}.c.out'.format(x))
gdb.execute('b *main')
gdb.execute('run < test')
ret_addr = str(gdb.parse_and_eval('$eip')).split()[0]
cmp_addr = str(hex(int(ret_addr,16)-67))
print("CMP : "+ cmp_addr)
gdb.execute('b *'+ cmp_addr)
gdb.execute('run < test')
flag += chr(int(str(gdb.parse_and_eval('$eax')),16))
print("FLAG : "+flag)
gdb.execute('del {}-{}'.format(i,i+1))

Run it with gdb as :
`gdb -x pedascript.py`

Please note that I used **record** instruction to get the address of `ret` in main and then calculated the offset of `cmp al,dl` from the bottom as there are unnecessary chars declared in some binaries which makes the task difficult as offset changes and we cant simply use the same **break \*main+x** (where x is a constant for all) for others too. And I subtracted the difference between the position of `cmp` and `ret` which remains constant ie. 67. And we keep on concatenating our flag and display it at the same time, perfect!

GDB is a tool with hidden capabilities.
To me the concept of Process Records was completely new and I'll spend more time to master it.

Refer to its wiki for more juicy stuff [here](https://sourceware.org/gdb/wiki/ProcessRecord/Tutorial)
Also I know It can be done without using process records but whats the fun in that XD

By [@MrT4ntr4](http://twitter.com/MrT4ntr4)