gdb -c core.dump (gdb) dump memory recovered.bin 0x400000 0x401000 # typical .text section But better: use volatility (if full memory dump) or memdump from /proc/pid/maps style.
(gdb) info files Shows the executable was bad_memories_v0.9 . We can try to recover the binary from memory: Bad Memories -v0.9- -recreation-
(gdb) x/10gx 0x6020a0 Shows 0x401456 in the vtable slot – that’s the secret function address! gdb -c core
Using gdb with the core file:
Check with radare2 :
[0x00401234]> afl | grep secret 0x00401456 sym.secret_function Disassemble secret_function : Bad Memories -v0.9- -recreation-