Don't like this style? Click here to change it! blue.css
OK you should be able to work through the first 6-7 speedruns. Please let me know in the Discord where you are by Monday. Just so I can adjust the pacing to what people need.
The story I want to tell you is why things get weird when pwning an argument into a 32-bit challenge.
payload=b"A"*offset + p32(win_ADDR) + p32(mysteryhere) + p32(argument1) + p32(argument2)
I want to explain the mysteryhere part, which is the address we go to AFTER the win_ADDR but why would it be there?
If we need to jump into multiple functions with multiple arguments we get into a weird sudoko fail state. So I also want to show you how to clean that up.
So we have the zero to hero challenge problem set.
Problem 2 from that set is called 2ret-to-win.
Here is is: bufover-2
Here is its source code:
Here is a burger-based rough representation of what is happening at the moment you will get to control the stack via overflow:
This burger-stack visualizer was made by a former PWN student of ours while she was wrestling with calling conventions: simple-stack-visualizer
Let's talk this out, and I'll push/pop the stack according to the calling conventions.
What exactly should the payload look like to jump to a win function AND pass it arguments? Why do I think this question is important and interesting?
Alright let's start to PWN it together here's a starter script:
So write-ups are the primary way of learning new techniques and tools.
They are community-made micro-tutorials showing your process for a particular problem.
If you are overwhelmed by a particular problem go hunting for write-ups of problems that seem similar. Those write-ups will have keywords, insights, and clever concepts that will grow you.
Solve https://sec.prof.ninja/challenge/pwn_stuff/5leap_frog/zipline by following this student-made write-up: