OK, you should be able to work through the first 6-7 speedruns. Please let me know in the Discord where you are by Monday, just so I can adjust the pacing to what people need.
The story I want to tell you is why things get weird when passing arguments to a function while pwning a 32-bit challenge.
TLDR: payload=b"A"*offset + p32(win_ADDR) + p32(mysteryhere) + p32(argument1) + p32(argument2)
I want to explain the mysteryhere part: it is the address execution goes to AFTER win_ADDR finishes. But why does it have to be there?
If we need to jump into multiple functions with multiple arguments, we get into a weird sudoku-like fail state. So I also want to show you how to clean that up.
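To make the mysteryhere slot and the multi-function fail state concrete, here is a small added model of 32-bit cdecl control flow driven purely by ret (my example, not code from the challenge or the course repo). All addresses are constructed placeholders, not values from bufover-2; p32 is re-implemented so it runs without pwntools.

```python
import struct

# Constructed, hypothetical addresses for the demonstration (not from bufover-2).
WIN      = 0x08049200   # win(a, b)
LOSE     = 0x08049300   # a second two-argument function we want to call after win
POP2_RET = 0x08049abc   # a `pop ebx; pop ebp; ret` gadget: discards 2 stack words
EXIT     = 0xdeadbeef   # where control should end up when the chain is done
FUNCTIONS = {WIN: 2, LOSE: 2}   # address -> number of arguments it reads
GADGETS   = {POP2_RET: 2}       # address -> number of words its pops remove

def p32(v):
    """Little-endian 32-bit word, like pwntools' p32 (re-implemented so this runs without it)."""
    return struct.pack("<I", v)

def words_to_payload(offset, words):
    """Padding up to the saved EIP, then the stack words in order (the TLDR layout)."""
    return b"A" * offset + b"".join(p32(w) for w in words)

def simulate(stack, max_steps=20):
    """Model 32-bit cdecl control flow driven only by `ret`.
    `stack` holds the words at ESP when the overflowed function executes `ret`;
    stack[0] is the first EIP. A cdecl function reads its args at [esp+4], [esp+8]
    and its own `ret` pops only [esp], so the args stay on the stack. A `pop xN; ret`
    gadget removes N words and then pops EIP. Returns (calls, final EIP)."""
    esp = 0
    def pop():
        nonlocal esp
        word = stack[esp] if esp < len(stack) else 0   # 0 models running off the payload
        esp += 1
        return word
    eip = pop()
    calls = []
    for _ in range(max_steps):
        if eip in FUNCTIONS:
            calls.append((eip, tuple(stack[esp + 1: esp + 1 + FUNCTIONS[eip]])))
            eip = pop()                 # the function's own ret: EIP = the "mysteryhere" slot
        elif eip in GADGETS:
            esp += GADGETS[eip]         # the pops eat the previous call's arguments
            eip = pop()
        else:
            break                       # not a known function or gadget: chain ends (or crashes) here
    return calls, eip

# One call: the word after win_ADDR is where win() returns to, then its two args.
single = [WIN, EXIT, 1, 2]
# Naive chain: LOSE lands in win's return slot, so it reads the wrong args and then crashes.
naive  = [WIN, LOSE, 1, 2, EXIT, 3, 4]
# Cleaned-up chain: pop2;ret discards win's args, then LOSE gets a fresh return slot and args.
chain  = [WIN, POP2_RET, 1, 2, LOSE, EXIT, 3, 4]
```

Running simulate on naive shows LOSE receiving (2, EXIT) and control ending at address 1, which is the sudoku fail state; chain gives both functions their intended arguments.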
So we have the zero to hero challenge problem set.
Problem 2 from that set is called 2ret-to-win.
Here it is: bufover-2
Here is its source code:
Here is a rough, burger-based representation of what is happening at the moment you get control of the stack via the overflow:
This burger-stack visualizer was made by a former PWN student of ours while she was wrestling with calling conventions: simple-stack-visualizer
Let's talk this out, and I'll push/pop the stack according to the calling conventions.
What exactly should the payload look like to jump to a win function AND pass it arguments? Why do I think this question is important and interesting?
Alright, let's start to PWN it together. Here's a starter script:
So write-ups are the primary way of learning new techniques and tools.
They are community-made micro-tutorials showing your process for a particular problem.
If you are overwhelmed by a particular problem, go hunting for write-ups of problems that seem similar. Those write-ups will have keywords, insights, and clever concepts that will help you grow.
Solve https://sec.prof.ninja/challenge/pwn_stuff/5leap_frog/zipline by following this student-made write-up: