fix: bunch of improvements and typos in the walkthrough

0x35c
2025-05-07 14:04:04 +02:00
parent ca011b34f4
commit fb1ba7aee8
11 changed files with 35 additions and 24 deletions


@ -1,9 +1,10 @@
# Level6
Using ghidra, we can decompile the code and see that it calls `malloc` twice.
The first malloc has a size of 64 bytes and is a buffer where the program will `strcpy(buf, av[1])`. The second one is a function pointer pointing to `m()` function by default (prints "Nope."). We want to change its value to point to the correct function `n()` that will open a shell.
Using ghidra, we can decompile the code and see that it calls `malloc()` twice.
The first malloc has a size of 64 bytes and is a buffer where the program will `strcpy(buf, av[1])`. The second one is a function pointer pointing to `m()` printing `"Nope."`. We want to change its value to point to the correct function `n()` that will open a shell.
To achieve this, we will overflow the first malloc and the second one's header so that we can write the adress through the input in `av[1]`.
To calculate the offset between the 2 allocations, we used gdb's breakpoints and prints, leading us to an offset of 72 bytes (64 + 8).
We just need to print 72 bytes followed by the address of `n()`.
Here is the command:
./level6 $(python -c 'print "A"*72 + "\x54\x84\x04\x08"')
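Review bot: the rewritten line "To achieve this, we will overflow the first malloc and the second one's header so that we can write the adress through the input in `av[1]`." still carries the typo "adress" from the old text; since this commit is titled as a typo fix, change it to "address". Two documentation points in the same hunk: the offset rationale "72 bytes (64 + 8)" would be clearer if it named what the 8 bytes are (the second chunk's header that sits between the buffer and the function pointer, which the preceding sentence already implies), and the final command embeds `\x54\x84\x04\x08` without saying that this is the address of `n()` in little-endian byte order or where it was read from; a clause such as "where `\x54\x84\x04\x08` is the address of `n()` as shown by Ghidra, written little-endian" would make the walkthrough self-explanatory. Minor style: "ghidra" is a proper noun and should be capitalised as "Ghidra" in both places.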