# find the layout of `main` with `objdump -d --disassemble=main vuln`
```assembly
# int main(void) as recovered from the objdump listing (AT&T syntax, System V AMD64 ABI).
# Addresses are link-time offsets; the low values suggest a PIE binary, so the
# runtime address is load_base + offset (presumably — confirm in the debugger).
# Pseudo-C of the body:
#   signal(0xb /* SIGSEGV on Linux x86-64 */, segfault_handler);
#   setvbuf(stdout, NULL, 2 /* _IONBF: unbuffered */, 0);
#   call_functions();
#   return 0;
0000000000001400 <main>:
|
|
1400: f3 0f 1e fa endbr64    # CET/IBT end-branch marker: valid indirect-branch landing pad
|
|
1404: 55 push %rbp    # standard frame: save caller's rbp ...
|
|
1405: 48 89 e5 mov %rsp,%rbp    # ... and set up the frame pointer
|
|
1408: 48 8d 35 9a fe ff ff lea -0x166(%rip),%rsi # 12a9 <segfault_handler>    # arg2 (rsi) = &segfault_handler (RIP-relative)
|
|
140f: bf 0b 00 00 00 mov $0xb,%edi    # arg1 (rdi) = 11 = SIGSEGV
|
|
1414: e8 57 fd ff ff call 1170 <signal@plt>    # signal(SIGSEGV, segfault_handler): faults are caught, not fatal
|
|
1419: 48 8b 05 f0 2b 00 00 mov 0x2bf0(%rip),%rax # 4010 <stdout@GLIBC_2.2.5>    # rax = stdout (FILE *)
|
|
1420: b9 00 00 00 00 mov $0x0,%ecx    # arg4 (rcx) = size = 0
|
|
1425: ba 02 00 00 00 mov $0x2,%edx    # arg3 (rdx) = mode = 2 = _IONBF (unbuffered)
|
|
142a: be 00 00 00 00 mov $0x0,%esi    # arg2 (rsi) = buf = NULL
|
|
142f: 48 89 c7 mov %rax,%rdi    # arg1 (rdi) = stdout
|
|
1432: e8 49 fd ff ff call 1180 <setvbuf@plt>    # setvbuf(stdout, NULL, _IONBF, 0): output is flushed immediately
|
|
1437: b8 00 00 00 00 mov $0x0,%eax    # al = 0 vector args; gcc emits this before unprototyped/variadic calls (unconfirmed for call_functions)
|
|
143c: e8 86 fe ff ff call 12c7 <call_functions>    # pushes return address 0x1441 = main+0x41 (main+65)
|
|
1441: b8 00 00 00 00 mov $0x0,%eax    # return 0
|
|
1446: 5d pop %rbp    # tear down frame
|
|
1447: c3 ret
```
# find `main` and `win` locations
```
000000000000136a g F .text 0000000000000096 win
0000000000001400 g F .text 0000000000000048 main
```
# find the buffer offset at which the saved return address into `main` is read, using gdb
- %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx
- the value printed after the dot $\leftrightarrow$ the return address `*main+65` (0x1441, the instruction following `call call_functions`)