Categories: Security, tech

pretty good level I learned a few new stuff

so lets hit the game

fighting with the app till it crashes and hell yeah we start from fault 😀

so we need to see what’s going on

much assembly to read but there is some stuff interesting

strlen memcpy memset

but the natural feeling memcpy is our way 😛

lets see what inside esp

you will notice that our A’z life  in the memory  this is a good point that we are on the track

also, I found the source code is available  it will save us sometimes to understand what the app do

2 functions good,bad

good drop the shell

bad function says some stuff

the main function lets see the logic of the app


one line function functionpinter == bad function

setting limit t to char buffer to 50 😀 this is how u do it !!!.

if statement to check if the argument less  than 4 char to return 0

send argv1 data to the buffer


override the memory of the buffer

then call the function functionpointer(); == bad 😀

u call the bad function and i will call ur …..

okay  now we know what’s going on

lets do the hard work

so lets do a break point after the memcpy love


run the gdb again with 60 char data

(gdb) r $(python -c “print ‘A’ * 60”)

and take a look of the ESP


here is our data

now we want to jump to function good 😀  so lets print function address’s

0x08048474 good this our target lets reverse it


lets send the payload

the app say sorry 🙂 and exit on address 0x80484a4

after re-looking what happen in ESP


we will notice that space  between 0x41414141 and 0x080484a4 16 bit

so lets add more 16bit to the payload

new process <3


    Leave a Reply

    Your email address will not be published. Required fields are marked *


    This site uses Akismet to reduce spam. Learn how your comment data is processed.