From c3ddefd67d685365dd36b67dbe1754b138dc58c6 Mon Sep 17 00:00:00 2001 From: gbrochar Date: Mon, 19 May 2025 18:01:05 +0200 Subject: [PATCH] chore: level3 walkthrough --- level3/Ressources/walkthrough.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 level3/Ressources/walkthrough.md diff --git a/level3/Ressources/walkthrough.md b/level3/Ressources/walkthrough.md new file mode 100644 index 0000000..9af22b0 --- /dev/null +++ b/level3/Ressources/walkthrough.md @@ -0,0 +1,7 @@ +We can use printf format string attack, with %n we can write a value at any position. We see in the code we need have the address 0x804988c to equal 64. So we need to write 64 characters with printf and then have %n point on 0x804988c. + +Printf has a variable number of arguments, the first of them is always supposed to be a string with format indicators. if we have n format indicators we are supposed to have n+1 arguments. If we call with less than that, printf is still gonna search for them on the stack anyway, we can use that to our advantage. + +We need to find the start of our string using %8x until it print 41414141, then we replace it with 0x804988c, and the last %x with a %s (or use %m$s, m replaced by the number of x needed) + +
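Review bot: The last paragraph of the new walkthrough.md ends the procedure with "the last %x with a %s (or use %m$s ...)", which is inconsistent with the first paragraph, where the write to 0x804988c is done with %n. %s only reads the memory its argument points to, so as written the steps never store 64 there. Please reconcile the two paragraphs so the final step uses the same conversion the first paragraph describes. The text also says "We see in the code" without showing any code. Quoting the printf call and the comparison against 64 would let a reader check the claim. A closing sentence naming the root cause (user input passed as the format argument rather than as an argument to a fixed "%s" format) would make the walkthrough useful for the fix as well. Minor: the file ends with an empty added line that can be dropped.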