gbrochar
/
RainFall
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore: level3 walkthrough

This commit is contained in:
gbrochar 2025-05-19 18:01:05 +02:00
parent 406c44ee86
commit c3ddefd67d
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
level3/Ressources/walkthrough.md Normal file
View File

@ -0,0 +1,7 @@
We can use printf format string attack, with %n we can write a value at any position. We see in the code we need have the address 0x804988c to equal 64. So we need to write 64 characters with printf and then have %n point on 0x804988c.
Printf has a variable number of arguments, the first of them is always supposed to be a string with format indicators. if we have n format indicators we are supposed to have n+1 arguments. If we call with less than that, printf is still gonna search for them on the stack anyway, we can use that to our advantage.
We need to find the start of our string using %8x until it print 41414141, then we replace it with 0x804988c, and the last %x with a %s (or use %m$s, m replaced by the number of x needed)