🚩babymem
Notes
Binary Ninja
Binja High Level IL has its own syntax. It is a C-like language, but you can't assume it is just C. I recommend reading the documentation to avoid confusion.
Binary Ninja vs. IDA
The course itself recommends binja, but I recommend IDA, period. You will know why after you work through all the challenges.
Renaming
A huge part of this chapter is finding offsets of different variables. If you would like to do it the static analysis way, renaming these variables would help a lot.
Remote vs. Local
If you download the binary to your local machine, the relative offsets inside the binary stay the same. That is, you can use whatever tools you want on your local machine to find those offsets. You don't have to do everything on the remote machine.
Level 1
Teaching Level
Solution 1: Binja
To overwrite the win variable, first we need to figure out where the input buffer and the win variable are located in memory. In binja, I recommend the following workflow:
Step 1: Read the linear high level IL, find the key variables and rename them. In this case, we look for buffer and win.
Step 2: Switch to disassembly and look for the renamed variables. Jot down their offsets.
Read the linear high level IL of the vuln() function and rename variables:
Switch to disassembly and look for buffer and win:
Solution 2: IDA
In IDA, things are even easier. First we name the win variable:
The offset relative to rbp can be found in the variable declarations:
The downside is that IDA does not recognize all the function names, so I still recommend binja for this chapter.
Exploit
Level 2
Teaching Level
Solution
The offsets are not easy to find for this level. Instead, we just spam enough A's so that the win variable on the stack is overwritten.
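The two levels share one mechanism: an input buffer and the win variable sit in the same stack frame, and a read that is not bounded by the buffer's size runs upward into win. The example below is added here and is not the writeup's or the challenge's code; it models that frame with constructed rbp-relative offsets (buffer at rbp-0x40, win at rbp-0x10, both assumed, since the page gives no numbers) and shows the unbounded copy next to a bounded one, so the effect of "spam enough A's" can be checked against the offsets jotted down from binja or IDA.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Model of the vuln() stack frame, read the way the writeup reads it from
 * binja/IDA: variables are negative displacements from rbp. Both offsets
 * are constructed for this example; the real level's values are not given. */
#define BUF_OFF   0x40                  /* input buffer at rbp-0x40 (assumed) */
#define WIN_OFF   0x10                  /* win variable at rbp-0x10 (assumed) */
#define BUF_SIZE  (BUF_OFF - WIN_OFF)   /* bytes the buffer holds before win  */

#define FRAME_LEN 0x80                  /* bytes of simulated stack           */
#define RBP_INDEX 0x50                  /* where rbp points inside frame[]    */

/* Translate an rbp-relative offset into an index into the simulated frame. */
static size_t at(size_t rbp_off) { return RBP_INDEX - rbp_off; }

/* Padding needed before the first input byte lands on win. */
size_t bytes_to_reach_win(size_t buf_off, size_t win_off) {
    return buf_off - win_off;
}

/* Shared body: copy n input bytes at the buffer's address, then read win. */
static uint32_t run(const unsigned char *in, size_t n, size_t limit) {
    unsigned char frame[FRAME_LEN] = {0};
    if (n > limit) n = limit;
    memcpy(&frame[at(BUF_OFF)], in, n);
    uint32_t win;
    memcpy(&win, &frame[at(WIN_OFF)], sizeof win);   /* little-endian read */
    return win;
}

/* Vulnerable pattern: the copy length is whatever the caller supplies, so
 * bytes past BUF_SIZE overwrite win. Only the simulated frame's own edge is
 * enforced, which keeps this demo itself memory-safe. */
uint32_t vuln_read_into_buffer(const unsigned char *in, size_t n) {
    return run(in, n, FRAME_LEN - at(BUF_OFF));
}

/* Hardened: the copy is bounded by the buffer's real size, so win is never
 * reachable from the input, however long it is. */
uint32_t safe_read_into_buffer(const unsigned char *in, size_t n) {
    return run(in, n, BUF_SIZE);
}

/* Feed n bytes of 'A' (the writeup's "spam enough A's") to one variant. */
uint32_t win_after_spray(size_t n, int hardened) {
    unsigned char in[FRAME_LEN];
    memset(in, 'A', sizeof in);
    if (n > sizeof in) n = sizeof in;
    return hardened ? safe_read_into_buffer(in, n) : vuln_read_into_buffer(in, n);
}
```

With the assumed offsets, 0x30 bytes stop just short of win and 0x34 bytes leave it holding 0x41414141 in the unbounded variant, while the bounded variant reports 0 for any length.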
Exploit