🚩babymem
Last updated
Binja High Level IL has its own syntax. It is a C-like language, but you can't assume it is just C. I recommend reading the documentation to avoid confusion.
The course itself recommends binja, but I recommend IDA, period. You will know why after you work through all the challenges.
A huge part of this chapter is finding offsets of different variables. If you would like to do it the static analysis way, renaming these variables would help a lot.
If you download the binary to your local machine, the relative offsets inside the binary stay the same. That is, you can use whatever tools you want on your local machine to find those offsets. You don't have to do everything on the remote machine.
To overwrite the `win` variable, we first need to figure out where the input buffer and the `win` variable are located in memory. In binja, I recommend the following workflow:
Step 1: Read the linear High Level IL, find the key variables and rename them. In this case, we look for `buffer` and `win`.
Step 2: Switch to disassembly and look for renamed variables. Jot down their offsets.
Read the linear High Level IL of the `vuln()` function and rename the variables:
Switch to disassembly and look for `buffer` and `win`:
In IDA, things are even easier. First we name the `win` variable:
The offset relative to `rbp` can be found in the variable declarations:
The downside is that IDA does not recognize all the function names, so I still recommend binja for this chapter.
The offsets are not easy to find for this level. Instead, we just spam enough `A`'s so that the `win` variable on the stack is overwritten.