Reverse engineering PWN tasks or exploiting binary vulnerabilities (Part 2 / Stack1)

Friends, I greet you all! Let's continue “puffing” 🙂 For those who haven't read the first article – it's HERE!

Before we begin, I'll leave you with a couple of useful resources:

Theory: articles on what a Buffer Overflow is and how it is exploited

Practice: PWN-themed tasks from Codeby Games

In this article we will solve the Stack1 task (you can download the EXE file HERE).

Stack1

Let's start with static analysis, open stack1.exe in GHIDRA:

Outputting information about our EXE file

Let's analyze our binary file:

We get the decompiled code:

We immediately notice the unsafe strcpy() function, which copies the argument we pass into a 64-byte array (local_54) without any length check. Last time it was enough to overwrite the neighbouring variable with anything; this time we have to give it a specific value, 0x61626364. Once the variable holds that value, the condition is satisfied and we will see the line “you have correctly…”.

Let's move on to “dynamics”! Open x64dbg, open stack1.exe and click “Change command line arguments”:

But what should we pass as the argument? Remember that the array is 64 bytes, so we fill it with 64 “A” characters. Right after them we need the four bytes of 0x61626364. Open an ASCII table to see which characters these byte values correspond to:

Excellent! Taking byte order into account (x86 is little-endian, so the least significant byte 0x64 = “d” comes first in memory), our argument looks like this:

64 characters “A” and “dcba”

Click “OK”, put a breakpoint on the comparison instruction “cmp EAX,61626364”:

Let's launch! The array is filled with “A” characters, and EAX now holds 61626364 (the bytes of our “dcba”):

The CMP instruction compares the value in EAX with 61626364, the comparison succeeds, and we get the desired message in the terminal (P.S. CMP actually subtracts the second operand from the first and sets the flags from the result, which is how equality or inequality of the operands is determined; the result itself is discarded):

Profit!
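As an added example (not code from the writeup or from the Stack1 binary itself), here is the shape of the check the decompilation shows beside a hardened version, together with the little-endian read that explains why 0x61626364 has to be supplied as “dcba”. The variable name `modified` is an assumption modelled on the decompiler output; `local_54` is the name from the writeup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64
#define TARGET  0x61626364u  /* constant the binary compares EAX against */

/* Read 4 bytes as a little-endian 32-bit value, the way the x86 CPU sees
   the variable once the bytes "dcba" have been written over it. */
uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Shape of the check as the writeup describes it: strcpy() into a 64-byte
   array next to the tested variable. Whether a spill reaches 'modified'
   depends on the compiler's stack layout, so this is illustration only. */
int vulnerable_check(const char *arg) {
    volatile uint32_t modified = 0;
    char local_54[BUF_LEN];
    strcpy(local_54, arg);       /* no length check: bytes past 64 spill */
    return modified == TARGET;
}

/* Hardened form: refuse input that would not fit, then copy with an explicit
   bound. Returns -1 for rejected input, 0 otherwise; with no overflow there
   is no path that can set 'modified' to TARGET. */
int safe_check(const char *arg) {
    uint32_t modified = 0;
    char local_54[BUF_LEN];
    size_t n = strlen(arg);
    if (n >= BUF_LEN) {          /* 63 characters plus NUL is all that fits */
        return -1;
    }
    memcpy(local_54, arg, n + 1);
    return modified == TARGET;
}

/* Constructed sample mirroring the writeup's argument: 64 'A' then "dcba". */
const char *writeup_argument(void) {
    static char arg[BUF_LEN + 5];
    memset(arg, 'A', BUF_LEN);
    memcpy(arg + BUF_LEN, "dcba", 5);
    return arg;
}

int main(void) {
    printf("\"dcba\" as little-endian: 0x%08x\n", le32((const unsigned char *)"dcba"));
    printf("safe_check(writeup argument) = %d\n", safe_check(writeup_argument()));
    return 0;
}
```

The hardened check rejects the 68-byte argument outright, so the comparison can never be reached through the copy; the only way the original binary prints the success message is the overflow itself.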

Thank you all for your attention! P.S. If you liked the writeup, please like it! This way I will know that the topic is useful to many people so I can continue the series of articles on this topic! 🙂
