Comments on voidsecurity: Boston Key Party CTF 2013 - Pwnable 200 - fss_gainesville - [Team xbios]

Anonymous, 2013-06-11 19:14 (+05:30):

How do you find the gadget mov edi, dword [rsp+0x30]? Any tools?

Reno Robert, 2013-06-11 19:48 (+05:30):

Yeah, I generally use rp++ to find the gadgets
https://github.com/0vercl0k/rp

You also have the gadget to load esi (i.e. argument 2)

(gdb) x/10i 0x004018ab
 0x4018ab <__libc_csu_init+123>: mov esi,DWORD PTR [rsp+0x28]
 0x4018af <__libc_csu_init+127>: mov r15,QWORD PTR [rsp+0x30]
 0x4018b4 <__libc_csu_init+132>: add rsp,0x38
 0x4018b8 <__libc_csu_init+136>: ret

(gdb) x/10i 0x004018b0
 0x4018b0 <__libc_csu_init+128>: mov edi,DWORD PTR [rsp+0x30]
 0x4018b4 <__libc_csu_init+132>: add rsp,0x38
 0x4018b8 <__libc_csu_init+136>: ret

Both these gadgets are part of __libc_csu_init. So I think it will be found in all executables.