! [] (https://dreamhack-media.s3.amazonaws.com/attachments/1823cb76628ef92235be1ca022b5da8b2906ceb9bedd2124f44afa9cdde3022b.png) No matter how many times I calculated, the difference was 6. name_len is an int type, so the difference should be 4... Maybe I can do the math

Hello, When solving a problem, you can find out the location of each variable by analyzing it. As far as I know, variables are included in the stack in reverse order. If you look at the source code provided unsigned char box [0x40] = {}; char name [0x40] = {}; int name_len = 0; Well, this is the order.. (Other variables are easy

from pwn import* p = remote ('host3.dreamhack.games', 21344) e = ELF ('. /ssp ') pay = b'a'*129 p.sendafter (b'> ', b'f') p.sendafter (b'box input: ', pay) p.sendafter (b'> ', b'p') p.sendlineafter ('Elem

pwndbg> disas main Disassemble command “disas main”: disasm, disassemble. pwndbg> disasm main This is not a hex string This command is deprecated in Pwndbg. Please use the GDB's built-in syntax for runn

After watching the ssp lecture, I tried to solve the ssp_001 problem. I wrote the exploit code with the phone tool, and I saw other people's write-ups because the payload didn't work based on the theory I had, but unlike what I originally knew, there was a 4-byte dummy between Canari and SFP. I wonder why these dummy values exist!

File Name: test.py from pwn import* from struct import pack context.log_level = 'debug' HOST = 'host3.dreamhack.games' PORT = 20661 #p = remote (HOST, PORT) p = process (”. /ssp_001 “) get_

I'm asking a question because I don't know why it doesn't work even if I look at the exploit code... I'm wondering where it went wrong. <Exploit Code> 1 #! /usr/bin/python 3 2 from pwn import* 3 4 p = remote (“host3.dreamhack.games”, 15608) 5

First, I tried to check if the canary value was properly output, but the execution result was as shown below python ssp_001.py [+] Starting local process'. /ssp_001 ': pid 35290 [F] ill the box [P] rint the box [E] xit Name size: name: stac

I'm trying to debug via pwndbg during wargame, but I get the following error: I think this is a problem caused by trying to do a 32-bit binary file on a 64-bit operating system. Does anyone know a solution..?? pwndbg> b *main breakpoint 1 at 0x804872

... payload = b"a"64 + p32 (canary) + b"b"0x8 + shellcode ... The shell attack was blocked in payload and I looked for the cause, but the address of the get_shell function and I thought there was no problem with the packing of canary values. So maybe the sfp value is wrong? So I changed it to b"b"0x4 -> b"0x8. That