all writeup authors should aspire to reach this level of quality.
@benoitsevens359 5 months ago
Thanks for the great explanation. You actually don't need that libc leak (only the heap leak), since system is in the plt of the (non-PIE) binary, so you can call system via the binary, instead of directly via libc.
@SloppyJoePirates 4 months ago
D'oh, thanks! Would have made the chal a bit simpler =P Rewatching the video, you can see my cursor pass over the system got/plt entry multiple times... sigh
@局外祥神浪跡天涯 1 year ago
Nice video writeup, thx
@SloppyJoePirates 1 year ago
Someone (Voltara) reached out, and they think the issue with remote was because the remote server was using socat, and it's treating 0x7f as backspace characters. So because I was using the libc.system (0x7f....) to overwrite the G.O.T. instead of the plt.system (0x40....), the overwrite of the G.O.T. was messed up. More info: ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/socat It looks like you could run the exploit multiple times until you got a 0x7e... so, maybe this would have worked!
@reginiumepicmusic 7 months ago
Great content. It's very useful. The solution I've found to the problem with the byte 0x7f with socat is to prefix the byte 0x16 to all conflicting bytes like 0x7f. I wanted to ask you if you know why when I decompile the program with Ghidra, it's unable to decompile the part of the switch-case and leaves a large portion of the program undecompiled. Nothing similar to the decompilation you show. This has happened to me several times. Best regards. Thank you for this high-quality content.
@SloppyJoePirates 7 months ago
Hey @reginiumepicmusic! Hmm, sorry, not too sure, haven't seen that before. I'm guessing you already tried updating to the latest version to see if that fixes it?
@reginiumepicmusic 7 months ago
@SloppyJoePirates Thanks for your reply. Yes, I did it. I updated and reinstalled it, but still the same. I can't understand it. Luckily, one day I will find the answer.
@redfire5887 6 months ago
I have been struggling with the same problem! If you happen to find a solution I would greatly appreciate your help @reginiumepicmusic
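Added example (not code from the video or from any of the commenters) that models the failure mode Voltara diagnosed above and the 0x16 prefix fix @reginiumepicmusic describes: a toy canonical-mode tty that treats 0x7f as erase, a helper that quotes tty-special bytes with ^V (the termios VLNEXT character), and a check for whether an address, such as the non-PIE PLT entry @benoitsevens359 mentions, can be sent unescaped. Addresses are constructed, and the helper generalizes the fix slightly by also escaping 0x16 itself.

```python
import struct

VERASE = 0x7f   # DEL: default erase character on Linux ptys
VLNEXT = 0x16   # ^V: "deliver the next byte literally" (termios lnext)


def simulate_cooked_tty(data: bytes) -> bytes:
    """Toy model of what a canonical-mode (cooked) pty hands to the program:
    DEL erases the previous pending byte, ^V passes the next byte through
    untouched. A real line discipline intercepts more control bytes than this."""
    line = bytearray()
    literal_next = False
    for b in data:
        if literal_next:
            line.append(b)
            literal_next = False
        elif b == VLNEXT:
            literal_next = True
        elif b == VERASE:
            if line:
                line.pop()
        else:
            line.append(b)
    return bytes(line)


def escape_for_tty(payload: bytes, specials=(VERASE, VLNEXT)) -> bytes:
    """Prefix each tty-special byte with ^V so it arrives verbatim. ^V itself
    must be escaped too, or a payload byte 0x16 would swallow its neighbour."""
    out = bytearray()
    for b in payload:
        if b in specials:
            out.append(VLNEXT)
        out.append(b)
    return bytes(out)


def tty_safe(addr: int) -> bool:
    """True when the little-endian 8-byte encoding of addr contains no
    tty-special byte, i.e. it survives a cooked pty without escaping."""
    return not any(b in (VERASE, VLNEXT) for b in struct.pack("<Q", addr))


# Constructed sample addresses (not the challenge's real values):
LIBC_SYSTEM = 0x7FFFF7E4A6D0   # typical libc mapping: its 0x7f byte gets eaten
PLT_SYSTEM = 0x401040          # non-PIE binary: every byte passes through
```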
@SB_3.1415 1 year ago
how is this thing only 300 points?!
@SloppyJoePirates 1 year ago
haha, maybe the pico team just has a lot of faith in us