I know it's kinda old, but I really love this kind of ROP challenge.

1. Source code

2. Way of thinking

First of all, I audit the source a little bit and notice that there are 4 functions we need to focus on: vuln, win_function1, win_function2, and flag.

To get to the flag, you have to line up the GOT win1 and win2, and pass an argument of 0xdeadbaad before calling the flag function.

OK then, let's jump to the m4g1k!!!

3. Hacking

First, let's check whether there is any protection on the binary (because the remote server doesn't have gdb-peda, which has checksec, and of course I myself don't have enough knowledge about testing the binary).

As you can see, only NX is on (and ASLR is off too), which makes our exploit a lot easier.

Now let's dump the disassembler mnemonics of those functions we noticed before.

Now, let's build our payload (I'm a one-liner command person ^.^).

We get our offset from vuln, which is 0x18 + 4. The next 4 bytes are the address of win_function1, to set the GOT win1 to true.

Next comes win_function2; we have to push 0xBAAAAAAD to set win2 to true (remember to place the flag address right after win_function2).

And when control reaches the flag function, push 0xDEADBAAD onto the stack.

Now our final payload becomes:

28 byte offset + '\xcb\x85\x04\x08' + '\xd8\x85\x04\x08' + '\x2b\x86\x04\x08' + '\xad\xaa\xaa\xba' + '\xad\xba\xad\xde'

Enjoy hacking!!!

a loner