0x404060: "t0pS3cr3tC0de!" In main you’ll see:
The classic technique is to write the lower 2 bytes, then the upper 2 bytes, then the upper 4 bytes, etc. Since we have a full 64‑bit address we’ll do it in (lower and higher dword) using %n twice. 7.1. Compute split values win_addr = 0x5555555552f0 low = win_addr & 0xffffffff # 0x5552f0 high = win_addr >> 32 # 0x5555 We need to place the low dword at the saved RIP, then the high dword at saved RIP+4. 7.2. Choose where to write the two addresses We’ll prepend the two addresses to the format string; they’ll become the first two arguments ( %1$ , %2$ ). Then we’ll use %3$n and %4$n to write to those addresses. https- bit.ly crackfire
printf("Enter the secret code:\n"); scanf("%s", buf); // <-- NO length limit scanf("%s", ...) reads until whitespace, no size check → . But more importantly, later there is a printf that prints the user‑controlled string without a format string : 0x404060: "t0pS3cr3tC0de
base = leaked_puts_addr - puts_offset_in_binary For the purpose of this write‑up we’ll assume the binary’s base is 0x555555554000 (typical ASLR value on my system). All subsequent addresses are . 6. Locating the return address on the stack When printf(buf) processes the format string, the stack layout looks like: Compute split values win_addr = 0x5555555552f0 low =
| Address | Symbol | Purpose | |---------|--------|---------| | 0x401260 | main | reads user input with scanf("%s", buf) | | 0x4010f0 | check | compares input to a hidden string ( secret ) | | 0x401240 | win | prints flag and exits |