PWN day 13

Nick Mckenney
May 27, 2024

What does setvbuf do?

From what I found, it disables buffering.

This prevents data from being held in memory.

setvbuf(stdout, NULL, _IONBF, 0)

The above allows output to appear right away, since buffering can usually cause delays, especially when input is read in from the user.
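The effect of that call can be measured on a stream that is not a terminal, which is how a challenge binary usually runs behind a pipe or socket. The following is an added example, not code from the original post or the challenge; the function name `bytes_visible_before_flush` and the prompt string are hypothetical, and it assumes a POSIX system.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed prompt: no trailing newline, like a typical input prompt. */
static const char PROMPT[] = "Input: ";

/* Write PROMPT to a pipe-backed stream and return how many bytes the reader
 * can see BEFORE any fflush()/fclose(). Returns -1 on setup failure. */
int bytes_visible_before_flush(int unbuffered)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    FILE *out = fdopen(fds[1], "w");   /* not a tty: fully buffered by default */
    if (out == NULL) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (unbuffered)
        setvbuf(out, NULL, _IONBF, 0); /* same mode the post's call sets on stdout */

    fputs(PROMPT, out);                /* no newline, no explicit flush */

    /* Non-blocking check of the read end: has anything arrived yet? */
    struct pollfd pfd = { .fd = fds[0], .events = POLLIN };
    char buf[64];
    int seen = 0;
    if (poll(&pfd, 1, 0) > 0 && (pfd.revents & POLLIN))
        seen = (int)read(fds[0], buf, sizeof buf);

    fclose(out);                       /* flushes whatever was still buffered */
    close(fds[0]);
    return seen;
}

int main(void)
{
    printf("default buffering: %d bytes visible before flush\n",
           bytes_visible_before_flush(0));
    printf("_IONBF:            %d bytes visible before flush\n",
           bytes_visible_before_flush(1));
    return 0;
}
```

With default buffering the prompt stays in the stdio buffer until a flush, so the reading side sees nothing; with `_IONBF` each write reaches the pipe immediately.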

When investigating the image below, it is pretty obvious that there is a char variable stored with several bytes of allocation.

Now it's time to start the challenge.

Underlined is my canary. I can tell for 2 reasons. First, the trailing double 0 at the end of the address. Second, because of the thread control block with an offset of 0x28.

My guess is this is a Full Buffering mode

After stepping several more times, I found I need to change the address of a win variable to a static hex address. This one was easy since there was nothing dynamic in the program. So I simply set a byte buffer and an expected value for a cmp instruction.

My next challenge was interesting from the beginning

A 0x1000 byte stack frame allocation! This seems excessive.
