Pwn Day 15
I need to overwrite my page address as well as add an rdi value to pass a conditional for my ret2win.
Analyzing this, I can tell my variable is 0x70 bytes in size.
When I continue down the disassembly, I can see my first input is getting placed into a buffer of 0x78 bytes.
So I need 0x78+0x8 bytes to overwrite my address completely. Though I don't want that due to a partial overwrite.
I can say that since underlined in green is my current address I'm writing to and the underlined in red is my return address as of this moment. We can also tell they are part of the same page. -> 0x3000
It appears this challenge is checking for a correctly sized input. This isn't even a canary.
My immediate first guess is since I see it is using a strlen function as a check for size input, there could be a byte terminator for this.
Looks like I passed it. RAX is 1 while I sent 400 bytes.
The memcpy copied my input to an empty address. This empty address was 0x7ffe06cde380.
My ret address was 0x7ffe06cde3f8.
The above was giving me issues. I realized a null byte was failing this check. Time to flood with A’s.
After 5 tries, I got super lucky and hit the flag
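Why the partial overwrite above needed several tries, as an added example that is not part of the original write-up: ASLR leaves the low 12 bits of an address fixed, so a 2-byte overwrite has to guess 4 randomized bits. The offsets and the base address below are constructed for illustration, not taken from the challenge.

```python
import struct

PAGE_BITS = 12  # ASLR moves mappings in 4 KiB pages: the low 12 address bits are fixed

# Constructed offsets inside the binary's 0x3000 page (not the challenge's real values).
RET_OFF = 0x3A10  # where the saved return address points before the overwrite
WIN_OFF = 0x3456  # hypothetical target in the same page


def partial_overwrite(saved_ret: int, tail: bytes) -> int:
    """Replace the lowest len(tail) bytes of a little-endian 64-bit saved return address."""
    raw = bytearray(struct.pack("<Q", saved_ret))
    raw[: len(tail)] = tail
    return struct.unpack("<Q", bytes(raw))[0]


def unknown_bits(n_bytes: int) -> int:
    """Randomized bits an n-byte overwrite must guess (bits written above the page offset)."""
    return max(0, 8 * n_bytes - PAGE_BITS)


def winning_nibbles(guessed_nibble: int) -> list:
    """Check one fixed 2-byte guess against all 16 possible values of base bits 12..15."""
    low16 = ((guessed_nibble << PAGE_BITS) + WIN_OFF) & 0xFFFF
    tail = struct.pack("<H", low16)
    hits = []
    for nibble in range(16):
        # Constructed, page-aligned PIE base; only bits 12..15 vary here.
        base = 0x0000_5555_5555_0000 | (nibble << PAGE_BITS)
        if partial_overwrite(base + RET_OFF, tail) == base + WIN_OFF:
            hits.append(nibble)
    return hits


def p_success_within(tries: int, n_bytes: int = 2) -> float:
    """Chance that at least one of `tries` runs lands, each run freshly randomized."""
    p = 1 / (1 << unknown_bits(n_bytes))
    return 1 - (1 - p) ** tries


if __name__ == "__main__":
    print("bits to guess with 2 bytes:", unknown_bits(2))
    print("layouts matched by a fixed guess:", winning_nibbles(0))
    print("P(success within 5 tries): %.3f" % p_success_within(5))
```

A fixed guess matches exactly one of the 16 possible layouts, so five runs succeed a little over a quarter of the time.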
Moving on to the next challenge.
Finally looks like I have a canary! Time to leak it!
Number 1 is taking my empty address of 0x150 size and saving it to rax; then, with the qword ptr, it takes the address pointing to that space and movs it to rax.