Pwn Day 5
I heard great things about pwn. It's time to finally go through it from beginning to end!
I am using Medium as a repo for my notes from the pwn courses.
Control Flow Manipulation
I want to have indirect or direct control of the RIP register.
Part of control flow manipulation is understanding the zero flag in relation to jmp instructions (conditional jumps such as je/jne act on the flags that cmp sets).
Currently I want to compare a dereferenced value:
cmp [rdi], 0x7f454c46
This is generating an error: Error: ambiguous operand size for `cmp'
What I'm thinking is that this is a size issue for the operand. The two sides of a compare need to have the same size, and a bare [rdi] does not tell the assembler whether it means one, two, four or eight bytes,
so a dword ptr could be my solution.
dword ptr is used to tell the assembler the size of an operand (here the four-byte memory operand at [rdi]).
My next challenge is understanding the mul instruction.
MUL takes a single operand and multiplies it with RAX implicitly (the result lands in RDX:RAX).
My first attempt looked like this
Time to try IMUL.
IMUL uses explicit operands,
meaning I can state the destination register myself and use a dereferenced value as the source.
From the above screenshot I can tell I'm super close to solving this problem. It's clear to me I'm using too big of a register.
Of course the above won't work since I'm using a dword in relation to a qword: a 32-bit memory operand needs a 32-bit register such as eax, not rax.
I then tried this. It seems my order of operations is out of place;
my goal is to do [rdi+4]-[rdi+8]+[rdi+0xc]
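Here is the whole thing put together as an added example (NASM syntax, which writes dword instead of dword ptr; this is my reconstruction, not code from the course). It assumes, as the operands above imply, that rdi points at a buffer of 32-bit values and that the result goes in rax, and it uses a constructed input buffer so it runs on its own.

```nasm
; Added example, not from the course. x86-64 Linux, NASM syntax.
; Assumption: rdi points at a buffer of dwords; results are returned in rax.
global _start

section .data
    ; constructed sample input: dword 0 is the value compared below,
    ; then 100, 30, 7 so the result is 100 - 30 + 7 = 77
    buf: dd 0x7f454c46, 100, 30, 7

section .text
; rax = [rdi+4] - [rdi+8] + [rdi+0xc] if [rdi] == 0x7f454c46, else rax = 0
check_and_compute:
    ; "cmp [rdi], imm" alone is ambiguous: the assembler cannot tell whether
    ; [rdi] is 1, 2, 4 or 8 bytes, so the operand size is spelled out
    cmp dword [rdi], 0x7f454c46
    jne .no_match                 ; zero flag clear -> the values differ
    ; every operand here is a dword, so use 32-bit registers throughout;
    ; "mov rax, dword [rdi+4]" is rejected and "sub rax, [rdi+8]" would
    ; read 8 bytes, which is the dword-vs-qword clash described above
    mov eax, dword [rdi+4]
    sub eax, dword [rdi+8]        ; subtract first ...
    add eax, dword [rdi+0xc]      ; ... then add, matching the goal's order
    ret
.no_match:
    xor eax, eax
    ret

; rax = [rdi+4] * [rdi+8], once with MUL and once with IMUL
mul_implicit:
    mov eax, dword [rdi+4]
    mul dword [rdi+8]             ; one operand: EDX:EAX = EAX * [rdi+8], EAX is implicit
    ret
mul_explicit:
    mov eax, dword [rdi+4]
    imul eax, dword [rdi+8]       ; two operands: destination stated explicitly
    ret

_start:
    lea rdi, [rel buf]
    call check_and_compute
    mov edi, eax                  ; exit status = low byte of the result (77)
    mov eax, 60                   ; SYS_exit
    syscall
```

Build with `nasm -felf64 example.asm && ld -o example example.o`, then `./example; echo $?` prints the exit status, which is 77 for this buffer.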
Funny enough, after staring at it for hours...
Well, got the flag!