This year me and my friends decided to take part in more CTFs; this series is a present from heavens and we'll be using it like the Bible! Keep up the good work!
Awww thanks mate, that's great to hear 💜
The explanation is literally awesome 🖤
Thank you 💜
This video is awesome!!!! I am a newbie to binary exploit, finally I am able to understand.
That's what I like to hear!! 👊
loving this man. You need to do a tutorial on C code decompilation with IDA/Pro
Haha I've barely touched IDA since ghidra release 😆
Great series just stumbled on it!
Thank you! 🙏
Awesome video. Thanks man!
Brilliant stuff cryptocat! One question - 9:12, why is the instruction after cmp (at *main+140) "je" and not "jne". In my understanding, cmp instruction compares ebp-0xc value to 0. If it matches, it shouldn't jump. Please clarify this. Also please note that I am a beginner to assembly language and buffer overflow, so please excuse if this is too basic a question.
Hey, thanks mate! The cmp instruction will indeed compare the ebp-0xc value to 0. "je" is saying "jump if equals", i.e. if ebp-0xc == 0, jump (to main+169).
On the other hand "jne" is saying "jump if NOT equals", i.e. if ebp-0xc != 0, jump (to main+169). In this example, it's a "je" so if the value on the stack equals zero, it will jump 😉
Thank you so much for making this !
np, glad you like! 💜
thanks
Hi, could you please explain how to set up the ghidra_auto command? (ps love your videos!)
Thanks! There's a copy of the script here: github.com/Crypto-Cat/CTF/blob/main/auto_ghidra.py
To create the ghidra_auto command, you can add a line to the ~/.bash_aliases file pointing to the script like:
alias ghidra_auto='python3 /home/user/auto_ghidra.py'
Instead of writing a PwnTools script you could also just run something like (python2 -c "print 'a'*6 + '\x01'") | ./login, which is flexible for other stuff too; you can also echo -e aaaaaa'\x01' and stuff like that.
I must say though I really love your tutorial. It's seriously awesome
Very true, thanks!
I want to know what Linux system you are using,
it doesn't look like Ubuntu. I really like this,
I like its desktop style.
Hey! I'm using Parrot OS, kind of similar to Kali. I've been using it for a few years now but will probably go back to Kali next time I make a new VM (Parrot seems really slow to upgrade packages).
Hi, thank you for creating this playlist! I want to ask something. I am a newbie and I tried to follow everything you do in your videos, but I didn't get a segmentation fault in my terminal, even though I clearly overflowed the input. This also happened in the first video (the ./vuln), and I've tried to fix it so I can get the segfault, but I can't. I also tried to get the segfault in gdb (gdb ./login, and run) and changing my ulimit -c unlimited, but I still didn't get it.
Is there any way I can get my terminal to report the errors and segfault? Thanks in advance!
Also, when I run the program (using ./login) and type 12 a's (aaaaaaaaaaaaaaaa), authorised = 0, but with 13 a's, authorised finally becomes 97. Is this caused by something related to my machine (I'm using Kali Linux on a Mac M1, arm64), since I also can't use the -m32 flag?
Hey, sorry I don't really do binary exploitation any more xD I hear of a lot of people having issues with Mac M1 but also haven't investigated - just doing web hacking these days 🕸
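The three questions above (why the cmp/je takes the "not authorised" path when the flag is zero, why a one-liner like 'a'*N + '\x01' works as a payload, and why a 13th 'a' turns authorised into 97) all come down to where the input buffer sits relative to the flag. The following C program is an added example written for this thread, not the source of the video's login binary: it models a constructed 32-bit little-endian frame with a 12-byte buffer immediately followed by the 4-byte authorised flag (the buffer size is assumed from the 12-vs-13 observation above; adjust BUF_LEN for the 'a'*6 layout), and shows the unbounded copy beside a bounded one that cannot reach the flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the stack frame discussed in the thread (an
 * assumption, not the layout of the real login binary): a 12-byte input
 * buffer immediately followed by the 4-byte "authorised" flag that the
 * cmp [ebp-0xc], 0 / je tests. */
#define BUF_LEN 12
#define FRAME_LEN (BUF_LEN + 4)

/* Decode the 4 bytes after the buffer as a little-endian int, which is how
 * a 32-bit x86 build reads the variable. 'a' is 0x61 = 97, so a single
 * stray 'a' in the lowest byte yields exactly the 97 seen in the thread. */
static int32_t read_authorised(const unsigned char *frame) {
    return (int32_t)((uint32_t)frame[BUF_LEN]
                   | (uint32_t)frame[BUF_LEN + 1] << 8
                   | (uint32_t)frame[BUF_LEN + 2] << 16
                   | (uint32_t)frame[BUF_LEN + 3] << 24);
}

/* Vulnerable pattern: the copy is bounded by the input length, not by the
 * buffer, so input bytes 13..16 land on "authorised". Returns the flag's
 * value after the copy. */
int32_t login_unbounded(const unsigned char *input, size_t len) {
    unsigned char frame[FRAME_LEN] = {0};   /* authorised starts at 0 */
    if (len > FRAME_LEN) len = FRAME_LEN;   /* keep the model itself in bounds */
    memcpy(frame, input, len);
    return read_authorised(frame);
}

/* Hardened pattern: the copy is bounded by the buffer size, which is what
 * fgets(buf, sizeof buf, stdin) gives you, so the flag is never touched. */
int32_t login_bounded(const unsigned char *input, size_t len) {
    unsigned char frame[FRAME_LEN] = {0};
    if (len > (size_t)(BUF_LEN - 1)) len = BUF_LEN - 1;  /* room for the NUL */
    memcpy(frame, input, len);
    frame[len] = '\0';
    return read_authorised(frame);
}

/* The branch the cmp/je implements: the jump is taken when the flag is
 * zero (deny); a non-zero flag falls through to the granted path. */
const char *decide(int32_t authorised) {
    return authorised == 0 ? "denied (je taken)" : "granted";
}

int main(void) {
    /* Constructed inputs mirroring the thread: 12 a's, 13 a's, and
     * 'a'*12 + '\x01' (the one-liner payload shape, sized for BUF_LEN). */
    const unsigned char twelve[]   = "aaaaaaaaaaaa";
    const unsigned char thirteen[] = "aaaaaaaaaaaaa";
    const unsigned char one[]      = "aaaaaaaaaaaa\x01";

    printf("12 a's, unbounded : authorised=%d -> %s\n",
           (int)login_unbounded(twelve, 12), decide(login_unbounded(twelve, 12)));
    printf("13 a's, unbounded : authorised=%d -> %s\n",
           (int)login_unbounded(thirteen, 13), decide(login_unbounded(thirteen, 13)));
    printf("'a'*12+\\x01, unbounded: authorised=%d -> %s\n",
           (int)login_unbounded(one, 13), decide(login_unbounded(one, 13)));
    printf("13 a's, bounded   : authorised=%d -> %s\n",
           (int)login_bounded(thirteen, 13), decide(login_bounded(thirteen, 13)));
    return 0;
}
```

On a 64-bit or arm64 build the compiler is free to place the flag elsewhere or pad the frame differently, which is why the same input can behave differently without -m32; the model above fixes the layout so the effect of each extra byte is visible.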
Does it have to be 32 bit to work? I'm having issues with the -m32 flag
Nope! You can do all the exercises in 64 bit but it will create differences, e.g. address sizes, registers, calling conventions. I did a video series on ROP Emporium a couple of years ago and every video has a 32 bit challenge, followed by a 64 bit equivalent so you can really see the differences side by side. The challenges are more advanced than this intro series though: th-cam.com/video/oBZy0bGNezo/w-d-xo.html
First of all: Thank you so much!!! This is pure gold. 😇 But how do I manage to use the commands/functions from pwn directly in the terminal? I can only use them in the python terminal...
Thank you! 💜 You need to make sure pwntools is in your path, e.g. when you run "echo $PATH", the directory that these functions are in (e.g. cyclic) should be present.
It might vary depending on OS/version/how you installed, but mine is in "/home/crystal/.local/bin". If you run "locate cyclic", you should be able to confirm the path you need, then just add it to your .bashrc file 😉
Hi, I have slight issues compiling the C code to a binary, I get the error "/usr/include/stdio.h:27:10: fatal error: bits/libc-header-start.h: No such file or directory".
Is it normal?
Can I just proceed with the pre-compiled binaries without trying to change them as you teach?
You should be able to use the pre-compiled binaries, but it's good to be able to compile C code I guess 😆
What operating system are you using? Maybe try to install:
sudo apt-get install gcc-multilib
keep em coming
🔥🔥🔥
Awesome stuff!
Cheers 🙏🥰