pwn-tools-2.4

Sangharsha

Objective:

This level requires you to write an assembly code snippet to meet the following condition to bypass the check, and use the asm API from pwntools to compile the assembly code and complete the challenge. The condition for this challenge is:

Set a specific stack memory area (refer to the `trace` method of the `ASMChallenge` class).

In short: after our code runs, the 8 bytes at [rsp] (the top of the stack) must equal the original value minus the register rbx, i.e. top_of_stack = top_of_stack - rbx.

Solution Code:

from pwn import *

context.arch = "amd64"        # assemble for x86-64
context.os = "linux"
context.log_level = "debug"   # show every byte sent and received

binary = "/challenge/pwntools-tutorials-level2.4"
p = process(binary)

# pop the original top of stack, subtract rbx, push the result back
payload = asm("""
    pop rax
    sub rax, rbx
    push rax
""")
p.sendafter(b"Please give me your assembly in bytes", payload)
print(p.recvall().decode())

This challenge prefers using push and pop instructions instead of direct [rsp] dereferencing. Direct memory access like mov [rsp], reg probably works but is discouraged. So we gotta pop this shit.

What happened?

pop rax         ; pop the original top-of-stack value into rax
sub rax, rbx    ; subtract rbx from rax
push rax        ; put the result back on the stack

  • pop rax reads [rsp] into rax and increments rsp by 8 bytes.

  • sub rax, rbx modifies the value as needed.

  • push rax decrements rsp by 8 bytes and writes the updated value back onto the stack.

  • At the end, rsp is back where it started and the stack top ([rsp]) holds mem_rsp - rbx. Boom.
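To see exactly what the snippet does to the stack without running the challenge binary, here is an added example (not code from the original post or from pwn.college): a minimal interpreter for the pop/push/sub/mov forms discussed above, with a hypothetical `stack_top_after` helper and constructed sample values. It also shows that the discouraged `mov [rsp]` form reaches the same end state, and that the subtraction wraps modulo 2**64 like the real sub instruction.

```python
import struct

MASK64 = (1 << 64) - 1  # 64-bit registers: sub wraps modulo 2**64

def run(program, regs, mem):
    """Interpret pop/push/sub/mov lines against a register dict and a bytearray 'stack'."""
    for line in program.splitlines():
        line = line.split(";")[0].strip()       # drop comments and blank lines
        if not line:
            continue
        op, *args = line.replace(",", " ").split()
        if op == "pop":                           # reg <- [rsp]; rsp += 8
            regs[args[0]] = struct.unpack_from("<Q", mem, regs["rsp"])[0]
            regs["rsp"] += 8
        elif op == "push":                        # rsp -= 8; [rsp] <- reg
            regs["rsp"] -= 8
            struct.pack_into("<Q", mem, regs["rsp"], regs[args[0]])
        elif op == "sub":                         # dst <- (dst - src) mod 2**64
            dst, src = args
            regs[dst] = (regs[dst] - regs[src]) & MASK64
        elif op == "mov":                         # only the [rsp] <-> reg forms used here
            dst, src = args
            if dst == "[rsp]":
                struct.pack_into("<Q", mem, regs["rsp"], regs[src])
            elif src == "[rsp]":
                regs[dst] = struct.unpack_from("<Q", mem, regs["rsp"])[0]
            else:
                raise ValueError(f"unsupported mov form: {line}")
        else:
            raise ValueError(f"unsupported instruction: {line}")
    return regs, mem

def stack_top_after(program, top, rbx):
    """Hypothetical helper: run program on a constructed stack holding `top` at [rsp];
    return (value now at [rsp], change in rsp)."""
    mem = bytearray(64)                           # constructed 64-byte stack
    regs = {"rsp": 32, "rax": 0, "rbx": rbx}      # rsp starts in the middle
    struct.pack_into("<Q", mem, regs["rsp"], top) # little-endian 8-byte write
    run(program, regs, mem)
    new_top = struct.unpack_from("<Q", mem, regs["rsp"])[0]
    return new_top, regs["rsp"] - 32

POP_SUB_PUSH = "pop rax\nsub rax, rbx\npush rax"              # the snippet from this post
MOV_FORM = "mov rax, [rsp]\nsub rax, rbx\nmov [rsp], rax"      # direct-dereference equivalent

if __name__ == "__main__":
    print(stack_top_after(POP_SUB_PUSH, 0x1000, 0x10))  # prints (4080, 0)
```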

Flag:
