Tutorial 1
PwnTools
The general flow is to use recv and send to communicate with the program.
Useful Functions
- `p32`: a wrapper around `struct.pack` that "packs" a number into little-endian format
- `u32`: a wrapper around `struct.unpack` which unpacks a number from little-endian to decimal
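To make concrete what these helpers do, here is an added example (not pwntools' own code) that re-implements `p32`/`u32` on top of `struct`, as the note above describes, and also adds the 64-bit variants `p64`/`u64` plus a `u64_padded` helper for address leaks shorter than 8 bytes; the function names mirror pwntools but everything below is a re-implementation written for this page:

```python
import struct

# Added example, not the tutorial's code: pwntools' p32/u32 are thin wrappers
# over struct.pack/struct.unpack with the little-endian format "<I". These
# re-implementations (and the 64-bit siblings) show exactly what they do.


def p32(n: int) -> bytes:
    """Pack an unsigned 32-bit integer into 4 little-endian bytes."""
    return struct.pack("<I", n)


def u32(b: bytes) -> int:
    """Unpack exactly 4 little-endian bytes into an unsigned integer."""
    return struct.unpack("<I", b)[0]


def p64(n: int) -> bytes:
    """64-bit sibling of p32 (format "<Q")."""
    return struct.pack("<Q", n)


def u64(b: bytes) -> int:
    """64-bit sibling of u32; requires exactly 8 bytes."""
    return struct.unpack("<Q", b)[0]


def fits(n: int, bits: int) -> bool:
    """True if n can be packed as an unsigned `bits`-bit value.

    struct.pack raises struct.error for out-of-range or negative values,
    which is a common cause of a confusing crash inside a send() helper."""
    return 0 <= n < (1 << bits)


def u64_padded(leak: bytes) -> int:
    """Decode a leaked address that is shorter than 8 bytes.

    A userspace x86-64 pointer has at most 6 significant bytes, so a value
    read back with recv() is often truncated (e.g. at a NUL or newline).
    Right-padding with NUL bytes fills the high bytes in little-endian order,
    after which a normal u64 works."""
    if len(leak) > 8:
        raise ValueError("expected at most 8 bytes, got %d" % len(leak))
    return u64(leak.ljust(8, b"\x00"))


def roundtrip_ok(n: int) -> bool:
    """Sanity check: packing then unpacking returns the original number."""
    return u32(p32(n)) == n


if __name__ == "__main__":
    print(p32(0xDEADBEEF))                  # b'\xef\xbe\xad\xde'
    print(hex(u32(b"\xef\xbe\xad\xde")))    # 0xdeadbeef
    # the text-segment start of /bin/cat from the maps listing below this page
    print(hex(u64_padded(b"\x00\x30\x4b\x40\xab\x55")))  # 0x55ab404b3000
```

The `fits` check is worth calling before packing anything derived from untrusted input: `struct` refuses out-of-range values with `struct.error`, and the traceback usually points at the wrong place.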
GDB & Assembly
Registers
- `rip`: program counter
- `rdi`: arg1
- `rsi`: arg2
Memory Regions
```
# gdb command
pwndbg> vmmap
```

```
# Sneak peek: the maps file
$ cat /proc/self/maps
55ab404b3000-55ab404bb000 r-xp 00000000 103:04 4980761 /bin/cat
55ab406ba000-55ab406bb000 r--p 00007000 103:04 4980761 /bin/cat
55ab406bb000-55ab406bc000 rw-p 00008000 103:04 4980761 /bin/cat
55ab42019000-55ab4203a000 rw-p 00000000 00:00 0 [heap]
7fcaadfba000-7fcaae989000 r--p 00000000 103:04 5904987 /usr/lib/locale/locale-archive
7fcaae989000-7fcaaeb70000 r-xp 00000000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaeb70000-7fcaaed70000 ---p 001e7000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaed70000-7fcaaed74000 r--p 001e7000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaed74000-7fcaaed76000 rw-p 001eb000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaed76000-7fcaaed7a000 rw-p 00000000 00:00 0
7fcaaed7a000-7fcaaeda1000 r-xp 00000000 103:04 660304 /lib/x86_64-linux-gnu/ld-2.27.so
7fcaaef65000-7fcaaef89000 rw-p 00000000 00:00 0
7fcaaefa1000-7fcaaefa2000 r--p 00027000 103:04 660304 /lib/x86_64-linux-gnu/ld-2.27.so
7fcaaefa2000-7fcaaefa3000 rw-p 00028000 103:04 660304 /lib/x86_64-linux-gnu/ld-2.27.so
7fcaaefa3000-7fcaaefa4000 rw-p 00000000 00:00 0
7ffeedbaa000-7ffeedbcb000 rw-p 00000000 00:00 0 [stack]
7ffeedbe9000-7ffeedbec000 r--p 00000000 00:00 0 [vvar]
7ffeedbec000-7ffeedbee000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
```
| Region | Permissions | Description |
|---|---|---|
| Code | r-xp | The program instructions |
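The columns in that listing are start-end, permissions, file offset, device, inode and path. As an added example (not part of the tutorial or of pwndbg), the script below parses such lines into objects, answers the two questions `vmmap` is usually used for (which region does an address fall in, and where does a module start), and audits the permissions for mappings that are writable and executable at once, which a W^X/NX-hardened process should not have. `SAMPLE_MAPS` is copied from the listing above; the names `Mapping`, `parse_maps`, `region_for`, `base_of` and `find_wx` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not the tutorial's code. SAMPLE_MAPS is the tutorial's
# `cat /proc/self/maps` output; everything else is written for this page.
SAMPLE_MAPS = """\
55ab404b3000-55ab404bb000 r-xp 00000000 103:04 4980761 /bin/cat
55ab406ba000-55ab406bb000 r--p 00007000 103:04 4980761 /bin/cat
55ab406bb000-55ab406bc000 rw-p 00008000 103:04 4980761 /bin/cat
55ab42019000-55ab4203a000 rw-p 00000000 00:00 0 [heap]
7fcaadfba000-7fcaae989000 r--p 00000000 103:04 5904987 /usr/lib/locale/locale-archive
7fcaae989000-7fcaaeb70000 r-xp 00000000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaeb70000-7fcaaed70000 ---p 001e7000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaed70000-7fcaaed74000 r--p 001e7000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaed74000-7fcaaed76000 rw-p 001eb000 103:04 660332 /lib/x86_64-linux-gnu/libc-2.27.so
7fcaaed76000-7fcaaed7a000 rw-p 00000000 00:00 0
7fcaaed7a000-7fcaaeda1000 r-xp 00000000 103:04 660304 /lib/x86_64-linux-gnu/ld-2.27.so
7fcaaef65000-7fcaaef89000 rw-p 00000000 00:00 0
7fcaaefa1000-7fcaaefa2000 r--p 00027000 103:04 660304 /lib/x86_64-linux-gnu/ld-2.27.so
7fcaaefa2000-7fcaaefa3000 rw-p 00028000 103:04 660304 /lib/x86_64-linux-gnu/ld-2.27.so
7fcaaefa3000-7fcaaefa4000 rw-p 00000000 00:00 0
7ffeedbaa000-7ffeedbcb000 rw-p 00000000 00:00 0 [stack]
7ffeedbe9000-7ffeedbec000 r--p 00000000 00:00 0 [vvar]
7ffeedbec000-7ffeedbee000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
"""

# start-end perms offset dev inode [path]; path is empty for anonymous mappings
LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    path: str  # "" for anonymous mappings

    @property
    def size(self) -> int:
        return self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    def is_wx(self) -> bool:
        """Writable and executable at once: a W^X (NX/DEP) violation."""
        return "w" in self.perms and "x" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text; raise on a line that does not fit the format."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparsable maps line: %r" % line)
        start, end, perms, offset, _dev, _inode, path = m.groups()
        mappings.append(Mapping(int(start, 16), int(end, 16), perms, int(offset, 16), path))
    return mappings


def region_for(mappings: List[Mapping], addr: int) -> Optional[Mapping]:
    """The mapping an address falls in, or None if it is unmapped."""
    for m in mappings:
        if m.contains(addr):
            return m
    return None


def base_of(mappings: List[Mapping], path: str) -> Optional[int]:
    """Lowest start address of the mappings backed by `path` (the module base)."""
    starts = [m.start for m in mappings if m.path == path]
    return min(starts) if starts else None


def find_wx(mappings: List[Mapping]) -> List[Mapping]:
    """Mappings that are both writable and executable."""
    return [m for m in mappings if m.is_wx()]


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for m in maps:
        print("%016x-%016x %s %8x %s" % (m.start, m.end, m.perms, m.size, m.path))
    print("libc base:", hex(base_of(maps, "/lib/x86_64-linux-gnu/libc-2.27.so")))
    print("W^X violations:", len(find_wx(maps)))
```

Running it against the listing reports no writable-and-executable mapping, which is the expected state for a modern NX-enabled binary; a `rwxp` region in a real process is worth investigating (JIT pages are the usual benign cause).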
Reverse Engineering
IDA
F5: Convert to C (free version allows 32bit)