The sixth day of AoC23 contains a Memory Corruption task.
We are tasked with looking at a game with memory corruption vulnerabilities (buffer overflows).
Learning Objectives #
- Understand how specific languages may not handle memory safely.
- Understand how variables might overflow into adjacent memory and corrupt it.
- Exploit a simple buffer overflow to directly change memory you are not supposed to access.
Overview #
The objective of the game is to save Christmas by buying the star for the Christmas tree (10'000 coins). You can also change your name for a fee of 1 coin per character.
These are my key takeaways from today:
- Buffer overflows occur in some programming languages, mostly `C` and `C++`, where the variables' boundaries aren't strict.
- When strings are written in memory, each character is written in order, taking 1 byte each.
- A `NULL` character is also concatenated at the end of the string. A `NULL` character is simply a byte with the value 0x00.
- Integers in `C++` are stored in a very particular way in memory:
  - First, integers have a fixed memory space of 4 bytes.
  - Secondly, an integer's bytes are stored in reverse order in most desktop machines. This is known as the `little-endian` byte order.
Questions #
- If the coins variable had the in-memory value of "4f 4f 50 53", how many coins would you have in the game?

```python
# Little-endian: read the four bytes in reverse order, giving 0x53504f4f
print(int("0x53504f4f", 0))
```
- What is the value of the final flag?

You have to fill the buffer past `player_name`, `coins`, `shopk_name`, `namer_name` and, when you're down to `inv_items`, add a `d`, as the ID for the star is `d`. Fill the buffer with `4*11` characters to get down to the inventory, then add a `d`.
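Added example (not code from the original write-up or from the AoC challenge binary): the C program below reconstructs a 4-byte little-endian integer from the bytes as they sit in memory, which is exactly the reasoning behind question 1 above, and puts an unchecked rename next to a bounded one that refuses any name that would spill into the adjacent `coins` field. The `struct player` layout, `NAME_LEN` and the function names are assumptions chosen to mirror the write-up's description of adjacent fields, not the game's real source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout (assumption, not the game's real source): a fixed-size
   name buffer immediately followed by the coin counter, as the write-up describes. */
#define NAME_LEN 12

struct player {
    char     name[NAME_LEN];  /* each character is 1 byte, followed by a 0x00 terminator */
    uint32_t coins;           /* 4 bytes, least-significant byte first on little-endian hosts */
};

/* Rebuild a 4-byte integer from the bytes in the order they sit in memory (little-endian). */
uint32_t le_bytes_to_u32(const uint8_t b[4]) {
    return (uint32_t)b[0]
         | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16)
         | ((uint32_t)b[3] << 24);
}

/* Question 1 from the write-up: the in-memory bytes "4f 4f 50 53" read as a coin count. */
uint32_t decode_question_one(void) {
    const uint8_t in_memory[4] = {0x4f, 0x4f, 0x50, 0x53};  /* constructed from the question text */
    return le_bytes_to_u32(in_memory);
}

/* Returns 1 if this host stores the least-significant byte first. */
int host_is_little_endian(void) {
    uint32_t probe = 0x01020304u;
    uint8_t first_byte;
    memcpy(&first_byte, &probe, 1);
    return first_byte == 0x04;
}

/* Unchecked rename: copies until the 0x00 terminator with no regard for the
   buffer size, so a name of NAME_LEN or more characters overwrites `coins`. */
void set_name_unchecked(struct player *p, const char *new_name) {
    strcpy(p->name, new_name);
}

/* Bounded rename: refuses any name that cannot fit together with its terminator.
   Returns 0 on success, -1 when the name is too long. */
int set_name_checked(struct player *p, const char *new_name) {
    size_t n = strlen(new_name);
    if (n >= sizeof p->name) {
        return -1;  /* the terminator would land on the byte after name[], i.e. in coins */
    }
    memcpy(p->name, new_name, n + 1);  /* n characters plus the 0x00 terminator */
    return 0;
}

/* Rename a fresh player holding 50 coins; returns -1 if the name was rejected,
   otherwise the coin count afterwards (which must still be 50). */
int64_t checked_rename_result(const char *new_name) {
    struct player p;
    memset(&p, 0, sizeof p);
    p.coins = 50;
    if (set_name_checked(&p, new_name) != 0) {
        return -1;
    }
    return (int64_t)p.coins;
}

int main(void) {
    printf("question 1: 0x%08x = %u coins\n", decode_question_one(), decode_question_one());
    printf("host is little-endian: %s\n", host_is_little_endian() ? "yes" : "no");
    printf("rename to 'Santa': %lld\n", (long long)checked_rename_result("Santa"));
    printf("rename to 12 x 'A': %lld\n", (long long)checked_rename_result("AAAAAAAAAAAA"));
    return 0;
}
```

The checked version is the fix for the class of bug the game has: the copy is limited by the destination's size rather than by where the source happens to end, so a long name is rejected instead of being written over the neighbouring coin counter.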