    $ ./crackfire
    Welcome to CrackFire!
    Enter the secret code:
    >

If you type anything other than the hidden code you get:
    printf("Enter the secret code:\n");
    scanf("%s", buf);   // <-- NO length limit

scanf("%s", ...) reads until whitespace and performs no size check on buf. But more importantly, later there is a printf that prints the user-controlled string without a format string:
The secret code is stored in the binary as a global:

https://bit.ly/crackfire
    %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p %p

Output (truncated):
    %p %p %p %p %p %p

produces:
    0x404060: "t0pS3cr3tC0de!"

In main you’ll see:
    base = leaked_puts_addr - puts_offset_in_binary

For the purpose of this write-up we’ll assume the binary’s base is 0x555555554000 (typical ASLR value on my system). All subsequent addresses are .

6. Locating the return address on the stack

When printf(buf) processes the format string, the stack layout looks like:
Thus (zero‑based) from the start of the format string corresponds to the saved return address.