Exploit Dev — The Heap
We leave the stack for the glibc heap, where the allocator's own bookkeeping is the attack surface. You will learn chunks…
A format string bug — printf(user_input) instead of printf("%s", user_input) — gives you both an arbitrary memor…
The stack canary is the last classic mitigation: a random cookie between your buffer and the saved return address, checked in the …
Every chain so far hardcoded addresses, which only works with ASLR off. This is the keystone that makes it work on a real target: …
ret2libc calls one whole function — ROP generalises that to arbitrary computation built from borrowed scraps. A gadget is a few in…
NX kills shellcode on the stack, so stop injecting code and reuse code already there. libc is mapped into every process, executabl…
Everything so far ran on easy mode — no canary, no NX, no PIE, no ASLR. Real binaries turn it all on, so this part is the map for …
ret2win jumped to a function with no arguments. Real targets need you to call functions WITH controlled arguments — and on x86-64 …
ret2win only worked because a win() existed. When it does not, you bring your own code. We hand-roll a null-free execve("/bin/sh")…
Everything so far converges into your first real working exploit. We take a vulnerable program and walk the whole recipe end to en…