Let’s start by looking at the source code of the challenge.
Firstly, we have a volatile int modified variable statement. This statement tells the compiler that it should not optimize it by any means. This means that this variable is open to modify somewhere else during the execution and the compiler is forced to reload the variable every time. Read more at Wikipedia.
After that we’re going to copy the contents of argv into buffer. Notice how we’re using strcpy() function that won’t care about the size of the destination buffer, we can simply copy 1000 bytes into 64 bytes buffer resulting in buffer overflow. That’s why we should be using strncpy() function that takes another argument - number of bytes to copy.
In last section of code we have if(modified == 0x61626364). As the modified variable is equal to 0 we have to modify it with a previously detected buffer overflow vulnerability. But firstly, let’s take a look at the disassembly of this program.
First thing what we can see is that in this line DWORD PTR [esp+0x5c],0x0, value 0x0 is moved into stack with offset 0x5c. That’s the modified variable. At the next arrow we can see lea eax,[esp+0x1c], so the variable passed to the parameter passed to the function strcpy() is located at esp plus offset 0x1c. That’s our buffer. We can also check that by substracting both addressed. The difference should be the size of buffer, so 64 bytes.
Let’s take a look at this simple stack representation, showing the local variables that are put onto the stack.
If we supply the program with number of elements smaller than 64, then it will run without smallest problem.
But what will happen if we overflow the buffer with 2 ‘A’ letters bigger than the allocated size, so in this case 64 ‘A’ letters.
As you can see, our modified variable gets overwritten as it’s the next variable on the stack.
Now we have to make sure that this check modified == 0x61626364 is correct. Firstly let’s convert them to characters.
But we have to remeber that values in memory are stored in little endian. Read more here. Basically we have to revert the values into dcba.