17 - memcpy


Last updated 4 years ago


The Challenge

Are you tired of hacking? take some rest here. Just help me out with my small experiment regarding memcpy performance. after that, flag is yours.

ssh memcpy@pwnable.kr -p2222 (pw:guest)

The Solution

The source code is pretty long, so here is the gist of it:

  • We input sizes, each in a range between consecutive powers of 2 (e.g. 64 - 128).

  • These sizes are malloced and two memcpy copycats are executed on them.

  • The first, slow_memcpy, copies byte by byte. The second, fast_memcpy, copies 64-byte chunks. It only kicks in when the malloced size is at least 64.

When we run the program with random valid input it crashes here:

printf '8\n24\n56\n120\n248\n504\n1016\n2040\n4088\n8184' | nc 0 9022

This guide by Intel implies that the address must be aligned to a 16-byte boundary when using movntps. So be it.

malloc uses 8 bytes before the returned address for a header, so if we send a size that is 8 bytes short of a multiple of 16, the next address returned to us will be aligned.
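
The alignment arithmetic above as a small model, added here as an example (it is not code from the challenge or from the original writeup). It assumes classic 32-bit glibc chunk rounding, back-to-back allocations with no frees, and a constructed 16-byte-aligned first pointer FIRST_PTR; chunk_size and first_misaligned are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model of classic 32-bit glibc malloc (an assumption, not taken
 * from the challenge binary): 4 bytes of size overhead, 8-byte granularity,
 * 16-byte minimum chunk. The 8-byte header sits before the user pointer. */
static uint32_t chunk_size(uint32_t req)
{
    uint32_t sz = (req + 4 + 7) & ~7u;
    return sz < 16 ? 16 : sz;
}

/* Walk consecutive allocations starting at first_ptr and return the index
 * of the first experiment that reaches fast_memcpy (size >= 64) with a
 * destination that is not 16-byte aligned, or -1 if every one is aligned. */
int first_misaligned(const uint32_t *sizes, int n, uint32_t first_ptr)
{
    uint32_t ptr = first_ptr;
    for (int i = 0; i < n; i++) {
        if (sizes[i] >= 64 && (ptr & 0xF) != 0)
            return i;                 /* movntps would fault here */
        ptr += chunk_size(sizes[i]);  /* next chunk follows directly */
    }
    return -1;
}

/* Constructed sample values: a 16-byte-aligned first user pointer, the
 * lower bound of each range, and the sizes used in the writeup. */
#define FIRST_PTR 0x0804c410u
static const uint32_t POW2_SIZES[10] =
    {8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096};
static const uint32_t PAGE_SIZES[10] =
    {8, 24, 56, 120, 248, 504, 1016, 2040, 4088, 8184};

int main(void)
{
    printf("powers of two: first misaligned index = %d\n",
           first_misaligned(POW2_SIZES, 10, FIRST_PTR));
    printf("16k - 8 sizes: first misaligned index = %d\n",
           first_misaligned(PAGE_SIZES, 10, FIRST_PTR));
    return 0;
}
```

Under this model the power-of-two inputs first misalign at the 128-byte experiment, because the 64-byte request occupies a 72-byte chunk, while every size of the form 16k - 8 rounds to a chunk that is a multiple of 16.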

Source: http://pwnable.kr/bin/memcpy.c