ARM64 ROP


CSE 598 AVR - Fall 2024

ARM64 has a number of differences in the calling convention, prologues, and epilogues that cause ROP to be different than on x86_64.

Because these challenges are running on an x86-64 host, you might need any of the aarch64-linux-gnu-* tools, such as aarch64-linux-gnu-objdump.

gdb is now a 2-step process:

In one terminal / tmux window:

$ /usr/bin/qemu-aarch64-static -g 1234 /challenge/level-1-0

In another:

$ gdb-multiarch /challenge/level-1-0
(gdb) target remote localhost:1234


Challenges

The goal of this level is quite simple: redirect control flow to the win function.

The goal of this level is quite simple: redirect control flow to the win function.

Now let's see about redirect control flow to multiple functions.

Now let's see about redirect control flow to multiple functions.

What about passing arguments to multiple functions?

What about passing arguments to multiple functions?

If you did the last one correctly this should be easy.

If you did the last one correctly this should be easy.

Now, let's just pop stuff

Now, let's just pop stuff

Now that you have the hang of things, how about you pop a statically compiled binary with no inserted gadgets?

Other compilers are different, let's now do a few levels that are compiled by gcc instead of clang to see the difference.

It seems that compilers can do very strange things, including breaking things, yet I have faith in the hackers...


30-Day Scoreboard:

This scoreboard reflects solves for challenges in this module after the module launched in this dojo.

7-Day | 30-Day | All-Time

Rank Hacker Badges Score