Academy - Stack-Based Buffer Overflows on Linux x86

I’ve been stuck on the “Take control of EIP” question for a few days now.
I know the offset, and from what I understand, that means the EBP is that many bytes into higher memory from the ESP.

Since the question is asking to examine the registers and return the address of EBP, I figured it’s just (address of ESP) + (offset received using the pattern_offset.rb script) = address of EBP.

The offset is definitely correct, as I can overwrite the EBP using that exact number of bytes.

I have also tried simply setting a breakpoint at main, and using “info registers” to examine the registers and return the value of EBP. I’m kind of running out of ideas and I think I’m just confusing myself more now.

Any help is appreciated.


Hey there, don’t overcomplicate the task! Just run the program and when it crashes with your payload, check the value in EBP! Hope it helps!

carbonicOwl

Thanks for both the question and the clarification. The question is incorrect in that it is asking for something other than what it wants. It asks for the address of EBP when it wants the value (pattern) within EBP. Other people have reported this and the question should really be fixed.

An aside, IMHO, a better question would be to ask for the pattern offset of EBP. Determining the correct pattern offset implies the student knows both how to examine EBP’s value as well as apply other techniques outlined within the lesson.

To be clear, I am really enjoying the module, and other modules in the path, but wanted to share my two cents on this.

Given the question in that section of the module, I’ve tried:

1.) Running the program as is
2.) Checking the ebp register.
3.) Inputting the address as the answer
4.) Answer is incorrect

Since this did not work, I thought maybe it’s referring to the address of ebp at main. I tried:
1.) Setting a breakpoint at main
2.) Running program
3.) Inputting the address of ebp at that breakpoint
4.) Answer is incorrect

At this point, I’m pretty confused. Going over my notes again. Reading through that section again. I saw this thread on the forum and decided to do the following:
1.) Create the string using the python tool provided in the section
2.) Inputting the command provided in the section example, using the string.
3.) Running the program
4.) Checking register ebp and submitting the address as the answer
5.) Answer is incorrect

I know I’m doing something wrong here. I’m out of ideas. Any hints?

*Edit. I’ve also tried reversing the order of bytes from the address due to little endianness, still not the correct answer.

Hi, I would also like to reply to this question as I also didn’t understand what was asked…

My understanding was that we had to find out what the EBP address was before we overwrite it with a payload. I think that would reflect the knowledge you have about this topic better.
Also the question is very confusing.

For the people that are stuck on this question, just follow the same steps at the top of the read section and paste the value EBP has after you run it.

Maybe for your own understanding, try to find out the address of EBP before you overwrite it! (This is not the answer to the question :slight_smile:)