- Bug 1:
printf(player_name). - Bug 2: glibc
TYPE_3RNG is used with a 3-byte seed. We can just bruteforce it and win any amount of money we want. - Leak all the addresses we want.
- Use
%nto overwrite the LSB of pointer to money, so that it points to the feedback address instead. - Play 1 round and recover the RNG seed.
- Play another round and bet a very specific amount of money, so that the feedback address is changed to the address of the return address.
- Enter one_gadget address as feedback.
warmup
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
parent directory.. | ||||