# De Bruijn Sequences

A De Bruijn sequence of order `n` is simply a sequence in which no substring of `n` characters is repeated. This makes finding the offset until EIP much simpler - we can just pass in a De Bruijn sequence, read the value that ends up in EIP and find the **one possible match** within the sequence to calculate the offset. Let's do this on the **ret2win** binary.

### Generating the Pattern

Again, `radare2` comes with a nice command-line tool (called `ragg2`) that can generate it for us. Let's create a sequence of length `100`.

```
$ ragg2 -P 100 -r
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
```

The `-P` specifies the length, while `-r` tells it to print the pattern as ASCII characters rather than hex pairs.

### Using the Pattern

Now we have the pattern, let's just input it in `radare2` when prompted for input, make it crash and then calculate how far along the sequence the EIP is. Simples.

```
$ r2 -d -A vuln

[0xf7ede0b0]> dc
Overflow me
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x41534141 code=1 ret=0
```

The address it crashes on is `0x41534141`; we can use `radare2`'s in-built `wopO` command to work out the offset.

```
[0x41534141]> wopO 0x41534141
52
```

Awesome - we get the correct value!

We can also be lazy and not copy the value.

```
[0x41534141]> wopO `dr eip`
52
```

The backticks mean that `dr eip` is evaluated first, and `wopO` is then run on its result.
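To make the uniqueness property concrete, here is an added Python example (not from the original notes, nor radare2's or ragg2's own code) that builds a genuine De Bruijn sequence and maps a crashing register value back to its offset; `RAGG2_PATTERN` is the 100-byte pattern from above, and the function names are my own.

```python
import struct
from typing import Optional

# The 100-byte pattern ragg2 printed above, copied from the page.
RAGG2_PATTERN = ("AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAW"
                 "AAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh")

def de_bruijn(alphabet: str, n: int, length: Optional[int] = None) -> str:
    """Return a De Bruijn sequence B(k, n) over `alphabet` (k symbols).

    Classic Lyndon-word construction: every window of `n` symbols occurs
    exactly once in the k**n-character result, so a window read back out
    of a register identifies one offset. `length` optionally truncates it.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out: list = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    seq = "".join(alphabet[i] for i in out)
    return seq if length is None else seq[:length]

def all_windows_unique(seq: str, n: int) -> bool:
    """True if no n-character substring of `seq` appears twice."""
    windows = [seq[i:i + n] for i in range(len(seq) - n + 1)]
    return len(windows) == len(set(windows))

def find_offset(pattern: str, crash_value: int, width: int = 4) -> int:
    """Map the register value seen at the crash back to an offset in `pattern`.

    x86 is little-endian, so 0x41534141 sat in memory as bytes 41 41 53 41,
    i.e. the substring "AASA"; that is what we search for. Returns -1 when
    the value is not in the pattern (EIP was not overwritten by our input).
    """
    needle = struct.pack("<I" if width == 4 else "<Q", crash_value).decode("latin-1")
    return pattern.find(needle)

if __name__ == "__main__":
    print(find_offset(RAGG2_PATTERN, 0x41534141))  # 52, matching wopO above
```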
