Types

Other

De Bruijn Sequences

The better way to calculate offsets

De Bruijn sequences of order **one possible match** within the sequence to calculate the offset. Let's do this on the **ret2win** binary.

`n`

is simply a sequence where no string of `n`

characters is repeated. This makes finding the offset until EIP much simpler - we can just pass in a De Bruijn sequence, get the value within EIP and find the Generating the Pattern

Again,

`radare2`

comes with a nice command-line tool (called `ragg2`

) that can generate it for us. Let's create a sequence of length `100`

.1

$ ragg2 -P 100 -r

2

AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh

Copied!

The

`-P`

specifies the length while `-r`

tells it to show ascii bytes rather than hex pairs.Using the Pattern

Now we have the pattern, let's just input it in

`radare2`

when prompted for input, make it crash and then calculate how far along the sequence the EIP is. Simples.1

$ r2 -d -A vuln

2

â€‹

3

[0xf7ede0b0]> dc

4

Overflow me

5

AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh

6

child stopped with signal 11

7

[+] SIGNAL 11 errno=0 addr=0x41534141 code=1 ret=0

Copied!

The address it crashes on is

`0x41534141`

; we can use `radare2`

's in-built `wopO`

command to work out the offset.1

[0x41534141]> wopO 0x41534141

2

52

Copied!

Awesome - we get the correct value!

We can also be lazy and not copy the value.

1

[0x41534141]> wopO `dr eip`

2

52

Copied!

The backticks means the

`dr eip`

is calculated first, before the `wopO`

is run on the result of it.Last modified 1yr ago

Export as PDF

Copy link