Types

Other

De Bruijn Sequences

The better way to calculate offsets

De Bruijn sequences of order **one possible match** within the sequence to calculate the offset. Let's do this on the **ret2win** binary.

`n`

is simply a sequence where no string of `n`

characters is repeated. This makes finding the offset until EIP much simpler - we can just pass in a De Bruijn sequence, get the value within EIP and find the Generating the Pattern

Again,

`radare2`

comes with a nice command-line tool (called `ragg2`

) that can generate it for us. Let's create a sequence of length `100`

.$ ragg2 -P 100 -r

AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh

The

`-P`

specifies the length while `-r`

tells it to show ascii bytes rather than hex pairs.Using the Pattern

Now we have the pattern, let's just input it in

`radare2`

when prompted for input, make it crash and then calculate how far along the sequence the EIP is. Simples.$ r2 -d -A vuln

â€‹

[0xf7ede0b0]> dc

Overflow me

AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh

child stopped with signal 11

[+] SIGNAL 11 errno=0 addr=0x41534141 code=1 ret=0

The address it crashes on is

`0x41534141`

; we can use `radare2`

's in-built `wopO`

command to work out the offset.[0x41534141]> wopO 0x41534141

52

Awesome - we get the correct value!

We can also be lazy and not copy the value.

[0x41534141]> wopO `dr eip`

52

The backticks means the

`dr eip`

is calculated first, before the `wopO`

is run on the result of it.Last modified 1yr ago

Export as PDF

Copy link

On this page

Generating the Pattern

Using the Pattern