Spoilery comment, but I assume it's okay since there are already spoilers commented. So it appears that the address for the "admin" global variable is the 7th parameter on the stack. Two questions about this:
1. When using objdump/ghidra, I saw the address for admin was something like "0010407c". When using the string format exploit to print out the stack values, the 7th parameter always ended in 7c but otherwise was completely different every time. Is this due to address randomization moving around the BSS segment?
2. I assume the address of "admin" is only on the stack in the first place due to it being a leftover pushed argument when calling strcpy(admin_cpy, (char *)&admin)?
Thanks!