Pwn helper
ROP
- The r2pm install seems to be broken. Use this method instead:
- Clone the rarop repository (rarop github) and run npm install
- Make a symlink:
  ln -s /path/to/rarop/bin/rarop /usr/local/bin/rarop
- Run with:
  rarop /path/to/binary
Rop'n'roll · The Official Radare Blog
Heap
- Use dmh to see heap memory
Pattern generator / Offset finder
- Use wop to write a De Bruijn pattern. Example: wop 100 @ eax
- To find the length of the pattern that precedes an overwrite (when a register was overwritten using a De Bruijn pattern), use
  wopO eip
- Generate raw De Bruijn patterns using
  ragg2 -P [length] -r
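The mechanism behind wop / wopO / ragg2 -P, as an added example in Python (not code from this page or from radare2): a De Bruijn generator plus the offset lookup a crash triage needs. The lowercase alphabet and 4-byte width are assumptions; ragg2's own pattern bytes differ, so always find offsets with the same tool that generated the pattern.

```python
import string
from itertools import islice
from typing import Iterator, Union


def de_bruijn(alphabet: str, n: int) -> Iterator[str]:
    """Yield the De Bruijn sequence B(k, n) over `alphabet` one character
    at a time (FKM / Lyndon-word algorithm): every length-n substring is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[str]:
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


ALPHABET = string.ascii_lowercase   # assumption: not ragg2's alphabet
WIDTH = 4                           # unique-window width: one 32-bit register


def pattern(length: int) -> str:
    """Like `ragg2 -P <length> -r` in spirit: the first `length` bytes of the
    sequence, so every 4-byte window is unique and therefore locatable."""
    return "".join(islice(de_bruijn(ALPHABET, WIDTH), length))


def pattern_offset(value: Union[int, str], max_len: int = 8192) -> int:
    """Like `wopO eip` in spirit: given the value that landed in a register
    (an int read little-endian, or the 4-char string), return how many
    pattern bytes preceded it, or -1 if it did not come from the pattern."""
    if isinstance(value, int):
        needle = value.to_bytes(WIDTH, "little").decode("latin-1")
    else:
        needle = value[:WIDTH]
    return pattern(max_len).find(needle)


if __name__ == "__main__":
    # Constructed scenario: 32 pattern bytes were written and the crash shows
    # eip == 0x61616163 ("caaa" little-endian), i.e. 8 bytes preceded it.
    print(pattern(32), pattern_offset(0x61616163))   # -> aaaabaaacaaadaaaeaaafaaagaaahaaa 8
```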
Pattern searches
- Use /p [int] to search for repeated patterns. The int specifies the length of the pattern. Could be helpful in finding user input across the binary.
- Search for asm opcodes by using /a. Example: /a jmp esp
Online writeups
Pwning exploit400 from the Nullcon 2014 CTF with radare2