Hdhub4ubike -

if __name__ == "__main__": main() Running the script prints the flag instantly:

// compare with a secret stored in the .rodata section if (strcmp(key, secret_key) != 0) return 0; hdhub4ubike

/* ---------------------------------------------------- */ int check_key(const char *key) // key must be exactly 0x30 bytes long if (strlen(key) != 0x30) return 0; if __name__ == "__main__": main() Running the script

0x0040119f: lea rdi, [rip+0x2000] ; address of the flag string 0x004011a6: call puts@plt 0x004011a6 is the (the call instruction itself). If we return to this address after the overflow, the program will execute the puts call with the correct argument already loaded (the lea instruction that loads the flag pointer into rdi is right before it). The flag is printed without ever passing the check_key test

=== Welcome to the HD Bike Hub === Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3 Success! The flag is printed without ever passing the check_key test. If you prefer a “classic� shellcode approach, you can place a /bin/sh payload on the stack and return to it.

$ ./hdhub4ubike === Welcome to the HD Bike Hub === Enter your hub key: Static analysis quickly reveals that the binary is stripped (no symbols) and that it is compiled with , -z execstack , and -no-pie – classic “easy pwn� settings.