❑ File overview
❍ The 32-bit ELF "bf" from pwnable.kr is used. It links against one shared library, "bf_libc.so".
❍ .plt : 08048430
❍ .got.plt : 0804a000
The address stored for "fgets" changes once the shared library is loaded.
Before execution, a call to "fgets" goes to its PLT stub (0x8048450); after execution, the "got" entry for "fgets" holds the resolved library address (0xf7e65620).
The "fgets" address (0xf7e65620) is written into "got" only while the process is running; when the process is not running, the entry holds 0x08048456, which is not the real address.
This is because the shared library must be loaded into the process's memory to determine the address of "fgets".
The base address of the loaded library (bf_libc.so) is a function's address in "got" minus that function's offset within the library. The offset of "fgets" (0x5d540) can be read from the shared library, as shown in the image above.
In this case, the base address of the loaded shared library is 0xf7e080e0 (0xf7e65620 - 0x5d540).
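The same calculation, written as a small checker rather than done by hand. This is an added example, not part of the pwnable.kr write-up or of the "bf" challenge files. The .plt start, the "fgets" GOT value and the "fgets" offset are the values from this page; the end of .plt, the "puts" offset, the "memset" entry and the gdb-style dump lines are constructed for illustration. The checker tells lazy (still pointing into .plt) entries apart from resolved ones, and derives the library base from every resolved entry so that the results can be cross-checked against each other.

```python
"""Classify .got.plt entries and derive the shared-library base from them.

Added example, not code from the write-up. The .plt address and the fgets
values come from the page; everything else is constructed (see comments).
"""
import re

PLT_START = 0x08048430   # .plt start, from the page
PLT_END = 0x08048500     # assumed end of .plt (not given on the page)
PAGE_SIZE = 0x1000

# Symbol offsets inside bf_libc.so. fgets is from the page; puts is constructed.
LIBC_OFFSETS = {
    "fgets": 0x5d540,
    "puts": 0x5fca0,
}

# Constructed gdb-style dump of .got.plt taken while the process is running,
# after fgets and puts have been called once but memset has not.
GOT_DUMP = """\
0x0804a00c <fgets@got.plt>:  0xf7e65620
0x0804a010 <puts@got.plt>:   0xf7e67d80
0x0804a014 <memset@got.plt>: 0x08048476
"""

_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+<(\w+)@got\.plt>:\s+(0x[0-9a-fA-F]+)$")


def parse_got_dump(text):
    """Return a list of (got_address, symbol_name, stored_value) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        got_addr, name, value = m.groups()
        entries.append((int(got_addr, 16), name, int(value, 16)))
    return entries


def classify(value):
    """'lazy' if the entry still points back into .plt, else 'resolved'."""
    return "lazy" if PLT_START <= value < PLT_END else "resolved"


def derive_base(entries, offsets):
    """Base = resolved GOT value - symbol offset, cross-checked over all symbols.

    Raises ValueError if no entry is resolved yet, if a resolved symbol has no
    known offset, or if different symbols disagree on the base (which is what
    an overwritten GOT entry or a wrong offset table looks like).
    """
    bases = {}
    for _addr, name, value in entries:
        if classify(value) == "lazy":
            continue
        if name not in offsets:
            raise ValueError(f"no offset known for resolved symbol {name}")
        bases[name] = value - offsets[name]
    if not bases:
        raise ValueError("no resolved entries; the library is not mapped yet")
    distinct = set(bases.values())
    if len(distinct) != 1:
        raise ValueError("resolved entries disagree on the base: "
                         + ", ".join(f"{n}={b:#x}" for n, b in bases.items()))
    return distinct.pop()


def is_page_aligned(addr):
    """A real mmap base is a multiple of the page size."""
    return addr % PAGE_SIZE == 0


if __name__ == "__main__":
    got = parse_got_dump(GOT_DUMP)
    for addr, name, value in got:
        print(f"{addr:#010x} {name:<8} {value:#010x} {classify(value)}")
    base = derive_base(got, LIBC_OFFSETS)
    print(f"library base: {base:#x} (page aligned: {is_page_aligned(base)})")
```

The offset table must come from the same build of the library that is mapped into the process; if it does not, the per-symbol bases will disagree, or the result will not be page aligned. Both are worth checking before trusting a base computed from a single leaked entry.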
❑ Check environment
| Item | Value | Item | Value |
|---|---|---|---|
| OS | Ubuntu 15.10 (64-bit) | CPU | Intel i7-4710MQ 2.50GHz |
| SHELL | GNU bash (4.3.42) | GPU | Gallium 0.4 on SVGA3D |
| RAM | 984 MiB | | |