Here's what it looks like when the binary is executed.

The buffer overflow exists after answering the second question.

If we decompile the binary with Ghidra, we can see the function that is called when the program starts from the main function.

After the snowman function ends, it calls another function named investigate().

The buffer variable is 64 bytes long.

This is a 64-bit executable, so if we want to overwrite the return address, we must add an extra 8 bytes for the saved EBP (RBP on x86-64).

If we check the security properties with checksec, we can see that NX is enabled, so we can't simply put shellcode on the stack. But PIE is disabled, so we can get the actual addresses in the program.
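To show the bug class the writeup describes and what its fix looks like, here is an added C example (not the challenge binary's code): a hypothetical investigate()-style answer check with an unbounded strcpy into a 64-byte stack buffer beside a bounded version, plus a helper that reports which stack slot an input of a given length reaches on the 64 + 8 layout described above. The expected answer string and function names are constructed.

```c
#include <stddef.h>
#include <string.h>

#define ANSWER_LEN 64                 /* the 64-byte stack buffer from the writeup */
#define EXPECTED   "north pole"       /* constructed answer; not the challenge's */

/* Vulnerable pattern (hypothetical reconstruction, not the binary's code):
 * strcpy copies the whole input, so any input of 64 bytes or more runs past
 * `answer` into the saved RBP (8 bytes on x86-64) and then the return address.
 * Returns 1 on match, 0 otherwise. Only ever call it with short input. */
int check_answer_vulnerable(const char *input) {
    char answer[ANSWER_LEN];
    strcpy(answer, input);            /* no length check: stack overflow */
    return strcmp(answer, EXPECTED) == 0;
}

/* Hardened version: measure first, reject anything that cannot fit together
 * with its terminating NUL, and copy with an explicit bound.
 * Returns 1 on match, 0 on mismatch, -1 when the input is rejected. */
int check_answer_safe(const char *input) {
    char answer[ANSWER_LEN];
    size_t n = strlen(input);
    if (n >= ANSWER_LEN)
        return -1;                    /* n bytes + NUL would exceed 64 */
    memcpy(answer, input, n + 1);     /* bounded copy, NUL included */
    return strcmp(answer, EXPECTED) == 0;
}

/* Which stack slot an input of `len` bytes reaches on this layout:
 * 0 = fits in the buffer, 1 = spills into the saved frame pointer,
 * 2 = reaches the saved return address (64 + 8 bytes past the start).
 * Useful when triaging a crash: it tells you what a given oversize
 * input would have clobbered. */
int overflow_reach(size_t len) {
    size_t written = len + 1;         /* the NUL terminator is written too */
    if (written <= ANSWER_LEN)       return 0;
    if (written <= ANSWER_LEN + 8)   return 1;
    return 2;
}
```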