Rocket Blaster XXX.md
---
abbr:
- "PIE: Position Independent Executable"
---
Category: #pwn
Rated Difficulty: #Easy
Personal Difficulty: #Medium

I learnt about stack alignment on this one, and that parameters for a function are passed in registers instead of being pushed to the stack (unless there are more than 6 parameters for the function). [Read here](https://www.cameronwickes.co.uk/calling-conventions-x86-x64/)

Immediately realised that there was a buffer overflow bug on the read, since the param takes 8 bytes but the read will read 0x66 bytes.

Realised that the variable that is vulnerable to buffer overflow is at offset -0x28. This means I have to write 0x28 bytes of junk + 8 bytes for the saved base pointer, and then I will reach the return address.

There is a function that will read the flag, called *fill_ammo*, at address 0x4014fa. Since the binary has no PIE, this address is fixed and can be used directly.

This function expects 3 parameters, so they need to be placed in the registers *rdi*, *rsi* and *rdx*, in that order.

Since we can't write those registers directly, we need a gadget that does `pop rdi; ret` for us (and likewise `pop rsi; ret` and `pop rdx; ret` for the other two).

After finding them, we add them to the payload.

So the final payload looks like `'A' * 40 + p64(RET) + p64(POP_RDI) + p64(0xdeadbeef) + p64(POP_RSI) + p64(0xdeadbabe) + p64(POP_RDX) + p64(0xdeadbeef) + p64(0x4014fa)`, where `RET`, `POP_RDI`, `POP_RSI` and `POP_RDX` are the gadget addresses and the lone `ret` gadget is there to fix stack alignment before the call.
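The root cause described above is a read whose length is taken from the read call (0x66) rather than from the destination buffer (8 bytes). The following is an added example, not the challenge's source code: it shows that pattern beside a bounded version that uses the destination size as the limit, and a helper that reports how many bytes spill past the buffer. The names `load_ammo_unbounded`, `load_ammo_bounded`, `overflow_bytes` and the 8-byte buffer size are assumptions; input is passed in as a constructed byte array instead of coming from stdin so the code runs offline.

```c
/* Added example, not from the write-up or the challenge binary.
 * Shows the read-length mismatch the write-up describes (8-byte buffer,
 * 0x66-byte read) next to a bounded version. All names are hypothetical. */
#include <stddef.h>
#include <string.h>

#define AMMO_LEN 8      /* size of the stack buffer (assumption) */
#define READ_LEN 0x66   /* length the write-up says the read requests */

/* Vulnerable pattern: the copy is bounded by the read length, not the
 * buffer. This mirrors read(0, buf, 0x66) into an 8-byte buffer; anything
 * past 8 bytes lands on the saved rbp and return address. It is not
 * exercised here because calling it with >8 bytes is undefined behaviour. */
size_t load_ammo_unbounded(char *dst, const char *src, size_t src_len) {
    size_t n = src_len < READ_LEN ? src_len : READ_LEN;
    memcpy(dst, src, n);
    return n;
}

/* Hardened pattern: the copy is bounded by the destination size, keeping
 * one byte for a terminator. Returns the number of bytes actually stored. */
size_t load_ammo_bounded(char *dst, size_t dst_len,
                         const char *src, size_t src_len) {
    if (dst_len == 0)
        return 0;
    size_t n = src_len < dst_len - 1 ? src_len : dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* How many input bytes the unbounded pattern would write past the end of
 * an AMMO_LEN buffer for a given input length (0 when it fits). This is the
 * budget that has to cover the write-up's junk + saved rbp + return address. */
size_t overflow_bytes(size_t input_len) {
    size_t n = input_len < READ_LEN ? input_len : READ_LEN;
    return n > AMMO_LEN ? n - AMMO_LEN : 0;
}

/* Driver: a constructed 0x66-byte input of 'A's through the bounded
 * version. Returns the stored byte count (7: room for 7 bytes + NUL). */
int demo(void) {
    char input[READ_LEN];
    memset(input, 'A', sizeof input);          /* constructed sample input */
    char ammo[AMMO_LEN];
    size_t got = load_ammo_bounded(ammo, sizeof ammo, input, sizeof input);
    return (int)got;
}
```

With the write-up's numbers, `overflow_bytes(0x66)` is 94: that is the amount of attacker-controlled data that lands beyond the 8-byte buffer, which is why the offset to the return address and everything after it is reachable from a single read. The bounded version stores at most 7 bytes no matter how long the input is, which is the check to look for when reviewing code that pairs a fixed-size stack buffer with a `read`.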