Library hooking & Code caving
Details
For this third event, we will continue the exploitation of Pwn Adventure 3 from where we left off at the end of meetup #1.
Pwn Adventure 3 is an intentionally vulnerable online RPG developed by Vector35 for the Ghost in the Shellcode 2015 CTF. To avoid spending too much time on preparation, I expect you to download the client and make sure you can run the game before joining the workshop.
Windows client: http://pwnadventure.com/PwnAdventure3_Windows.zip
Linux client: http://pwnadventure.com/PwnAdventure3_Linux.zip
We will also need a disassembler; I would recommend IDA Free: https://hex-rays.com/ida-free/#download
⏪ LIBRARY HOOKING & CODE CAVING
For this workshop, we will apply on the fly the changes we made during the first meetup, i.e. running faster and jumping higher. This will be possible with two different techniques.
- Hooking the game logic library using LD_PRELOAD (Linux): we will build a shared library that defines a class with the same exported function names, so that our arbitrary instructions execute instead of the original ones.
- Code caving: create a code cave, re-route the execution flow into our cave holding arbitrary instructions, then return to the calling function.
🗺️ LOCATION
The University of Louvain-La-Neuve (UCL) will be hosting DCG3210 events. This time, every member of the DEF CON GROUP is allowed to attend on premises. For those who cannot attend, you can still follow the event on our Discord, where I will stream the presentation and the workshop.
Discord: https://discord.gg/DJRJD8V5?event=967519985264132107
