I have a basic idea of binex (did the Ellingston root both the manual and auto way) but can't crack this one.
My idea: I realised there's an rbp register that contains the last 16 bytes of the input. I found 120 chars cause an overflow, so I searched for:
system call at 0x401040,
pop_rdi at 0x40120b
pop_rbp at 0x401139
Now, /bin/sh is only 7 chars, but //bin/sh works just fine, so I used that, made junk of 120-8 = 112 chars and assembled a ROP chain like:
junk + '//bin/sh' + pop_rdi + pop_rbp + sys
Executing it results in:
sh: $']\303\017\037D': command not found
So that makes me think I'm onto something; I just gotta get rid of that nonsense static crap afterward. I just can't find what causes it.
Please nudge/help me, and of course also tell me if I'm doing something stupid.