Cyclic Pattern Generator (de Bruijn)

Generate the same cyclic patterns that pwntools cyclic and msf-pattern_create produce, then look up the offset of any 4-8 byte slice you saw at crash time. This lets you find the exact distance to RIP/EIP without leaving the browser.

Pattern

aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaaaAaaaBaaaCaaaDaaaEaaaFaaaGaaaHaaaIaaaJaaaKaaaLaaaMaaaNaaaOaaaPaaaQaaaRaaaSaaaTaaaUaaaVaaaWaaaXaaa

200 bytes generated

How cyclic patterns find the saved return address

A de Bruijn sequence of order n over an alphabet of size k contains every possible length-n string as a contiguous substring exactly once. That uniqueness is the trick: if you flood a vulnerable buffer with the pattern and crash the program, the bytes that landed in RIP (or EIP, or any other corrupted register) appear at one and only one position in the pattern. Look up that position and you know the exact distance from your buffer to the saved return address.

On x86 (32-bit) you usually want n=4 because EIP is 4 bytes. On x86_64 use n=8.

When you crash, GDB shows the corrupted register as a number, so the pattern bytes read in reverse (little-endian) order. Use the “Hex (LE-reversed)” mode to paste a value such as 0x6361616461616263 and have the tool reverse it before searching. Alternatively, copy the ASCII directly out of the crashing program’s output and use ASCII mode.
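The generate-then-look-up flow described above, as an added Python example (not this tool's or pwntools' own code). The a-z then A-Z alphabet is an assumption inferred from the pattern shown on this page; the function names are chosen here and the register value in the demo is constructed.

```python
from itertools import islice
import string

# Assumption: alphabet is a-z followed by A-Z, inferred from the pattern shown above.
ALPHABET = (string.ascii_lowercase + string.ascii_uppercase).encode()

def de_bruijn(alphabet, n):
    """Lazily yield the de Bruijn sequence B(k, n) as byte values (Lyndon-word method)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:  # emit only Lyndon words whose length divides n
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)

def cyclic(length, n=4, alphabet=ALPHABET):
    """First `length` bytes of the pattern; n=4 for EIP, n=8 for RIP."""
    out = bytes(islice(de_bruijn(alphabet, n), length))
    if len(out) < length:
        raise ValueError("requested length exceeds the full sequence (k**n bytes)")
    return out

def find_offset(pattern, needle, n=4):
    """Offset of `needle` in `pattern`, or -1. Slices shorter than n are not unique."""
    if len(needle) < n:
        raise ValueError(f"need at least {n} bytes for a unique match")
    return pattern.find(needle)

def find_offset_hex_le(pattern, hex_value, n=4):
    """'Hex (LE-reversed)' mode: take a register value as the debugger prints it."""
    raw = int(hex_value, 16).to_bytes(n, "little")  # number -> bytes in memory order
    return find_offset(pattern, raw, n)

if __name__ == "__main__":
    pat = cyclic(200)
    print(pat.decode())
    print(find_offset_hex_le(pat, "0x61616174"))  # constructed sample register value
```

A result of -1 means the register bytes did not come from the pattern, or the pattern sent was shorter than the distance to the saved return address.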

Once you have the offset, build the actual exploit payload with the pwntools Payload Builder (p32 / p64) and inspect raw bytes with the Hex Viewer.