
Binary Protection Bypass
Look up which binary-exploitation bypass works against ASLR, PIE, and related protections when you are auditing or CTF-solving native code with an agent.
Overview
Binary Protection Bypass is an agent skill for the Ship phase that cross-references exploit bypass techniques against binary protections and the primitives each technique requires.
Install
npx skills add https://github.com/yaklang/hack-skills --skill binary-protection-bypass
What is this skill?
- Protection × bypass × primitive matrix for ASLR, PIE, and related mitigations
- Per-technique success rates and architecture notes (e.g. brute force vs ret2dlresolve)
- Deterministic leak paths: format string, OOB read, UAF read, stack reading
- No-leak options: SROP, ret2dlresolve, partial overwrite, return-to-PLT
- Designed as companion lookup after loading the parent protection-bypass SKILL.md
- ASLR brute force ~1/4096 success rate noted for 32-bit x86
- Partial overwrite success described as 1/16 per nibble for page offset
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know a binary has ASLR or PIE enabled but cannot quickly match a viable bypass to the primitive you actually have in the bug.
Who is it for?
Authorized binary security work, CTF prep, or agent-led exploit planning when protections are already identified.
Skip if: Casual indie web-app shipping, beginners learning HTTP security, or any unauthorized target testing.
When should I use this skill?
Load for systematic lookup of which bypass technique works against which protection and what primitive is required, after the parent protection-bypass SKILL.md context.
What do I get? / Deliverables
You get a ranked matrix of bypass options, required primitives, and architecture notes so the next exploitation step is chosen systematically instead of by guesswork.
- Chosen bypass technique matched to protection and available primitive
- Architecture-aware exploitation plan notes
Journey fit
Canonical shelf is Ship because the matrix supports pre-release and adversarial security review of binaries, not day-one product ideation. Security subphase fits a cross-reference playbook for exploit primitives and protection bypasses rather than feature implementation.
How it compares
Use as a structured lookup matrix alongside per-protection SKILL.md depth, not instead of dynamic debugging with GDB or lldb.
Common Questions / FAQ
Who is binary-protection-bypass for?
Security researchers, CTF players, and agent operators doing authorized native binary analysis who need a fast protection-to-bypass map.
When should I use binary-protection-bypass?
During Ship security review when ASLR, PIE, or stack mitigations block your chain and you must pick leak, partial overwrite, ret2dlresolve, SROP, or PLT-based paths.
Is binary-protection-bypass safe to install?
It is documentation-only knowledge; review the Security Audits panel on this page and only apply techniques on systems you are allowed to test.
SKILL.md
SKILL.md - Binary Protection Bypass
# Protection Bypass Matrix — Comprehensive Cross-Reference

> **AI LOAD INSTRUCTION**: Load this for a systematic lookup of which bypass technique works against which protection, and what primitive is required. Assumes [SKILL.md](./SKILL.md) is loaded for individual protection details.

---

## 1. PROTECTION × BYPASS × PRIMITIVE MATRIX

### ASLR Bypass

| Bypass Technique | Required Primitive | Success Rate | Architecture | Notes |
|---|---|---|---|---|
| Format string leak | `printf(user_input)` | 100% (deterministic) | Any | `%p` leak stack/libc/heap addresses |
| OOB read | Array bounds violation | 100% | Any | Read adjacent pointers |
| UAF read | Use-after-free | 100% | Any | Read freed chunk fd/bk → libc/heap |
| Brute force | Ability to retry | ~1/4096 (32-bit) | x86 only | Infeasible on 64-bit (28-bit entropy) |
| Partial overwrite | 1-2 byte write | 1/16 per nibble | Any | Page offset (12 bits) is fixed |
| ret2dlresolve | Stack overflow + writable area | 100% | Any | No ASLR knowledge needed |
| SROP | Stack overflow + sigreturn gadget | 100% | Any | Set all registers without knowledge |
| Return-to-PLT | Stack overflow | 100% | No PIE | PLT addresses fixed without PIE |
| Stack reading | Fork server + crash oracle | 100% | Any | Byte-by-byte in child process |
| stdout FILE abuse | Write to stdout structure | 100% | Any | Partial overwrite `_IO_write_base` |

### PIE Bypass

| Bypass Technique | Required Primitive | Success Rate | Notes |
|---|---|---|---|
| Leak .text pointer | Read from stack (return addr) | 100% | PIE base = addr - offset |
| Partial overwrite | 1-2 byte overflow | 1/16 | Last 12 bits fixed |
| BROP | Fork server, crash probing | ~100% | Blind discovery without binary |
| Relative addressing | Known offset between objects | 100% | Intra-binary references |

### NX Bypass

| Bypass Technique | Required Primitive | Gadget Requirement | Notes |
|---|---|---|---|
| ROP chain | Stack overflow | `pop reg; ret` gadgets | Standard approach |
| ret2libc | Stack overflow | `pop rdi; ret` (64-bit) | Call system/execve |
| ret2csu | Stack overflow | `__libc_csu_init` | 3 args without `pop rdx` |
| SROP | Stack overflow | `syscall; ret` + sigreturn | Set all registers |
| mprotect chain | Stack overflow + known address | `pop rdi/rsi/rdx; ret` | Make page RWX |
| JIT spray | JIT engine present | None | Plant code in JIT pages |

### Canary Bypass

| Bypass Technique | Required Primitive | Condition | Notes |
|---|---|---|---|
| Format string leak | `printf(user_input)` | Canary on stack before return addr | `%N$p` reads canary |
| Brute force | Fork server | Canary same in child | 256 × 7 attempts (64-bit) |
| Stack reading | One-byte write/read | Overwrite null byte, read error | Output-based oracle |
| Thread TLS overwrite | Large overflow | Overflow reaches `fs:[0x28]` | Overwrite canary source |
| `__stack_chk_fail` GOT | Partial RELRO + write | GOT writable | Replace with no-op |
| Avoid stack entirely | Heap vulnerability | No canary on heap | Heap exploitation path |

### RELRO Bypass

| RELRO Level | Writable Targets | Bypass |
|---|---|---|
| None | `.got`, `.got.plt`, `.dynamic` | Direct GOT overwrite |
| Partial | `.got.plt` (lazy binding entries) | GOT overwrite on lazy-bound functions |
| Full | Nothing in GOT | `__malloc_hook` (pre-2.34), `_IO_FILE`, `exit_funcs`, stack, `.fini_array` |

### Full RELRO Alternative Target Matrix

| Target | glibc Version | Required Knowledge | Overwrite Size | Trigger |
|---|---|---|---|---|
| `__malloc_hook` | < 2.34 | libc base | 8 bytes | Any malloc (printf with large fmt) |
| `__free_hook` | < 2.34 | libc base | 8 bytes | Any free |
| `__realloc_hook` | < 2.34 | libc base | 8 bytes | Any realloc |
| `_IO_list_all` | Any | libc base | 8 bytes | exit / abort |
| `_IO_FILE vtable` | Any (bypass varies) | libc base + heap | 8 bytes + fake vtable | I/O operation or exit |
| `__exit_funcs` | Any | libc base + pointer guard | 8 bytes (mangled) | exit() |
| `TLS_dtor