Why can integer store a hex value but cannot store the same value in decimal?


I most recently successfully exploited a C executable by causing its char array to overflow in to another variable. I did this by piping in the output of exploit1.py in to the command line which was accepted as an argument by lab2C. Here is the command I used: ./lab2C.exe "$(python /tmp/exploit1.py)". The final exploit1.py file looks like this:


def main():



I had read in Hacking: The Art of Exploitation, by Jon Erickson, that you could pipe in hex byte code in to a file using the command line so I tried it and I was successful in calling the shell() function.

One thing I am still confused about, however, is why piping in the decimal version of 0xdeadbeef as an argument does not work. Here is the original file that I attempted to pipe the output of in to the command line:

exploit1.py (original):

def main():



When I did this the command line returned the following:

Not authenticated.
set_me was 892548915

Why does this not work? Is it because the integer container cannot hold the decimal value of 0xdeadbeef because it is too large? If that is the case, why can the integer accept the hex byte code equivalent?

Specs- Architecture: i686; CPU op-mode(s): 32-bit, 64-bit; Kernel name: Linux; Kernel-version: #40~14.04.1-Ubuntu; Compiler-version: Ubuntu 4.8.4-2ubuntu1~14.04

(Here is lab2C for reference): lab2C:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void shell()
    printf("You did it.\n");

int main(int argc, char** argv)
    if(argc != 2)
            printf("usage:\n%s string\n", argv[0]);
            return EXIT_FAILURE;

    int set_me = 0;
    char buf[15];
    strcpy(buf, argv[1]);

    if(set_me == 0xdeadbeef)
            printf("Not authenticated.\nset_me was %d\n", set_me);

    return EXIT_SUCCESS;
asked on Stack Overflow May 4, 2018 by Darien Springer • edited May 4, 2018 by Darien Springer

1 Answer


0xdeadbeef is equal to 3735928559, but "3735928559" is equal to

>>> [hex(ord(c)) for c in "3735928559"]
['0x33', '0x37', '0x33', '0x35', '0x39', '0x32', '0x38', '0x35', '0x35', '0x39']

That is, "\x33\x37\x33..."

The deal with this exploit is that the representation of an integer is overwritten with the representation of a string, not the parsed value of the string.

answered on Stack Overflow May 4, 2018 by N00byEdge

User contributions licensed under CC BY-SA 3.0