radare2 cannt get crash address

[CuB3y0nd]

Environment

Mon Aug 14 10:53:22 AM CST 2023

radare2 5.8.9 31015 @ linux-x86-64
birth: git.5.8.8-420-g25a0777d61 2023-08-14__19:59:42
commit: 25a0777d613486f190ea99fa5399754e2eaba1c6
options: gpl -O? cs:5 cl:2 make

Linux x86_64

Description

Can't get crash address in 64-bit program.

Test

This is my source code:

// gcc source.c -o vuln-64 -no-pie -fno-stack-protector

#include <stdio.h>

void vuln() {
  char buffer[40];
  puts("Overflow Me");
  gets(buffer);
}

int main() { vuln(); }

void flag(int check, int check2) {
  if (check == 0xdeadc0de && check2 == 0xc0ded00d) {
    puts("Got it!");
  }
}

Here is the debug interface:

λ ~ r2 -A -d ./vuln-64
WARN: Memory Maps cannot be listed without the debugger. See 'om' instead
INFO: Analyze all flags starting with sym. and entry0 (aa)
INFO: Analyze all functions arguments/locals (afva@@@F)
INFO: Analyze function calls (aac)
INFO: Analyze len bytes of instructions for references (aar)
INFO: Finding and parsing C++ vtables (avrr)
INFO: Skipping type matching analysis in debugger mode (aaft)
INFO: Propagate noreturn information (aanr)
INFO: Use -AA or aaaa to perform additional experimental analysis
[0x7fa8ac3cb280]> s main; pdf
            ; DATA XREF from entry0 @ 0x40106d(r)
┌ 21: int main (int argc, char **argv, char **envp);
│           0x0040115a      55             push rbp
│           0x0040115b      4889e5         mov rbp, rsp
│           0x0040115e      b800000000     mov eax, 0
│           0x00401163      e8caffffff     call sym.vuln
│           0x00401168      b800000000     mov eax, 0
│           0x0040116d      5d             pop rbp
└           0x0040116e      c3             ret
[0x0040115a]> db 0x00401168
[0x0040115a]> dc
Overflow Me
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmABnABoABpABqABrABsABtABuABvABwABxAByABzAB1AB2AB3AB4AB5AB6AB7AB8AB9AB0ACBACCACDACEACFACGACHACIACJACKACLACMACNACOACPACQACRACSACTACUACVACWACXACYACZACaACbACcACdACeACfACgAChACiACjACkAClACmACnACoACpACqACrACsA
[+] SIGNAL 11 errno=0 addr=0x00000000 code=128 si_pid=0 ret=0
[0x00401159]>

The buffer is 40 Bytes, I use ragg2 -r -P 500 generated 500 Bytes send into overflow, but it didn't get crash address.

It can overflow 32-bits program and get the crash addr with same steps above.