r/HowToHack 1d ago

programming Help Needed: SEED Lab Format String Attack (ARM64) - Task 3.B - Offset/Alignment failing despite 1-80 scan

Hello everyone,

I am working on the SEED Lab: Format String Attack (ARM64 version). I am currently stuck on Task 3.B, where the goal is to change a target variable's value to 0x5000.

My Environment:

Lab: SEED Labs - Format String Attack (ARM64)

Target Address: 0x0000000000490040

Target Value (Before): 0x1122334455667788

Input Buffer Address: 0x0000fffffffff508

Architecture: 64-bit ARM (Ubuntu 20.04)

The Problem: I cannot get the "Value (after)" to change at all. I have tried over 80 different offsets. Every time I run the exploit, the server output shows the target address bytes being printed as text (appearing as the @ symbol, which is 0x40), but the %n operator never successfully writes to the memory.

What I have tried:

Front-loading the address: Placing the 8-byte address at the very start of the payload and using %64$n (based on where the buffer starts).

Padding for Alignment: Using 8-byte markers like ABCDEFGH to force 64-bit alignment.

Brute Force: Running a script to test every offset from 1 to 80.

Large Widths: Using %20480x and %p strings to reach the required character count.

Observation: In my output, I often see ABCDEFGH@The target variable's value (after). This suggests printf is parsing the address as part of the string to be printed rather than using it as an argument for %n. Because the address 0x490040 contains null bytes in 64-bit (40 00 49 00 00 00 00 00), I suspect the null bytes might be terminating the format string if I put the address at the beginning. However, putting it at the end hasn't worked either.

Question: On this specific ARM64 SEED Lab setup, is there a known issue with stack alignment or a specific hidden offset required to reach the buffer? How do you handle the null bytes in the target address when constructing the payload for printf?
