An approach for load-time hacking using LD_PRELOAD is presented.
We discuss a simple, yet intriguing, strategy for overcoming the limitations discussed in Part 1 (i.e., the first publication given in the reference) of reverse engineering and exploitation using LD_PRELOAD, a dynamic linking technique. In particular, we relax the need for exit(1) in the main function. The essence of the technique is that both the stack pointer (esp) and the base frame pointer (ebp) are carefully adjusted when the wrapper to the library function is called. The proposed solution allows us to safely return to libc after dynamically modifying the control flow in the wrapper to (library) functions.