Checksec & Binary Protections Quick Reference
==============================================

CHECKSEC
  checksec ./binary              Check all protections
  checksec --file=./binary       Same (explicit)

PROTECTIONS EXPLAINED

  RELRO (Relocation Read-Only)
    No RELRO         GOT is writable — easy GOT overwrite
    Partial RELRO    Some sections read-only after load
    Full RELRO       GOT fully read-only — no GOT overwrite

  Stack Canary
    No canary found  Stack buffer overflow is straightforward
    Canary found     Random value on stack — must leak or bypass

  NX (No-Execute)
    NX disabled      Can execute shellcode on stack/heap
    NX enabled       Stack/heap not executable — use ROP/ret2libc

  PIE (Position Independent Executable)
    No PIE           Binary at fixed address — addresses known
    PIE enabled      ASLR for binary — need info leak

  ASLR (Address Space Layout Randomization)
    Check:  cat /proc/sys/kernel/randomize_va_space
    0 = off, 1 = partial, 2 = full
    Disable (as root): echo 0 > /proc/sys/kernel/randomize_va_space

PWNTOOLS CHECKSEC
  from pwn import *
  e = ELF("./binary")
  # Prints protections automatically

  e.pie              # True/False
  e.canary           # True/False
  e.nx               # True/False

FILE COMMAND
  file ./binary      Architecture, linking, stripped?

READELF
  readelf -h binary   ELF header
  readelf -S binary   Section headers
  readelf -l binary   Program headers
  readelf -s binary   Symbol table
  readelf -d binary   Dynamic section
  readelf -r binary   Relocations

COMMON CTF STRATEGY
  No canary + No PIE + No NX    → Direct shellcode on stack
  No canary + No PIE + NX       → ret2libc / ROP
  Canary + No PIE + NX          → Leak canary, then ROP
  Canary + PIE + NX             → Leak canary + PIE base, ROP
  Full RELRO + all protections  → Look for format string / logic bugs
