adworld (攻防世界) - Expert Area - PWN - Write-up
source link: https://iamywang.github.io/2020/adworld-pwn-2/
0x01 dice_game
```c
char buf[55]; // [rsp+0h] [rbp-50h]
```
Overwrite the seed so that the pseudo-random numbers become deterministic.
First pad with 0x40 bytes, then append p64(1) (the seed sits 0x40 bytes past the start of buf).
```python
from pwn import *
p = remote('220.249.52.133', 54186)
```
Got the flag: cyberpeace{22068165d7b159caeea14a0985464246}
0x02 forgot
```c
int sub_80486CC()
```
We need to construct an overflow that reaches this function; its address is 0x080486CC.
```
...
```
Note the relationship between these variables in main: the overflow has to overwrite one of the int variables with the target function's address.
Afterwards the offset of v14 relative to v3 must point exactly at that variable, so that the function gets called.
Observation: if the input character is 'a', the final value of v14 is 2.
So: overwrite v4.
```python
from pwn import *
```
Final state:
```python
v4 = 0x080486CC
```
flag: cyberpeace{e6862a8733408cc383e336a39d611b47}
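Both challenges above come down to the same bug: an input read with no bound spills past a stack buffer into the variable behind it (the srand() seed in dice_game, a value that is later used for an indirect call in forgot). The following is an added example, not code from this write-up or from the challenge binaries. It models that layout with a constructed struct (the 0x40 distance is taken from the write-up's payload; the struct, the placeholder seed, the handler names and the x86-64 assumption are mine), reproduces the two payload shapes the write-up describes, and shows the bounded read that stops the overwrite plus a table check a defender would put in front of the indirect call.

```c
/* Added example (not from the write-up). Models the dice_game and forgot
 * frames as a buffer followed by the variable the overflow lands on.
 * Layout and values are constructed; only the 0x40 distance and the
 * target address 0x080486CC come from the write-up. Assumes x86-64. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_DIST 0x40                       /* bytes from buf to the next variable */
#define INITIAL_SEED 0x1234567887654321ULL /* constructed placeholder seed */

/* dice_game-style frame: name buffer, then the seed handed to srand(). */
struct dice_frame { char buf[BUF_DIST]; uint64_t seed; };

/* forgot-style frame: buffer, then a slot later used for an indirect call. */
typedef void (*handler_t)(void);
struct forgot_frame { char buf[BUF_DIST]; handler_t slot; };
_Static_assert(sizeof(struct forgot_frame) == BUF_DIST + 8, "assumes 8-byte pointers");

/* Models read(0, buf, N) with N larger than buf: the tail of the input
 * spills into the neighbouring variable. The copy targets the whole frame
 * object so the model itself stays well-defined C. */
static void copy_unbounded(void *frame, const unsigned char *in, size_t len) {
    memcpy(frame, in, len);
}

/* Hardened read: accept at most cap-1 bytes and always NUL-terminate. */
static size_t copy_bounded(char *buf, size_t cap, const unsigned char *in, size_t len) {
    size_t n = len < cap - 1 ? len : cap - 1;
    memcpy(buf, in, n);
    buf[n] = '\0';
    return n;
}

/* Payload shape from the write-up: 0x40 filler bytes followed by p64(value). */
static size_t build_payload(unsigned char *out, uint64_t value) {
    memset(out, 'A', BUF_DIST);
    memcpy(out + BUF_DIST, &value, sizeof value); /* p64(): little-endian 8 bytes */
    return BUF_DIST + sizeof value;
}

/* dice_game, vulnerable: seed after an unbounded copy of the payload (becomes 1). */
uint64_t seed_after_unbounded(void) {
    struct dice_frame f = { {0}, INITIAL_SEED };
    unsigned char payload[BUF_DIST + sizeof(uint64_t)];
    size_t len = build_payload(payload, 1);
    copy_unbounded(&f, payload, len);
    return f.seed;
}

/* dice_game, hardened: same payload, seed untouched. */
uint64_t seed_after_bounded(void) {
    struct dice_frame f = { {0}, INITIAL_SEED };
    unsigned char payload[BUF_DIST + sizeof(uint64_t)];
    size_t len = build_payload(payload, 1);
    copy_bounded(f.buf, sizeof f.buf, payload, len);
    return f.seed;
}

/* Why the seed matters: with a known seed every "dice roll" is predictable. */
void roll_sequence(unsigned seed, int *out, size_t n) {
    srand(seed);
    for (size_t i = 0; i < n; i++)
        out[i] = rand() % 6 + 1;
}

/* forgot: the only legitimate targets of the indirect call (hypothetical). */
static void handler_ok(void) { puts("legitimate handler"); }
static const handler_t allowed[] = { handler_ok };

/* Defender-side check before dereferencing the slot: it must be in the table. */
int slot_is_allowed(handler_t slot) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (allowed[i] == slot) return 1;
    return 0;
}

/* forgot, vulnerable: the payload replaces the slot with 0x080486CC; check fails. */
int slot_after_unbounded_is_allowed(void) {
    struct forgot_frame f = { {0}, handler_ok };
    unsigned char payload[BUF_DIST + sizeof(uint64_t)];
    size_t len = build_payload(payload, 0x080486CC);
    copy_unbounded(&f, payload, len);
    return slot_is_allowed(f.slot);
}

/* forgot, hardened: slot still points at handler_ok; check passes. */
int slot_after_bounded_is_allowed(void) {
    struct forgot_frame f = { {0}, handler_ok };
    unsigned char payload[BUF_DIST + sizeof(uint64_t)];
    size_t len = build_payload(payload, 0x080486CC);
    copy_bounded(f.buf, sizeof f.buf, payload, len);
    return slot_is_allowed(f.slot);
}

int main(void) {
    int a[5], b[5];
    roll_sequence(1, a, 5);
    roll_sequence(1, b, 5);
    printf("seed: unbounded=%llu bounded=%llx, same rolls from seed 1: %d\n",
           (unsigned long long)seed_after_unbounded(),
           (unsigned long long)seed_after_bounded(), memcmp(a, b, sizeof a) == 0);
    printf("slot allowed: unbounded=%d bounded=%d\n",
           slot_after_unbounded_is_allowed(), slot_after_bounded_is_allowed());
    return 0;
}
```

The two fixes are independent: the bounded copy removes the write past buf, and the table check means that even if some other bug corrupts the slot, the program refuses to jump to an address that was never a registered handler. roll_sequence() is there to make the dice_game point concrete: two calls with the same seed return the same rolls, which is exactly why a guessable or overwritable seed is a flaw.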