k0rian's blog

EldenRing 2简单的uaf,因为寒假才刚开始入门堆，所以写得稍微详细点。先看看伪c, 123456789101112131415161718192021222324252627282930313233// local variable allocation has failed, the output may be wrong!int __cdecl main(int argc, const char **argv, const char **envp){ int v4; // [rsp+1Ch] [rbp-4h] BYREF init(argc, argv, envp); while ( 1 ) { menu(*(_QWORD *)&argc); *(_QWORD *)&argc = "%d"; __isoc99_scanf("%d", &v4); switch ( v4 ) { case 1: add_note(); ...

ezsignIn手速够快直接拿下一血 elden ring黑屏加载难绷，思路大概这样，栈迁移到bss段，mprotect改bss段权限，然后bss段注入shellcode执行orw. 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061from pwn import *context(arch="amd64",log_level="debug")#p=process("./vuln")p=remote("47.100.137.175",32546)one=0xe3afelibc=ELF("./libc.so.6")elf=context.binary=ELF("./vuln")sleep(8)#gdb.attach(p)pop_rdi=0x00000000004013e3main=0x401297 ...

ez_fmt本来想着用格式化字符串低位爆破，不过看了别的师傅的文章，似乎有更为巧妙的思路。先给大家看看题目 1234567891011121314151617nt __cdecl main(int argc, const char **argv, const char **envp){ char buf[88]; // [rsp+0h] [rbp-60h] BYREF unsigned __int64 v5; // [rsp+58h] [rbp-8h] v5 = __readfsqword(0x28u); setvbuf(stdout, 0LL, 2, 0LL); setvbuf(stdin, 0LL, 2, 0LL); printf("There is a gift for you %p\n", buf); read(0, buf, 0x30uLL); if ( w == 0xFFFF ) { printf(buf); w = 0; } return 0;} 题目逻辑很简单，给了一个栈上的地 ...

Hacknote对于入门堆的师傅来说，这是个不错的入门题，但pwnabletw上扣了符号表，gdb调试起来比较麻烦，建议先做攻防世界上的，我们先看看ida反编译出来的代码 123456789101112131415161718192021222324252627282930313233343536373839404142void __cdecl __noreturn main(){ int v0; // eax char buf[4]; // [esp+8h] [ebp-10h] BYREF unsigned int v2; // [esp+Ch] [ebp-Ch] v2 = __readgsdword(0x14u); setvbuf(stdout, 0, 2, 0); setvbuf(stdin, 0, 2, 0); while ( 1 ) { while ( 1 ) { all_choice(); read(0, buf, 4u); v0 = atoi(buf); ...