nyyyddddn

nssctfr16_wp
pwn, nc_pwnre: there is an XOR routine; the result of the XOR is a base64-encoded string, and submitting the decoded text gets you into the shell.
    a = [0x44,0x7c,0x5e,0x44,0x41,0x21,0x42,0x57,0x75,0x21,0x74,0x56,0x44,0x57,0x5d,0x67,0x44,0x46,0x29,0x45,0x5d,0x56,0x29,0x67,0x46,0x22,0x25,0x76,0x74,0x6a,0x52,0x69,0x5d,0x47,0x41,0x78,0x76,0x41,0x2d,0x2d]
    for i in a:
        print(chr(i ^ 0x10),...
Chunqiu Cup Winter Competition wp
pwn: I'm really bad at this; I only solved one pwn challenge and couldn't do the heap challenges. nmanager: the libc address can be leaked with printf %s, then ret2libc; with n set to 8 it reaches exactly rbp.
    unsigned __int64 __fastcall modify(__int64 a1)
    {
      char buf[24]; // [rsp+10h] [rbp-20h] BYREF
      unsigned __int64 v3; // [rsp+28h] [rbp-8h]
      v3 = __readfsqword(0x28u);
      do ...
pwnable.tw
pwnable.tw (continuously updated). start: checking the protections and the permissions of each segment shows that the stack is executable.
    lhj@lhj-virtual-machine:~/Desktop/pwntw/start$ checksec start
    [*] '/home/lhj/Desktop/pwntw/start/start'
        Arch:     i386-32-little
        RELRO:    No RELRO
        Stack:    No canary found
        NX:       NX disabled
        PIE:      No PIE (0x8...
uoftctf_pwn_wp
pwn, basic-overflow: there is a shell function; a stack overflow overwrites the return address with shell.
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      char v4[64]; // [rsp+0h] [rbp-40h] BYREF
      gets(v4, argv, envp);
      return 0;
    }
    int shell()
    {
      return execve("/bin/sh", 0LL, 0LL);
    }
exp ...
pwnable.kr
fd: the program logic is as follows: it reads data from fd, and if the data is LETMEWIN it prints the flag. So I can make fd = 0 (standard input), let read read my input, and then type LETMEWIN.
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    char buf[32];
    int main(int argc, char* argv[], char* envp[]){
        if(argc<2){ ...
Hackergame2023
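Hackergame Launch: Hackergame, launch! The similarity check turned out to be done on the front end, and the similarity is then passed as a URL parameter; passing 100 gets the flag. Deeper and Darker: main.js contains a piece of code that generates the flag; just call it from the console.
    async function getFlag(token) {
      // Generate the flag based on user's token
      let hash = CryptoJS.SHA256(`dEEper_@nd_d@rKer_${token}`).toString();
      return `fla...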
GeekChallenge2023
re, the giveaway reverse challenge: a .S file. Assemble it with the as command, then open it in IDA to analyze the logic.
    as -o output.o input.S
Invert the logic:
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      int i; // [rsp+Ch] [rbp-54h]
      char s1[32]; // [rsp+10h] [rbp-50h] BYREF
      char s2[40]; // [rsp+30h] [rbp-30h] BYREF
      unsigned __i...
moectf_wp
RE, Beginner's Guide to Reverse:
    if ( *(_DWORD *)v7 == 13 )
      sub_401082(aMoectfF1rstSt3, v6);
    aMoectfF1rstSt3 db 'moectf{F1rst_St3p_1s_D0ne}',0Ah,0
base_64: download and compile pycdc; it turns out to be a base64 variant. http://web.chacuo.net/netbasex Copy the index table in and decrypt to get the flag.
UPX!: exeinfope shows it is upx 3.9. After unpacking:
    for ( j = 0; ; +...
newstar2023_week1
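RE, easy_RE: it really is there as soon as you open it.
    flag{we1c0me_to_rev3rse!!}
elf: inputString is first XORed, then has 16 added, then is base64-encoded and compared with the flag; decode it, subtract 16 and XOR, and that's it.
    s1 = (char *)base64_encode(v6, v3);
    if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234...
The problem of an exp that fails locally but works remotely
Today, while looking at a ret2text challenge, I ran into the strange problem of the exp failing locally but working remotely. The challenge looks like this. There is a backdoor function that looks like this. The exp looks like this:
    from pwn import *
    # p=remote("1.container.jingsai.apicon.cn",30509)
    elf = context.binary = ELF('./Intruduce')
    p = process()
    context.log_level='debug'
    payload=b'a'* (...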