pwn 新手 string 格式化字符串

// Decompiler (IDA) output of the stripped challenge binary `string`. The code is
// the artifact under review and is kept token-for-token as recovered, only
// re-indented and annotated. Notes are written from a defensive stance: where
// untrusted stdin reaches a dangerous sink, and what a hardened build would do.

// Entry point. Prints the addresses of a heap-allocated pair of ints (the two
// "secrets"), then hands the pair to sub_400D72, which drives the rest of the game.
// Returns 0 unless the 60-second alarm terminates the process first.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
    _DWORD *v4; // [rsp+18h] [rbp-78h]

    setbuf(stdout, 0LL);      // unbuffered stdout: every puts/printf is flushed immediately
    alarm(0x3Cu);             // SIGALRM after 60 s (the "Alarm clock" seen in the transcript)
    sub_400996(60LL);         // not part of this listing; purpose cannot be determined from here
    v4 = malloc(8uLL);        // NOTE(review): result is written without a NULL check
    *v4 = 68;                 // the two 4-byte values that sub_400CA6 later compares
    v4[1] = 85;
    puts("we are wizard, we will give you hand, you can not defeat dragon by yourself ...");
    puts("we will tell you two secret ...");
    // Information disclosure: the heap addresses of both values are printed to
    // the user. %x with a pointer argument is also a format/argument mismatch
    // (undefined behaviour); the transcript shows only the low 32 bits
    // ("238e2a0"). A hardened build would not print these addresses at all, and
    // would use %p rather than %x if it had to.
    printf("secret[0] is %x\n", v4);
    printf("secret[1] is %x\n", v4 + 1);
    puts("do not tell anyone ");
    sub_400D72(v4);
    puts("The End.....Really?");
    return 0LL;
}

// Player creation. Reads a name from stdin and, if it is at most 12 characters
// long, runs the three game stages in order, passing the heap pair through to
// the last one. Returns the stack-canary xor that the decompiler uses to model
// the __stack_chk_fail epilogue.
// a1: the heap pointer from main (typed __int64 here, _DWORD * at sub_400CA6).
unsigned __int64 __fastcall sub_400D72(__int64 a1)
{
    char s[24]; // [rsp+10h] [rbp-20h] BYREF
    unsigned __int64 v3; // [rsp+28h] [rbp-8h]

    v3 = __readfsqword(0x28u);
    puts("What should your character's name be:");
    // Unbounded read: "%s" has no width limit, so a name of 24 or more bytes
    // runs past s into the canary slot at [rbp-8h] before the length check
    // below executes. The check decides which names continue, not how many
    // bytes were written. Fix: a width limit ("%23s") or fgets(s, sizeof s, stdin).
    _isoc99_scanf("%s", s);
    if ( strlen(s) <= 0xC )
    {
        puts("Creating a new player.");
        sub_400A7D();
        sub_400BB9();
        sub_400CA6(a1);
    }
    else
    {
        puts("Hei! What's up!");
    }
    return __readfsqword(0x28u) ^ v3;
}

// Stage 1: the inn. Loops on stdin until the player answers "east". Returns the
// canary xor; the post-loop branch that handles other answers is dead (see below).
unsigned __int64 sub_400A7D()
{
    char s1[8]; // [rsp+0h] [rbp-10h] BYREF
    unsigned __int64 v2; // [rsp+8h] [rbp-8h]

    v2 = __readfsqword(0x28u);
    puts(" This is a famous but quite unusual inn. The air is fresh and the");
    puts("marble-tiled ground is clean. Few rowdy guests can be seen, and the");
    puts("furniture looks undamaged by brawls, which are very common in other pubs");
    puts("all around the world. The decoration looks extremely valuable and would fit");
    puts("into a palace, but in this city it's quite ordinary. In the middle of the");
    puts("room are velvet covered chairs and benches, which surround large oaken");
    puts("tables. A large sign is fixed to the northern wall behind a wooden bar. In");
    puts("one corner you notice a fireplace.");
    puts("There are two obvious exits: east, up.");
    puts("But strange thing is ,no one there.");
    puts("So, where you will go?east or up?:");
    while ( 1 )
    {
        // s1 holds 8 bytes and the canary copy sits directly above it at
        // [rbp-8h], so an unbounded "%s" of 8 or more characters corrupts the
        // canary; the stack protector would abort on return. Same fix as the
        // other stages: a width limit ("%7s") or fgets.
        _isoc99_scanf("%s", s1);
        // Both operands compare against "east" (a duplicate, presumably meant to
        // be "east" || "up"), so "east" is the only answer that leaves the loop.
        if ( !strcmp(s1, "east") || !strcmp(s1, "east") )
            break;
        puts("hei! I'm secious!");
        puts("So, where you will go?:");
    }
    // Dead code: the loop only breaks when s1 equals "east", so this condition
    // is always false and sub_4009DD is never reached from here.
    if ( strcmp(s1, "east") )
    {
        if ( !strcmp(s1, "up") )
            sub_4009DD();
        puts("YOU KNOW WHAT YOU DO?");
        exit(0);
    }
    return __readfsqword(0x28u) ^ v2;
}

// Stage 2: the hole. If the player answers 1, reads an int, a long and a string
// from stdin and passes the string to printf as its format. Returns the canary xor.
unsigned __int64 sub_400BB9()
{
    int v1; // [rsp+4h] [rbp-7Ch] BYREF
    __int64 v2; // [rsp+8h] [rbp-78h] BYREF
    char format[104]; // [rsp+10h] [rbp-70h] BYREF
    unsigned __int64 v4; // [rsp+78h] [rbp-8h]

    v4 = __readfsqword(0x28u);
    v2 = 0LL;
    puts("You travel a short distance east.That's odd, anyone disappear suddenly");
    puts(", what happend?! You just travel , and find another hole");
    puts("You recall, a big black hole will suckk you into it! Know what should you do?");
    puts("go into there(1), or leave(0)?:");
    // v1 is uninitialised and the scanf result is unchecked: a non-numeric
    // answer leaves v1 indeterminate for the comparison below.
    _isoc99_scanf("%d", &v1);
    if ( v1 == 1 )
    {
        puts("A voice heard in your mind");
        puts("'Give me an address'");
        _isoc99_scanf("%ld", &v2);        // read from the user, then never used by this function
        puts("And, you wish is:");
        _isoc99_scanf("%s", format);      // unbounded, as in the other stages (104-byte buffer)
        puts("Your wish is");
        // Uncontrolled format string (CWE-134): user input is the format argument
        // of printf, so any conversion specifiers it contains are interpreted
        // against the caller's stack. Fix: printf("%s", format) or fputs(format, stdout).
        printf(format);
        puts("I hear it, I hear it....");
    }
    return __readfsqword(0x28u) ^ v4;
}

// Stage 3: the dragon. If the two heap values are equal, maps a page, fills it
// from stdin and jumps into it. Returns the canary xor.
// a1: the heap pair allocated in main (68 and 85 unless modified in between).
unsigned __int64 __fastcall sub_400CA6(_DWORD *a1)
{
    void *v1; // rsi
    unsigned __int64 v3; // [rsp+18h] [rbp-8h]

    v3 = __readfsqword(0x28u);
    puts("Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!");
    puts("Dragon say: HaHa! you were supposed to have a normal");
    puts("RPG game, but I have changed it! you have no weapon and ");
    puts("skill! you could not defeat me !");
    puts("That's sound terrible! you meet final boss!but you level is ONE!");
    // Gate: main initialises the pair to 68 and 85, so this is false unless the
    // heap values have been changed somewhere between main and here.
    if ( *a1 == a1[1] )
    {
        puts("Wizard: I will help you! USE YOU SPELL");
        // Executes untrusted input as code. prot 7 is PROT_READ|PROT_WRITE|PROT_EXEC
        // and flags 33 is MAP_SHARED|MAP_ANONYMOUS on Linux x86-64, so the page is
        // writable and executable at once, which sidesteps the NX that checksec
        // reports for this binary. Neither mmap (MAP_FAILED) nor read (error or
        // short read) is checked before the call. A hardened build never maps
        // W+X memory and never transfers control into a buffer filled from stdin.
        v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
        read(0, v1, 0x100uLL);
        ((void (__fastcall *)(_QWORD))v1)(0LL);
    }
    return __readfsqword(0x28u) ^ v3;
}

elcome to Dragon Games! .~)>> .~))))>>> .~))>> ___\ .~))>>)))>> .-~))>>\ .~)))))>> .-~))>>)> .~)))>>))))>> .-~)>>)> ) .~))>>))))>> .-~)))))>>)> ( )@@*) //)>)))))) .-~))))>>)> ).@(@@ //))>>))) .-~))>>)))))>>)> (( @.@). //))))) .-~)>>)))))>>)> )) )@@*.@@ ) //)>))) //))))))>>))))>>)> (( ((@@@.@@ |/))))) //)))))>>)))>>)> )) @@*. )@@ ) (\_(\ |))>)) //)))>>)))))))>>)> (( @@@(.@(@ . _/`-` ~|b |>))) //)>>)))))))>>)> )* @@@ )@* (@) (@) |))) //))))))>>))))>> (( @. )@( @ . _/ / )) //))>>)))))>>>_._ )@@ (@@*)@@. (6, 6) / ^ )//))))))>>)))>> ~~-. ( @jgs@@. @@@.*@_ ~^~^~, /\ ^ /)>>))))>> _. `, ((@@ @@@*.(@@ . \^^^/' ( ^ )))>> .' `, ((@@).*@@ )@ ) `-' (( ^ ~)_ / `, (@@. (@@ ). ((( ^ `\ | `. (*.@* / (((( \ \ . `. / ((((( \ \ _.-~\ Y, ; / / (((((( \ \.-~ _.`" _.-~`, ; / / `(((((() ) (((((~ `, ; _/ _/ `"""/ /' ; ; _.-~_.-~ / /' _.-~ _.' ((((~~ / /' _.-~ __.--~ (((( __.-~ _.-~ .' .~~ : ,' we are wizard, we will give you hand, you can not defeat dragon by yourself ... we will tell you two secret ... secret[0] is 238e2a0 secret[1] is 238e2a4 do not tell anyone What should your character's name be: asda Creating a new player. This is a famous but quite unusual inn. The air is fresh and the marble-tiled ground is clean. Few rowdy guests can be seen, and the furniture looks undamaged by brawls, which are very common in other pubs all around the world. The decoration looks extremely valuable and would fit into a palace, but in this city it's quite ordinary. In the middle of the room are velvet covered chairs and benches, which surround large oaken tables. A large sign is fixed to the northern wall behind a wooden bar. In one corner you notice a fireplace. There are two obvious exits: east, up. But strange thing is ,no one there. So, where you will go?east or up?: dasda hei! I'm secious! So, where you will go?: dasdas hei! I'm secious! So, where you will go?: dsadasd hei! I'm secious! So, where you will go?: dsadasd hei! I'm secious! So, where you will go?: dasdasd hei! I'm secious! 
So, where you will go?: dasdsadsa hei! I'm secious! So, where you will go?: dsadasda hei! I'm secious! So, where you will go?: Alarm clock zzet@ubuntu:~/Desktop$ checksec string [*] Checking for new versions of pwntools To disable this functionality, set the contents of /home/zzet/.cache/.pwntools-cache-3.8/update to 'never' (old way). Or add the following lines to ~/.pwn.conf (or /etc/pwn.conf system-wide): [update] interval=never [!] An issue occurred while checking PyPI [*] You have the latest version of Pwntools (4.3.1) [*] '/home/zzet/Desktop/string' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) zzet@ubuntu:~/Desktop$ file sring sring: cannot open `sring' (No such file or directory) zzet@ubuntu:~/Desktop$ file string string: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4f9fd3e83d275c6555ec7059823616ffc2f1af1b, stripped zzet@ubuntu:~/Desktop$

LOAD:0000000000400238 0000001C C /lib64/ld-linux-x86-64.so.2 LOAD:0000000000400509 0000000A C libc.so.6 LOAD:0000000000400518 00000006 C srand LOAD:000000000040051E 0000000F C __isoc99_scanf LOAD:0000000000400537 00000011 C __stack_chk_fail LOAD:0000000000400548 00000007 C printf LOAD:0000000000400554 00000007 C strlen LOAD:0000000000400560 00000007 C stdout LOAD:0000000000400567 00000007 C malloc LOAD:000000000040056E 00000006 C alarm LOAD:0000000000400574 00000007 C setbuf LOAD:000000000040057B 00000007 C strcmp LOAD:0000000000400582 00000012 C __libc_start_main LOAD:0000000000400594 0000000F C __gmon_start__ LOAD:00000000004005A3 0000000A C GLIBC_2.7 LOAD:00000000004005AD 0000000A C GLIBC_2.4 LOAD:00000000004005B7 0000000C C GLIBC_2.2.5 .rodata:0000000000400F98 00000787 C .~)>>\n .~))))>>>\n .~))>> ___\\\n .~))>>)))>> .-~))>>\\\n .~)))))>> .-~))>>)> \n .~)))>>))))>> .-~)>>)> \n ) .~))>>))))>> .-~)))))>>)>\n ( )@@*) //)>)))))) .-~))))>>)>\n ).@(@@ //))>>))) .-~))>>)))))>>)>\n (( @.@). //))))) .-~)>>)))))>>)>\n )) )@@*.@@ ) //)>))) //))))))>>))))>>)>\n (( ((@@@.@@ |/))))) //)))))>>)))>>)>\n )) @@*. )@@ ) (\\_(\\-\b |))>)) //)))>>)))))))>>)>\n (( @@@(.@(@ . _/`-` ~|b |>))) //)>>)))))))>>)>\n )* @@@ )@* (@) (@) /\b|))) //))))))>>))))>>\n (( @. )@( @ . _/ / \b)) //))>>)))))>>>_._\n )@@ (@@*)@@. (6, 6) / ^ .rodata:000000000040171F 00000019 C Welcome to Dragon Games! .rodata:0000000000401738 00000035 C You go right, suddenly, a big hole appear front you! .rodata:0000000000401770 0000002A C where you will go?!left(0) or right(1)?!: .rodata:00000000004017A0 00000027 C You escape it!but another hole appear! .rodata:00000000004017C7 0000000D C YOU ARE DEAD .rodata:00000000004017D8 00000042 C This is a famous but quite unusual inn. The air is fresh and the .rodata:0000000000401820 00000044 C marble-tiled ground is clean. 
Few rowdy guests can be seen, and the .rodata:0000000000401868 00000049 C furniture looks undamaged by brawls, which are very common in other pubs .rodata:00000000004018B8 0000004C C all around the world. The decoration looks extremely valuable and would fit .rodata:0000000000401908 0000004A C into a palace, but in this city it's quite ordinary. In the middle of the .rodata:0000000000401958 00000047 C room are velvet covered chairs and benches, which surround large oaken .rodata:00000000004019A0 0000004B C tables. A large sign is fixed to the northern wall behind a wooden bar. In .rodata:00000000004019F0 00000023 C one corner you notice a fireplace. .rodata:0000000000401A18 00000027 C There are two obvious exits: east, up. .rodata:0000000000401A40 00000024 C But strange thing is ,no one there. .rodata:0000000000401A68 00000023 C So, where you will go?east or up?: .rodata:0000000000401A93 00000012 C hei! I'm secious! .rodata:0000000000401AA5 00000018 C So, where you will go?: .rodata:0000000000401AC0 00000016 C YOU KNOW WHAT YOU DO? .rodata:0000000000401AD8 00000047 C You travel a short distance east.That's odd, anyone disappear suddenly .rodata:0000000000401B20 00000039 C , what happend?! You just travel , and find another hole .rodata:0000000000401B60 0000004E C You recall, a big black hole will suckk you into it! Know what should you do? .rodata:0000000000401BB0 00000020 C go into there(1), or leave(0)?: .rodata:0000000000401BD0 0000001B C A voice heard in your mind .rodata:0000000000401BEB 00000015 C 'Give me an address' .rodata:0000000000401C04 00000012 C And, you wish is: .rodata:0000000000401C16 0000000D C Your wish is .rodata:0000000000401C23 00000019 C I hear it, I hear it.... .rodata:0000000000401C40 0000002B C Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!! .rodata:0000000000401C70 00000035 C Dragon say: HaHa! you were supposed to have a normal .rodata:0000000000401CA8 00000039 C RPG game, but I have changed it! 
you have no weapon and .rodata:0000000000401CE8 00000021 C skill! you could not defeat me ! .rodata:0000000000401D10 00000041 C That's sound terrible! you meet final boss!but you level is ONE! .rodata:0000000000401D58 00000027 C Wizard: I will help you! USE YOU SPELL .rodata:0000000000401D80 00000026 C What should your character's name be: .rodata:0000000000401DA6 00000010 C Hei! What's up! .rodata:0000000000401DB6 00000017 C Creating a new player. .rodata:0000000000401DD0 00000050 C we are wizard, we will give you hand, you can not defeat dragon by yourself ... .rodata:0000000000401E20 00000020 C we will tell you two secret ... .rodata:0000000000401E40 00000011 C secret[0] is %x\n .rodata:0000000000401E51 00000011 C secret[1] is %x\n .rodata:0000000000401E62 00000014 C do not tell anyone .rodata:0000000000401E76 00000014 C The End.....Really? .eh_frame:0000000000401F57 00000006 C ;*3$\"
没有看到flag和system 之类的 ,没有头绪
WriteUP