运行
C伪代码
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
const char *v3; // rdi
setvbuf(stdout, 0LL, 2, 0LL);
v3 = "DEBUG";
if ( !getenv("DEBUG") )
v3 = (const char *)5;
return puts("We meet again on these pwning streets."); // sub_4006F2(v3, 0LL);
sub_40074C(v3);
return puts("Fare thee well."); //sub_4007BB(v3);
return 0LL;
}
int sub_40074C()
{
int result; // eax
char buf; // [rsp+0h] [rbp-590h]
char v2; // [rsp+190h] [rbp-400h]
puts("What say you now?");
read(0, &buf, 0x12CuLL);
if ( !strncmp(&buf, "Everything intelligent is so boring.", 0x24uLL) )
result = sub_400705(&v2);
else
result = puts("What a ho-hum thing to say.");
return result;
}
ssize_t __fastcall sub_400705(void *a1)
{
puts("What an interesting thing to say.\nTell me more.");
read(0, a1, 0x7DAuLL); ///溢出惹
return write(1, "Fascinating.\n", 0xDuLL);
}
寄存器地址
返回sub_74c地址
payload1:得到puts的地址:puts_addr
由puts的地址推导出system和’/bin/sh’的地址
payload2
958
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
