Challenge link: stack2
This is already the fourth challenge in the advanced section; that was quick, friend! Keep it up!
Enough talk, let's look at the challenge first.
Nothing special in the description, so let's check the protection mechanisms instead.
root@mypwn:/ctf/work/python/stack2# checksec fcca8ceb507544d1bd9c4a7925907a1d
[*] '/ctf/work/python/stack2/fcca8ceb507544d1bd9c4a7925907a1d'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Canary is enabled; nothing else of note. So this is most likely a stack overflow where the canary has to be bypassed.
First, open the binary in IDA and decompile it.
As you can see, no surprises: there are just two functions, main and hackhere.
I have already renamed the variables in main:
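To make concrete what checksec's "Canary found" means for this binary, here is an added example (not code from the writeup or the challenge) that emulates the stack protector: a constructed guard value stands in for what `__readgsdword(0x14u)` reads from TLS, and a 100-byte buffer is laid out just below it as in main's frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the guard value gcc loads from gs:0x14.
 * Like glibc's real canary, its lowest byte is 0x00. */
static const uint32_t STACK_GUARD = 0xdeadbe00u;

#define BUF_LEN 100u            /* mirrors arrNumbers[100] in the decompiled main */
#define FRAME_LEN (BUF_LEN + sizeof(uint32_t))

/* Writes len bytes into a frame laid out as [buffer][canary], then performs the
 * epilogue check. Returns 1 if the canary is intact, 0 if it was clobbered
 * (where the real binary would call __stack_chk_fail). */
int frame_write_and_check(const char *src, size_t len)
{
    char raw[FRAME_LEN];
    uint32_t canary;

    if (len > FRAME_LEN)
        len = FRAME_LEN;                         /* keep the emulation itself in bounds */

    memcpy(raw + BUF_LEN, &STACK_GUARD, sizeof canary);   /* prologue: v14 = guard */
    memcpy(raw, src, len);                                /* unchecked copy into buffer */
    memcpy(&canary, raw + BUF_LEN, sizeof canary);        /* epilogue: reload v14 */

    return canary == STACK_GUARD;
}

/* Constructed input: a run of 'A' bytes of the given length. */
int overflow_demo(size_t len)
{
    char input[FRAME_LEN];

    memset(input, 'A', sizeof input);
    return frame_write_and_check(input, len);
}

int main(void)
{
    printf("write of 100 bytes: canary intact = %d\n", overflow_demo(100));
    printf("write of 101 bytes: canary intact = %d\n", overflow_demo(101));
    return 0;
}
```

A linear overflow that runs even one byte past the buffer changes the guard, which is exactly the condition the epilogue check catches.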
int __cdecl main(int argc, const char **argv, const char **envp)
{
int nIndexAdd; // eax
unsigned int nTemp; // [esp+18h] [ebp-90h]
unsigned int nChoice; // [esp+1Ch] [ebp-8Ch]
int nNumber; // [esp+20h] [ebp-88h]
unsigned int nCountNumber; // [esp+24h] [ebp-84h]
int nSum; // [esp+28h] [ebp-80h]
unsigned int i; // [esp+2Ch] [ebp-7Ch]
unsigned int k; // [esp+30h] [ebp-78h]
unsigned int l; // [esp+34h] [ebp-74h]
char arrNumbers[100]; // [esp+38h] [ebp-70h]
unsigned int v14; // [esp+9Ch] [ebp-Ch]
v14 = __readgsdword(0x14u);
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
nSum = 0;
puts("***********************************************************");
puts("* An easy calc *");
puts("*Give me your numbers and I will return to you an average *");
puts("*(0 <= x < 256) *");
p