题目
题目本身比较神奇,当时看到这道题的时候还懵了一下,一下子没有太好的思路,不过后两天还有考试所以也没太静下心来想,今天刚考完了再来看这道题感觉其实难度并不是很大。
题目给出了一个二进制文件,本能的checksec:
[*] '/home/vagrant/ctf/contests/googlectf-2017/inst_prof/inst_prof'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
partial relro,很有意思,不过其实根本没卵用,233.
看看逻辑:
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
if ( write(1, "initializing prof...", 0x14uLL) == 20 )
{
sleep(5u);
alarm(0x1Eu);
if ( write(1, "ready\n", 6uLL) == 6 )
{
while ( 1 )
do_test();
}
}
exit(0);
}
main函数很显然,就是死循环执行do_test,再看do_test
int do_test()
{
char *v0; // rbx@1
char v1; // al@1
unsigned __int64 v2; // r12@1
unsigned __int64 buf; // [sp+8h] [bp-18h]@1
v0 = (char *)alloc_page();
*(_QWORD *)v0 = *(_QWORD *)"¦";
*((_DWORD *)v0 + 2) &#