wustctf2020_number_game
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
32-bit, no PIE, the GOT is writable, and the stack canary is enabled.
unsigned int vulnerable()
{
  int v1; // [esp+8h] [ebp-10h] BYREF
  unsigned int v2; // [esp+Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);
  v1 = 0;
  __isoc99_scanf("%d", &v1);
  if ( v1 >= 0 || (v1 = -v1, v1 >= 0) )
    printf("You lose");
  else
    shell();
  return __readgsdword(0x14u) ^ v2;
}
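The logic is simple: we only need v1 to satisfy the condition that reaches shell().
A 32-bit int ranges from -2147483648 to 2147483647.
This relies on the two's-complement representation of negative numbers: overflow the sign bit of the two's-complement value, that is,
<-2147483648
is enough.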
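The check above, reproduced as an added example (not code from the challenge binary or the original write-up), shows why negation cannot be used as an absolute value and what a hardened version looks like. The names wrap_negate, reaches_shell and checked_abs are hypothetical, and the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Two's-complement negation as the i386 `neg` instruction performs it.
 * Done in unsigned arithmetic because -INT_MIN on a signed int is
 * undefined behaviour in C. */
static int32_t wrap_negate(int32_t v)
{
    return (int32_t)(0u - (uint32_t)v);
}

/* Same decision as vulnerable(): returns 1 where the binary calls shell(). */
static int reaches_shell(int32_t v1)
{
    if (v1 >= 0)
        return 0;
    v1 = wrap_negate(v1);
    return v1 < 0;
}

/* Hardened absolute value: refuses the one input that has no positive
 * counterpart instead of letting it wrap. Returns 0 on success. */
static int checked_abs(int32_t v, int32_t *out)
{
    if (v == INT32_MIN)
        return -1;
    *out = v < 0 ? -v : v;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs covering both ends of the int range. */
    const int32_t samples[] = { 0, 1, -1, INT32_MAX, INT32_MIN + 1, INT32_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t a;
        int rc = checked_abs(samples[i], &a);
        printf("%11d  shell=%d  checked_abs=%s\n", (int)samples[i],
               reaches_shell(samples[i]), rc ? "rejected" : "ok");
    }
    return 0;
}
```

Only the minimum int value survives negation unchanged, so any "negate, then test the sign" check needs an explicit guard for it.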