零、参考链接
参考链接 1:必看的参考链接
参考链接 2:ctf-wiki
参考链接 3:文章作者记录了一些有关的调试过程,很不错的文章
参考链接 4:需要一定的基础,我目前看不懂,但有很多源代码,这里留一下
参考链接 5:ctf题
一、实验环境
二、总结
这里我对一些知识点做一个总结,以便以后回来看我能立马看懂
1、FILE文件结构
①:_IO_list_all 链接了所有的 _IO_FLE_plus(参考链接1):
②:_IO_FLE_plus 结构体中包含了 _IO_FILE结构体 与 IO_jump_t指针(参考链接3):
struct _IO_FILE_plus
{
_IO_FILE file;
IO_jump_t *vtable;
}
//32位下的偏移是0x94,而64位下偏移是0xd8 ----vtable
//--------------------- ↓ 这个偏移是个重点 ↓ ---------------------//
//下面引用参考链接1中的代码 ↓
FILE *fp = fopen("./123.txt", "rw");
i64 *vtable_addr = (i64 *) ((i8 *) fp + 0xD8); //64位 0xD8
//--------------------- ↑ 这个偏移是个重点 ↑ ---------------------//
③:_IO_FILE_plus 中的 _IO_FILE 结构体源代码如下(参考链接3):
struct _IO_FILE {
int _flags; /* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags
/* The following pointers correspond to the C++ streambuf protocol. */
/* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
char* _IO_read_ptr; /* Current read pointer */
char* _IO_read_end; /* End of get area. */
char* _IO_read_base; /* Start of putback+get area. */
char* _IO_write_base; /* Start of put area. */
char* _IO_write_ptr; /* Current put pointer. */
char* _IO_write_end; /* End of put area. */
char* _IO_buf_base; /* Start of reserve area. */
char* _IO_buf_end; /* End of reserve area. */
/* The following fields are used to support backing up and undo. */
char *_IO_save_base; /* Pointer to start of non-current get area. */
char *_IO_backup_base; /* Pointer to first valid character of backup area */
char *_IO_save_end; /* Pointer to end of non-current get area. */
struct _IO_marker *_markers;
struct _IO_FILE *_chain;
int _fileno;
#if 0
int _blksize;
#else
int _flags2;
#endif
_IO_off_t _old_of