/*
 * Hex-Rays decompilation of main(): a loop that reads three signed 64-bit
 * integers, stores the sum of the first two into a stack array at the index
 * given by the third, and prints the stored value back.
 *
 * Security note: the index (v6) comes straight from scanf and is never
 * range-checked, so the store at v7[v6] is an out-of-bounds 8-byte write
 * relative to rbp-0x60. The missing check is
 * `if (v6 < 0 || v6 >= 10) reject;` before the store.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // [rsp+8h] [rbp-78h] BYREF
__int64 v5; // [rsp+10h] [rbp-70h] BYREF
__int64 v6; // [rsp+18h] [rbp-68h] BYREF
// The decompiler shows 12 slots starting at rbp-0x60. Only the first 0x50
// bytes (10 slots) are cleared below, so the source array presumably had
// 10 elements; slot 11 (rbp-0x8) is where the stack canary is kept.
__int64 v7[12]; // [rsp+20h] [rbp-60h] BYREF
// fs:0x28 is the stack-protector canary on x86-64 Linux; the epilogue's
// comparison against it is not shown in this decompiler output.
v7[11] = __readfsqword(0x28u);
// setup() is defined elsewhere in the binary and is not shown here.
setup(argc, argv, envp);
while ( 1 )
{
// All inputs and the first 10 array slots are reset on every iteration.
v4 = 0LL;
v5 = 0LL;
v6 = 0LL;
memset(v7, 0, 0x50uLL);
printf("Input: ");
// Anything other than three parsed integers ends the loop, and main returns.
if ( __isoc99_scanf("%ld %ld %ld", &v4, &v5, &v6) != 3 )
break;
// Unchecked index: v6 is signed and attacker-controlled, so this writes
// v4 + v5 to rbp-0x60 + 8*v6 for any v6, including negative values and
// slots above the array (12 = saved rbp, 13 = return address). Because the
// write is indexed rather than a linear overflow, it can land past the
// canary at slot 11 without modifying it, so the stack protector does not
// detect it.
v7[v6] = v4 + v5;
// The read uses the same unchecked index, so it is out of bounds as well.
printf("Result: %ld", v7[v6]);
}
return 0;
}
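In main, the program writes v4 + v5 to rbp-0x60 + 8*v6, and v6 is never range-checked, so the write can land outside the array.
The binary is not built as PIE, so its code addresses are fixed,
and it contains a function win that prints the flag.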
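The return address sits at index (0x60 + 0x8 (saved rbp)) / 8 = 13. An indexed write to that slot skips the stack canary at rbp-0x8 (index 11), so the canary check still passes.
So enter `0 <address of win in decimal> 13`: v4 + v5 equals the address of win, and v6 = 13 selects the return-address slot.
Then enter any non-numeric character so that scanf fails and the loop breaks; main then returns into win, which prints the flag. The underlying bug is the missing bounds check on v6 before the store.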