
pwnable.xyz7

(Pwnable.xyz) two targets Canary : ✓ NX : ✓ PIE : ✘ Fortify : ✘ RelRO : Partial First, check the binary's security options: PIE isn’t enabled, so the binary's own code and data are loaded at fixed addresses. int __cdecl __noreturn main(int argc, const char **argv, const char **envp) { int int32; // eax char s[32]; // [rsp+10h] [rbp-40h] BYREF _QWORD v5[2]; // [rsp+30h] [rbp-20h] BYREF __int64 v6; // [rsp+40h] [rbp-10h] unsigned __int64 v7; // [rsp+48h] [rbp-8h] v7 = __readfsqword(0x28u); setup.. 2022. 1. 14.
(Pwnable.xyz) xor int __cdecl __noreturn main(int argc, const char **argv, const char **envp) { int v3; // [rsp+Ch] [rbp-24h] __int64 v4; // [rsp+10h] [rbp-20h] BYREF __int64 v5; // [rsp+18h] [rbp-18h] BYREF __int64 v6[2]; // [rsp+20h] [rbp-10h] BYREF v6[1] = __readfsqword(0x28u); puts("The Poopolator"); setup(); while ( 1 ) { v6[0] = 0LL; printf(format); v3 = _isoc99_scanf("%ld %ld %ld", &v4, &v5, v6); if ( !v4 .. 2022. 1. 14.
(Pwnable.xyz) note writeup int __cdecl main(int argc, const char **argv, const char **envp) { int int32; // eax setup(argc, argv, envp); puts("Note taking 101."); while ( 1 ) { while ( 1 ) { while ( 1 ) { print_menu(); int32 = read_int32(); if ( int32 != 1 ) break; edit_note(); } if ( int32 != 2 ) break; edit_desc(); } if ( !int32 ) break; puts("Invalid"); } return 0; } It looks like a heap challenge. There are notable fu.. 2022. 1. 12.
(Pwnable.xyz) misalignment writeup int __cdecl main(int argc, const char **argv, const char **envp) { __int64 s[20]; // [rsp+10h] [rbp-A0h] BYREF s[19] = __readfsqword(0x28u); setup(); memset(s, 0, 0x98uLL); *(&s[1] + 7) = 0xDEADBEEFLL; while ( _isoc99_scanf("%ld %ld %ld", &s[4], &s[5], &s[6]) == 3 && s[6] = -7 ) { s[s[6] + 7] = s[4] + s[5]; printf("Result: %ld\\n", s[s[6] + 7]); } if ( *(&s[1] + 7) == 0xB000000B5LL ) win(); retu.. 2022. 1. 11.