pwnable.xyz
-
rwsr - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 15. 19:13
Prob Info Code int __cdecl main(int argc, const char **argv, const char **envp) { const char *v3; // rdi int v4; // eax char *s; // ST10_8 setup(); v3 = "Read Write Sleep Repeat."; puts("Read Write Sleep Repeat."); do { while ( 1 ) { while ( 1 ) { print_menu(v3); v4 = read_ulong(); if ( v4 != 1 ) break; printf("Addr: ", argv); v3 = (const char *)read_ulong(); puts(v3); } if ( v4 != 2 ) break; pr..
-
fclose - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 15. 04:14
Prob Info Code int __cdecl main(int argc, const char **argv, const char **envp) { setup(); printf("> ", argv); read(0, &input, 0x404uLL); fclose(&input); return 0; } 간단하게 input이라는 전역변수에 0x400바이트 입력받고 fclose로 input을 닫는다. .bss:0000000000601260 public input .bss:0000000000601260 ; FILE input .bss:0000000000601260 input FILE ; DATA XREF: main+1F↑o .bss:0000000000601260 ; main+30↑o .bss:0000000000601..
-
message - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 15. 04:08
Prob Info Code int __cdecl main(int argc, const char **argv, const char **envp) { char *v3; // rsi unsigned int v4; // eax char v6; // [rsp+10h] [rbp-30h] unsigned __int64 v7; // [rsp+38h] [rbp-8h] v7 = __readfsqword(0x28u); setup(); puts("Message taker."); printf("Message: ", argv); v3 = &v6; _isoc99_scanf("%s", &v6); getchar(); while ( 1 ) { while ( 1 ) { print_menu(); printf("> ", v3); v4 = g..
-
UAF - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 13. 22:22
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { Game *v3; // rsi const char *v4; // rdi __int64 savedregs; // [rsp+10h] [rbp+0h] setup(); initialize_game(); printf("Name: ", argv); v3 = cur; v4 = 0LL; read(0, cur, 0x7FuLL); while ( 1 ) { print_menu(v4, v3); read_int32(); switch ( (unsigned int)&savedregs ) { case 0u: return 0; case 1u: ((void (*)(void))cur->f_calc)()..
-
iape - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 13. 21:10
Prob Info 이 문제는 코딩하기가 귀찮은 문제였다. setup 함수에 alarm(0xB4u) 이렇게 알람을 길게 주는 문제는 익스 시간이 길다고 생각하면 된다. int __cdecl main(int argc, const char **argv, const char **envp) { char *v3; // rsi const char *v4; // rdi int v5; // eax char s; // [rsp+10h] [rbp-400h] setup(); v3 = 0LL; v4 = &s; memset(&s, 0, 0x400uLL); while ( 1 ) { while ( 1 ) { print_menu(v4, v3); v5 = read_int32(); if ( v5 != 1 ) break; printf("d..
-
J-U-M-P - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 13. 19:56
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { unsigned __int8 v3; // [rsp+2Fh] [rbp-11h] __int64 v4; // [rsp+30h] [rbp-10h] void *v5; // [rsp+38h] [rbp-8h] setup(); v4 = gen_canary(); puts("Jump jump\nThe Mac Dad will make you jump jump\nDaddy Mac will make you jump jump\nThe Daddy makes you J-U-M-P\n"); v5 = &loc_BA0; while ( 1 ) { print_menu(); printf("> ", argv)..
-
SUS - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 13. 19:38
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { const char *v3; // rdi int v4; // eax setup(); v3 = "SUS - Single User Storage."; puts("SUS - Single User Storage."); while ( 1 ) { while ( 1 ) { print_menu(v3); v3 = "> "; printf("> ", argv); v4 = read_int32(); if ( v4 != 1 ) break; create_user(); } if ( v4 x/10gx $rbp-0x1060 0x7ffe689a66f0: 0x000000000078d010 0x000000..
-
fspoo - pwnable.xyzWrite-ups/pwnable.xyz 2020. 2. 13. 18:58
Prob Info int __cdecl main(int argc, const char **argv, const char **envp) { setup(); printf("Name: "); read(0, &cmd[0x30], 0x1Fu); vuln(); return 0; } cmd라는 전역변수에 0x30바이트 이후부터 0x1f만큼 데이터를 받는다. unsigned int vuln() { int v1; // [esp+8h] [ebp-10h] unsigned int v2; // [esp+Ch] [ebp-Ch] v2 = __readgsdword(0x14u); while ( 1 ) { while ( 1 ) { printf(&cmd[32]); puts("1. Edit name.\n2. Prep msg.\n3. Pri..