https://dirtycow.cn/tag/FlareOn3/ https://dirtycow.cn/31.html 2023-10-19T16:00:39+08:00 思路：使用exeinfo查壳是一个无壳32位的程序image-20230409204347007.png直接上ida直接看main函数将用户的输入保存到buffer[]使用sub_401260函数处理buffer[] Str1指向处理之后sub_401260的返回值最后比较Str1和Str2的值image-20230410083548517.png跟进sub_401260函数查看瞅一眼代码 发现很眼熟 看着像base64继续往下看image-20230410090133409.png看到了byte_413000 双击进去查看发现了对base64的编码表进行了修改image-20230410090457886.png到这里题目的逻辑已经很清晰了直接写脚本跑flagexp：import base64 def main(): string1 = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/" string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" encode = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q" print(base64.b64decode(encode.translate(str.maketrans(string1,string2)))) if __name__ =="__main__": main()flag：flag{sh00ting_phish_in_a_barrel@flare-on.com}