Inf0 - wp
https://dirtycow.cn/tag/wp/

[GFCTF 2021]wordy wp
https://dirtycow.cn/216.html
2024-02-28T19:51:00+08:00

Approach:

The target is a 64-bit ELF with no packer, so open it directly in IDA and look at the main function.

The first thing that stands out is a CODE XREF followed by a large block of data. This is clearly a junk instruction (花指令).

Try removing the junk instruction.

Another junk instruction turns up.

Keep removing junk instructions in the same way.

Characters that look like a flag appear.

Hand this repetitive work to IDAPython. Each of these characters is preceded by the bytes FF C0, so write a script that locates the characters using those two bytes as the marker.

exp:

```python
import ida_bytes

start_addr = 0x1135
end_addr = 0x3000
for i in range(start_addr, end_addr):
    # FF C0 is the marker; the character is the byte 3 positions after it
    if ida_bytes.get_byte(i) == 0xFF and ida_bytes.get_byte(i + 1) == 0xC0:
        print(chr(ida_bytes.get_byte(i + 3)), end="")
```

Output:

```
hello world! There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,because you have only one life and one chance to do all the things you want to do. May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others'shoes.If you feel that it hurts you,it probably hurts the other person, too.
GFCTF{u_are2wordy} You find Flag, Congratulation!
```

Summary:

Topics tested: junk instructions, IDAPython

flag: GFCTF{u_are2wordy}

[ACTF Freshman Contest 2020]Universe_final_answer wp
https://dirtycow.cn/209.html
2024-02-26T20:45:00+08:00

Approach:

Look at the program's main function.

Making sub_860 return true yields the flag.

Step into sub_860.

Arithmetic this regular is an obvious job for z3.

exp:

```python
from z3 import *

v1, v2, v3, v4, v5, v6, v7, v8, v9, v11 = Ints('v1 v2 v3 v4 v5 v6 v7 v8 v9 v11')
solver = Solver()

# Every unknown is an input character, so bound each one below 128
for v in (v1, v2, v3, v4, v5, v6, v7, v8, v9, v11):
    solver.add(v < 128)

# The ten checks performed by sub_860
solver.add(-85 * v9 + 58 * v8 + 97 * v6 + v7 + -45 * v5 + 84 * v4 + 95 * v2 - 20 * v1 + 12 * v3 == 12613)
solver.add(30 * v11 + -70 * v9 + -122 * v6 + -81 * v7 + -66 * v5 + -115 * v4 + -41 * v3 + -86 * v1 - 15 * v2 - 30 * v8 == -54400)
solver.add(-103 * v11 + 120 * v8 + 108 * v7 + 48 * v4 + -89 * v3 + 78 * v1 - 41 * v2 + 31 * v5 - (v6 * 64) - 120 * v9 == -10283)
solver.add(71 * v6 + (v7 * 128) + 99 * v5 + -111 * v3 + 85 * v1 + 79 * v2 - 30 * v4 - 119 * v8 + 48 * v9 - 16 * v11 == 22855)
solver.add(5 * v11 + 23 * v9 + 122 * v8 + -19 * v6 + 99 * v7 + -117 * v5 + -69 * v3 + 22 * v1 - 98 * v2 + 10 * v4 == -2944)
solver.add(-54 * v11 + -23 * v8 + -82 * v3 + -85 * v2 + 124 * v1 - 11 * v4 - 8 * v5 - 60 * v7 + 95 * v6 + 100 * v9 == -2222)
solver.add(-83 * v11 + -111 * v7 + -57 * v2 + 41 * v1 + 73 * v3 - 18 * v4 + 26 * v5 + 16 * v6 + 77 * v8 - 63 * v9 == -13258)
solver.add(81 * v11 + -48 * v9 + 66 * v8 + -104 * v6 + -121 * v7 + 95 * v5 + 85 * v4 + 60 * v3 + -85 * v2 + 80 * v1 == -1559)
solver.add(101 * v11 + -85 * v9 + 7 * v6 + 117 * v7 + -83 * v5 + -101 * v4 + 90 * v3 + -28 * v1 + 18 * v2 - v8 == 6308)
solver.add(99 * v11 + -28 * v9 + 5 * v8 + 93 * v6 + -18 * v7 + -127 * v5 + 6 * v4 + -9 * v3 + -93 * v1 + 58 * v2 == -1697)

if solver.check() == sat:
    print(solver.model())

# The solved values, written out in flag order
flag = [70, 48, 117, 82, 84, 121, 95, 55, 119, 64]
for i in flag:
    print(chr(i), end="")
```

The shift operations can be replaced with multiplication.

flag: actf{F0uRTy_7w@_42}
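
The ten equality constraints in the z3 script above form a square linear system, so they can also be solved exactly without an SMT solver, which at the same time confirms that the solution is unique. The following is an added example, not part of the original writeup: the coefficient table is transcribed from those constraints, `solve_exact`, `recover` and `FLAG_ORDER` are names introduced here, and `FLAG_ORDER` is an assumed variable order chosen because it reproduces the byte list hardcoded in the script.

```python
from fractions import Fraction

NAMES = ["v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "v9", "v11"]
# Coefficients transcribed from the ten z3 constraints (shifts already
# written as *64 and *128). Columns follow NAMES; last column is the constant.
SYSTEM = [
    [-20, 95, 12, 84, -45, 97, 1, 58, -85, 0, 12613],
    [-86, -15, -41, -115, -66, -122, -81, -30, -70, 30, -54400],
    [78, -41, -89, 48, 31, -64, 108, 120, -120, -103, -10283],
    [85, 79, -111, -30, 99, 71, 128, -119, 48, -16, 22855],
    [22, -98, -69, 10, -117, -19, 99, 122, 23, 5, -2944],
    [124, -85, -82, -11, -8, 95, -60, -23, 100, -54, -2222],
    [41, -57, 73, -18, 26, 16, -111, 77, -63, -83, -13258],
    [80, -85, 60, 85, 95, -104, -121, 66, -48, 81, -1559],
    [-28, 18, 90, -101, -83, 7, 117, -1, -85, 101, 6308],
    [-93, 58, -9, 6, -127, 93, -18, 5, -28, 99, -1697],
]
# Assumption: order in which the solved variables spell the input string
# (it reproduces the byte list hardcoded in the script above).
FLAG_ORDER = ["v2", "v1", "v3", "v4", "v5", "v7", "v6", "v8", "v9", "v11"]


def solve_exact(system):
    """Gauss-Jordan elimination over the rationals; raises if singular."""
    rows = [[Fraction(x) for x in row] for row in system]
    n = len(rows)
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular system: no unique solution")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        p = rows[col][col]
        rows[col] = [x / p for x in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                factor = rows[r][col]
                rows[r] = [a - factor * b for a, b in zip(rows[r], rows[col])]
    return [row[-1] for row in rows]


def recover():
    """Return (variable -> value, input string); raise if not 7-bit integers."""
    solution = solve_exact(SYSTEM)
    if any(x.denominator != 1 or not 0 <= x < 128 for x in solution):
        raise ValueError("solution is not a vector of 7-bit integers")
    values = dict(zip(NAMES, map(int, solution)))
    return values, "".join(chr(values[name]) for name in FLAG_ORDER)


if __name__ == "__main__":
    print(recover())
```

Note that the solved variables do not spell the string in declaration order: `v1`/`v2` and `v6`/`v7` are swapped relative to the input bytes.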