我可是会飞的啊 主要方向:re,pwn

[Pico CTF] pwn-homework writeup:一次有趣虚拟化分析之旅

原文出处:先知社区(若*风):《PicoCTF homework wp:一次有趣代码虚拟化分析之旅》:https://xz.aliyun.com/t/15354?time__1311=GqjxnD2DyGGQitD%2FD0eH%3Di%3DBgciDuGOoD 前言 时隔多日的又一次虚拟化代码分析

selph Published on 2024-09-05

栈溢出练习:ROP Emporium

1 前言 我第一次做这套练习是在初学pwn的时候,隐约记得当时做了一半放弃是卡在了fluff上,当时很复杂,没耐心搞懂bextr和xlat指令就放弃了,现在回过头来,补全当初 这套练习非常适合新手用于栈溢出的学习练习和查缺补漏,关于栈溢出的8个情况,从最基础的覆盖返回地址,到rop,到利用一些机制完

selph Published on 2024-08-09

[HTB] pwn - Restaurant

经典的栈溢出基础题 analysis: checksec:没有Canary和PIE pwn_restaurant ➤ checksec restaurant

selph Published on 2024-05-24

[HTB] gamepwn - LightningFast

[HTB] gamepwn - LightningFast 这是个网络程序,问题来自于客户端请求包可以篡改 analysis & exploit: 抓包看到游戏走的是HTTP流量,配置Proxifier+Burp进行中间人流量修改,修改分数提交的请求即可,整个流程的数据交互如下: 这个修改的请求:

selph Published on 2024-05-24

[HTB] pwn - Bad grades

简单的题也有很多小细节上的知识收获 analysis: checksec:无PIE,其他全开 Bad grades ➤ checksec bad_grades [*] '/mnt/c/Users/selph/Downloads/HTB/pwn/Bad grades/bad_grades' A

selph Published on 2024-05-23

[HTB] gamepwn - CubeMadness1~2

CubeMadness1:直接修改内存 dw 目标是获取20个cubes,但是场地总共就6个,所以就是CE改数值即可 搜到三个值,直接改成20,出现flag: HTB{CU83_M4DN355_UNM4DD3N3D} CubeMadness2:修改加密内存 <

selph Published on 2024-05-19

[HTB] pwn - Execute

analysis: shellcode题: .text:00000000000012ED ; int __fastcall main(int argc, const char **argv, const char **envp) .text:00000000000012ED

selph Published on 2024-05-18

[TBTL CTF 2024] re - Floopowder(Frida Hook 巧解算法问题)

analysis 分析的时候先别陷入细节,先看整体逻辑: __int64 __fastcall main(int a1, char **a2, char **a3) { int i; // [rsp+0h] [rbp-20h] int j; // [rsp+4h] [rbp-1Ch] i

selph Published on 2024-05-17

[HTB] re - Simple Encryptor

analysis: int __fastcall main(int argc, const char **argv, const char **envp) { char v3; // al char tmp_byte; // [rsp+7h] [rbp-39h] unsigned int

selph Published on 2024-05-09

osu!gaming CTF 2024 (2 pwn)

前言 比赛总共4个pwn,做了2个,剩下1个没看,1个没懂 pwn - betterthanu 题目分析 给出了源码: #include <stdio.h> #include <string.h> #include <stdlib.h> #include <stdint.h> FILE *flag

selph Published on 2024-03-05

[技能兴鲁2023 决赛 职工组]re-ezalgorithm

附件给了个exe,是pyinstaller打包的结果,没操作过这种程序,赛场上也没做出来,现在再来做一做(输在了没准备工具上) 环境准备 解包需要两个工具 pyinstxtractor.py:exe -> pyc github地址:extremecoders-re/pyinstxtractor: P

selph Published on 2023-11-30

[Pico CTF 2022]pwn-basic-file-exploit

题目分析 只给了个源码.c文件:应该只是逻辑问题 #include <stdio.h> #include <stdlib.h> #include <stdbool.h> #include <string.h> #include <stdint.h> #include <ctype.h> #inclu

selph Published on 2023-11-07

[Pico CTF 2021]pwn-Unsubscriptions Are Free

题目分析 给出了程序和源码 ➜ pwn-Unsubscriptions Are Free pwn checksec vuln [*] '/home/selph/Downloads/PicoCTF/pwn-Unsubscriptions Are Free/vuln' Arch: i3

selph Published on 2023-11-07

[Pico CTF 2021]pwn-Here's a Libc

题目分析 无PIE,有NX,无Canary,一眼疑似栈溢出 [*] "/home/selph/Downloads/PicoCTF/pwn-Here's a LIBC/vuln" Arch: amd64-64-little RELRO: Partial RELRO

selph Published on 2023-11-07

[Pico CTF 2021]pwn-Cache Me Outside

题目分析 题目给了三个文件,libc版本是2.27,其中给了个makefile: ➜ pwn-Cache Me Outside cat Makefile all: gcc -Xlinker -rpath=./ -Wall -m64 -pedantic -no-pie --std=gnu99 -

selph Published on 2023-11-03
Previous Next