AD-world

攻防世界刷题笔记

new-easypwn

checksec:

briteny@localhost:/mnt/d/111/practice$ checksec hello
[*] '/mnt/d/111/practice/hello'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled

IDA:

main

/*
 * IDA pseudocode of the challenge's menu loop. main() calls sub_B56 once
 * for setup and then dispatches forever on the choice returned by sub_C32;
 * there is no exit path, hence __noreturn. The choice numbers correspond to
 * the menu text printed by sub_C32:
 *   1 -> sub_E13  ("Add Record")
 *   2 -> sub_1003 ("Delete Record")
 *   3 -> sub_10EB ("Show Record")
 *   4 -> sub_CCE  ("Edit Record")
 * Any other value prints "bad choice!" and re-prompts.
 *
 * The three arguments are forwarded to sub_B56 although its decompiled
 * signature takes none -- a decompiler artifact, they are not used.
 */
void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
    int v3; // eax

    sub_B56(a1, a2, a3);
    while ( 1 )
    {
        // Inner loop: choice 2 (delete) is serviced here and re-prompts
        // without leaving the loop; any other choice breaks out.
        while ( 1 )
        {
            v3 = sub_C32();
            if ( v3 != 2 )
                break;
            sub_1003();
        }
        if ( v3 > 2 )
        {
            if ( v3 == 3 )
            {
                sub_10EB();
            }
            else if ( v3 == 4 )
            {
                sub_CCE();
            }
            else
            {
LABEL_13:
                printf("bad choice!");
            }
        }
        else
        {
            // 0 (atoi() on non-numeric input), negatives and anything
            // else below 2 that is not 1 end up at "bad choice!" too.
            if ( v3 != 1 )
                goto LABEL_13;
            sub_E13();
        }
    }
}

sub_B56()

/*
 * One-time setup called from main: make stdio unbuffered, install `handler`
 * for signal 14 (SIGALRM on Linux) with a 0x3C = 60 second alarm, and clear
 * the four record slots.
 *
 * Record-table layout as inferred from the offsets used here and in the
 * other sub_* functions (to be confirmed against the binary):
 *   unk_2020E0 + 32*i  : 32-byte record i, i = 0..3
 *     +0   phone number string (11 bytes up to the name field)
 *     +11  name string        (unk_2020EB == unk_2020E0 + 0xB)
 *     +24  char *des          (qword_2020F8 == unk_2020E0 + 0x18;
 *                              index 4*i steps 32 bytes per record)
 *   dword_2020C0[i]    : size passed to malloc() for record i's des buffer
 *   dword_2020BC       : number of records added so far (see sub_E13)
 *
 * The return value is whatever the low 32 bits of rax hold at the end
 * (alarm()'s result or &unk_2020EB) -- a decompiler artifact, not a
 * meaningful status; main ignores it.
 */
int sub_B56()
{
    void *v0; // rax
    int i; // [rsp+Ch] [rbp-4h]

    setvbuf(stdin, 0LL, 2, 0LL);  // mode 2 is _IONBF in glibc: no buffering
    setvbuf(stdout, 0LL, 2, 0LL);
    setvbuf(stdout, 0LL, 2, 0LL); // duplicated in the binary; harmless
    signal(14, (__sighandler_t)handler);
    LODWORD(v0) = alarm(0x3Cu);
    // Zero the des pointer, phone[0] and name[0] of every slot. Note that
    // dword_2020C0[] and dword_2020BC are not reset here (presumably
    // zero-initialised .bss -- TODO confirm).
    for ( i = 0; i <= 3; ++i )
    {
        qword_2020F8[4 * i] = 0LL;
        *((_BYTE *)&unk_2020E0 + 32 * i) = 0;
        v0 = &unk_2020EB;
        *((_BYTE *)&unk_2020EB + 32 * i) = 0;
    }
    return (int)v0;
}

sub_C32()

/*
 * Print the menu and return the user's choice as an int.
 *
 * At most 0xA = 10 bytes are read into the 24-byte stack buffer, so the
 * read itself cannot overflow. However `buf` is neither initialised nor
 * explicitly NUL-terminated in the pseudocode, and read()'s return value
 * is ignored: atoi() simply stops at the first non-digit, which on a
 * short read may be leftover stack contents. Non-numeric input yields 0,
 * which main reports as "bad choice!".
 *
 * v2 holds the stack-protector canary; the pseudocode shows no compare
 * on it in this function (unlike the other sub_* functions).
 */
int sub_C32()
{
    char buf[24]; // [rsp+0h] [rbp-20h] BYREF
    unsigned __int64 v2; // [rsp+18h] [rbp-8h]

    v2 = __readfsqword(0x28u);
    puts("-------PhoneRecord-----------");
    puts("-------1.Add Record----------");
    puts("-------2.Delete Record-------");
    puts("-------3.Show Record---------");
    puts("-------4.Edit Record---------");
    printf("your choice>>");
    read(0, buf, 0xAuLL);
    return atoi(buf);
}

sub_1003()

/*
 * Menu 2, "Delete Record": free the des buffer of record v1 and clear its
 * phone[0], name[0] and size fields.
 *
 * Review notes:
 *  - The index check is sound: v1 is unsigned, so only 0..3 pass.
 *  - There is no "slot in use" check, so deleting an empty or already
 *    deleted slot calls free() on a NULL or stale pointer.
 *  - qword_2020F8[4 * v1] is NOT cleared after free(); the record keeps a
 *    dangling pointer that sub_10EB (show) and sub_CCE (edit) still
 *    dereference, and deleting the same index twice frees the same
 *    pointer twice. Setting the slot to 0 after free() would close both.
 *  - dword_2020BC (the record count) is not decremented, so a deleted
 *    slot is never reused by sub_E13.
 *
 * Returns the canary XOR from the stack-protector epilogue, as decompiled.
 */
unsigned __int64 sub_1003()
{
    unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
    unsigned __int64 v2; // [rsp+8h] [rbp-8h]

    v2 = __readfsqword(0x28u);
    printf("input index:");
    __isoc99_scanf("%d", &v1);
    if ( v1 > 3 )
    {
        puts("bad index!");
    }
    else
    {
        free((void *)qword_2020F8[4 * (int)v1]);  // pointer left in place afterwards
        *((_BYTE *)&unk_2020EB + 32 * (int)v1) = 0; // name[0]: the "in use" flag read by sub_10EB
        *((_BYTE *)&unk_2020E0 + 32 * (int)v1) = 0; // phone[0]
        dword_2020C0[v1] = 0;                       // des size, used as read() length by sub_CCE
        puts("delete sucess!");
    }
    return __readfsqword(0x28u) ^ v2;
}

sub_10EB()

/*
 * Menu 3, "Show Record": print phone, name and des of record v1 when the
 * index is in range and name[0] (unk_2020EB + 32*v1) is non-zero, which
 * the program uses as its "slot in use" flag.
 *
 * Review notes:
 *  - The phone-number field is passed to printf() as the FORMAT string
 *    rather than as an argument, so any '%' conversions stored there by
 *    sub_E13/sub_CCE are interpreted by printf -- a format-string bug.
 *    The fix is `printf("%s", (const char *)&unk_2020E0 + 32 * (int)v1);`.
 *  - des is printed through the stored pointer even after sub_1003 has
 *    freed it, because that function never clears the pointer (the
 *    in-use flag is cleared, but sub_CCE can set name[0] again without
 *    allocating a new buffer).
 *
 * Returns the canary XOR from the stack-protector epilogue, as decompiled.
 */
unsigned __int64 sub_10EB()
{
    unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
    unsigned __int64 v2; // [rsp+8h] [rbp-8h]

    v2 = __readfsqword(0x28u);
    printf("input index:");
    __isoc99_scanf("%d", &v1);
    if ( v1 <= 3 && *((_BYTE *)&unk_2020EB + 32 * (int)v1) )
    {
        printf("number:");
        printf((const char *)&unk_2020E0 + 32 * (int)v1);  // user data used as the format string
        printf("\nname:%s\n", (const char *)&unk_2020E0 + 32 * (int)v1 + 11);
        printf("des:%s\n", *((const char **)&qword_2020F8 + 4 * (int)v1));
    }
    else
    {
        puts("bad index!");
    }
    return __readfsqword(0x28u) ^ v2;
}

sub_CCE()

/*
 * Menu 4, "Edit Record": overwrite the phone, name and des of record v1.
 *
 * Review notes:
 *  - Both scanf("%s") calls have no field width. The phone field has
 *    11 bytes before the name field and the name field 13 bytes before
 *    the des pointer, so longer input overruns into the neighbouring
 *    fields and records; a width such as "%10s" / "%12s" would bound
 *    the writes.
 *  - There is no "slot in use" check. For a slot deleted by sub_1003 the
 *    read() targets the freed des pointer; its length dword_2020C0[v1]
 *    is 0 at that point, so no bytes land, but the name[0] write above
 *    re-marks the slot as in use for sub_10EB.
 *  - read()'s length is the size recorded by sub_E13 (the malloc size),
 *    and its return value is ignored.
 *
 * Returns the canary XOR from the stack-protector epilogue, as decompiled.
 */
unsigned __int64 sub_CCE()
{
    unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
    unsigned __int64 v2; // [rsp+8h] [rbp-8h]

    v2 = __readfsqword(0x28u);
    printf("input index:");
    __isoc99_scanf("%d", &v1);
    if ( v1 > 3 )
    {
        puts("bad index!");
    }
    else
    {
        printf("phone number:");
        __isoc99_scanf("%s", (char *)&unk_2020E0 + 32 * (int)v1);       // unbounded, 11-byte field
        printf("name:");
        __isoc99_scanf("%s", (char *)&unk_2020E0 + 32 * (int)v1 + 11);  // unbounded, 13-byte field
        printf("des info:");
        read(0, (void *)qword_2020F8[4 * (int)v1], (int)dword_2020C0[v1]);
    }
    return __readfsqword(0x28u) ^ v2;
}

sub_E13()

/*
 * Menu 1, "Add Record": fill slot dword_2020BC with phone, name and a
 * heap-allocated des buffer of a user-chosen size (at most 0x80), then
 * increment the record count.
 *
 * Review notes:
 *  - The "full!" check (dword_2020BC > 3) comes AFTER the two scanf("%s")
 *    writes, so once four records exist the phone/name input is written to
 *    "slot 4", i.e. past the end of the 4-record table at
 *    unk_2020E0 + 128 (whatever .bss object follows it). The check must
 *    precede the writes.
 *  - scanf("%s") is unbounded here as well (see sub_CCE).
 *  - The copy loop runs for i = 0..v1 inclusive (`i <= (int)v1`). If no
 *    newline arrives within the first v1 bytes, iteration i == v1 writes
 *    v3[v1], one byte past the malloc(v1) allocation -- an off-by-one
 *    heap overflow. `i < (int)v1` is the correct bound.
 *  - malloc()'s result is not checked, and v1 == 0 gives malloc(0).
 *  - On a rejected size (> 0x80) the count is not bumped, but the
 *    phone/name already written into the slot remain, so sub_10EB will
 *    treat that slot as in use with a NULL (or stale) des pointer.
 *
 * Returns the canary XOR from the stack-protector epilogue, as decompiled.
 */
unsigned __int64 sub_E13()
{
    unsigned int v1; // [rsp+8h] [rbp-18h] BYREF
    int i; // [rsp+Ch] [rbp-14h]
    _BYTE *v3; // [rsp+10h] [rbp-10h]
    unsigned __int64 v4; // [rsp+18h] [rbp-8h]

    v4 = __readfsqword(0x28u);
    v1 = 0;
    printf("phone number:");
    __isoc99_scanf("%s", (char *)&unk_2020E0 + 32 * dword_2020BC);       // written before the bounds check below
    printf("name:");
    __isoc99_scanf("%s", (char *)&unk_2020E0 + 32 * dword_2020BC + 11);  // written before the bounds check below
    if ( (unsigned int)dword_2020BC > 3 )
    {
        printf("full!");
    }
    else
    {
        printf("input des size:");
        __isoc99_scanf("%d", &v1);
        if ( v1 <= 0x80 )
        {
            dword_2020C0[dword_2020BC] = v1;  // remembered as the read() length for sub_CCE
            v3 = malloc((int)v1);             // unchecked
            printf("des info:");
            // Byte-at-a-time read up to a newline; the bound is inclusive,
            // so v3[v1] can be written (one past the allocation).
            for ( i = 0; i <= (int)v1; ++i )
            {
                read(0, &v3[i], 1uLL);
                if ( v3[i] == 10 )
                {
                    v3[i] = 0;
                    break;
                }
            }
            qword_2020F8[4 * dword_2020BC++] = v3;  // store pointer, then advance the count
        }
    }
    return __readfsqword(0x28u) ^ v4;
}
