- 文件
链接:https://pan.baidu.com/s/1yBSjjoSosYH6alFL8kI_uQ
提取码:d10s
- EXP
import os
#flag = "flag{96c69646-8184-4363-8de9-73f7398066c1}"
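# Brute-force helper for the ./Petition challenge binary: recovers the expected
# input one character at a time by watching, under gdb, whether a
# per-position address is executed.
#
# NOTE(review): the indentation of this listing was lost on the page; the
# nesting below is reconstructed from the with/while/if structure.

# One address per input position, used as a "this position was accepted"
# marker. NOTE(review): presumably each lies on the success path of one
# per-character check -- confirm in a disassembler. The values are absolute,
# so they only match when the binary is loaded at the same base (gdb disables
# address randomisation for the debuggee by default).
addr_l = [
    0x5655619c, 0x5655622a, 0x565562b8, 0x56556344, 0x565563d0, 0x5655645c,
    0x565564e8, 0x56556574, 0x56556602, 0x5655668e, 0x5655671c, 0x565567a6,
    0x56556834, 0x565568c2, 0x5655694e, 0x565569da, 0x56556a64, 0x56556aee,
    0x56556b7a, 0x56556c06, 0x56556c94, 0x56556d20, 0x56556daa, 0x56556e34,
    0x56556ec2, 0x56556f4e, 0x56556fda, 0x56557064, 0x565570f0, 0x5655717a,
    0x56557208, 0x56557292, 0x5655731e, 0x565573ac, 0x5655743a, 0x565574c4,
    0x56557552, 0x565575de, 0x5655766c, 0x565576fa, 0x56557784, 0x56557810,
    0x5655789c,
]

flag = ""
for addr in addr_l:
    # gdb command file for this position: a breakpoint at the marker address
    # that prints a sentinel string and resumes, followed by `run`.
    # The `with` block closes the file; no explicit close() is needed.
    with open('script', 'w') as f:
        f.write("""break *{0} if $pc == {1}
commands
silent
printf "blogg9ggg"
continue
end
run""".format(hex(addr), hex(addr)))

    # Candidates are character codes 32..127 inclusive, as in the original.
    for i in range(32, 128):
        tflag = flag + chr(i)
        with open('in', 'w') as f:
            f.write(tflag)

        # The candidate is fed on stdin; gdb's output, including the sentinel
        # when the breakpoint fires, is captured in ./log.
        os.system("gdb ./Petition -batch -x script > log < in")

        with open("log") as f:
            hit = "blogg9ggg" in f.read()
        if hit:
            # Marker address was executed: keep this character, next position.
            flag += chr(i)
            break
    # If no candidate triggers the marker, flag is left unchanged and the
    # loop simply moves on to the next address.

# NOTE(review): placed after the loop; the original nesting of this line is
# not recoverable from the page.
print(flag)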