int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int seed; // eax
int inputNum; // ebx
char buf[56]; // [rsp+0h] [rbp-50h] BYREF
int choice; // [rsp+38h] [rbp-18h]
int counter; // [rsp+3Ch] [rbp-14h]
setvbuf(_bss_start, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 1, 0LL);
counter = 2;
do
{
if ( !counter )
break;
choice = printMenu();//打印菜单,1:调用time()函数作为rand->seed并生成一个数对比用户输入,一样则getshell
if ( choice == 1 )
{
--counter;
puts("input num:");
seed = time(0LL);
srand(seed);
inputNum = getInputNumber();//getInputNumber只允许最多输入8个数字(十进制)
if ( inputNum == rand() )//rand()生成的随机数值为10个十进制数,常规输入无法相等
system("/bin/sh");
}
if ( choice == 2 )
{
--counter;
puts("hello from ctfhub");
read(0, buf, 0xD0uLL);//栈溢出,RBP+8处为__libc_start_main;RBP+0x10处为0;RBP+0x18处为main函数地址,其中main中的system调用位于<main+9A>处,末2字节为0xAD2;RSP+0x10处为VDSO基址
}
}
while ( choice != 3 );
return 0;
}
