Stack Smashing
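When the canary is overwritten, __stack_chk_fail is called and prints the string pointed to by argv[0], which by default is the program name. If we overwrite that pointer with another address, it prints the contents of that other memory address instead.
Example: wdb2018_guess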
Analyze
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
This is GUESS FLAG CHALLENGE!
Please type your guessing flag
123
You should take more effort to get six sence, and one more challenge!!
Please type your guessing flag
The above shows the protections the program has enabled and its general flow.
main
__int64 __fastcall main(__int64 a1, char ...
axb_2019_fmt32
Involved Knowledge
format string
Checksec
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Program
Hello,I am a computer Repeater updated.
After a lot of machine learning,I know that the essence of man is a reread machine!
So I'll answer whatever you say!
Please tell me:123
Repeater:123
Analyze
main
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
char s[257]; // ...
This challenge records a question I had.
Involved Knowledge
RSA
Private key decryption
Topic
public.key
Involved Knowledge
RSA
Shared prime number
Topic
public1.pub
Involved Knowledge
RSA
Adjacent Element
Description
import hashlib
import sympy
from Crypto.Util.number import *
flag = 'GWHT{******}'
secret = '******'
assert(len(flag) == 38)
half = len(flag) / 2
flag1 = flag[:half]
flag2 = flag[half:]
secret_num = getPrime(1024) * bytes_to_long(secret)
p = sympy.nextprime(secret_num)
q = sympy.nextprime(p)
N = p * q
e = 0x10001
F1 = bytes_to_long(flag1)
F2 = bytes_to_long(flag2)
c1 = F1 + F2
c2 = pow(F1, 3) + pow(F2, 3)
assert(c2 <...
Involved Knowledge
retlibc
The leak of the write function
checksec
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
NX is enabled, so we cannot write shellcode; in this situation we usually consider ROP.
Running Program
Input:
123 (user input)
Hello, World!
Analyze
main
int __cdecl main(int argc, const char **argv, const char **envp)
{
vulnerable_function(argc, argv, envp);
return write(1, "Hello, World!\n", 0xEuLL);
}
It executes the vulnerable_function function and then prints Hello World! I...