Uncategorized
537 words
Why stack pivoting is needed: when the space available in a stack overflow is too small to hold the payload. How stack pivoting is done: overwrite the saved ebp with a constructed fake_ebp, then use a leave_ret gadget to hijack esp to the address of fake_ebp, which migrates the stack there. Why leave; ret: leave is mov esp, ebp; pop ebp, and ret is pop eip. The procedure: first the program has a stack overflow, and we overwrite the stack to look like the following (figure). After mov esp, ebp executes, pop ebp follows; the result is shown in the figure. Since esp is the stack-top pointer, pop ebp pops the top element into ebp, so esp moves by 4 bytes, that is, one slot. The next step uses the ret of read() to write input to the address fake_ebp1; the main point is to place the address of fake_ebp2 at fake_ebp1. Then comes leave_ret, which repeats the mov esp, ebp; pop ebp; pop eip sequence above. After mov esp, ebp, then pop ebp, because fake_...
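The register and stack movements described above, as an added example that is not part of the original post: a tiny model of esp/ebp/eip and dword memory executes the vulnerable function's epilogue and then the leave; ret gadget, so each step of the migration can be checked. Every address (LEAVE_RET, TARGET, FAKE_EBP, SAVED_EBP_SLOT, ARG) is an assumption chosen for the demo.

```python
# Added example (not from the original post): a minimal register/memory model
# that runs "leave; ret" twice to show how esp is migrated to the fake frame.
# All addresses below are assumptions chosen for the demo.

LEAVE_RET = 0x08048530       # assumed address of a "leave; ret" gadget
TARGET = 0x08048400          # assumed address we want to land in after the pivot
FAKE_EBP = 0x0804A100        # assumed writable address (e.g. .bss) holding the fake frame
SAVED_EBP_SLOT = 0xFFFFD000  # assumed address of the overflowed saved-ebp slot
ARG = 0x0804A200             # assumed pointer passed as the first argument to TARGET


class Cpu32:
    """Just esp/ebp/eip and dword-granular memory: enough to model leave and ret."""

    def __init__(self, mem):
        self.mem = dict(mem)   # address -> 32-bit value; unset addresses read as 0
        self.esp = 0
        self.ebp = 0
        self.eip = 0

    def read(self, addr):
        return self.mem.get(addr, 0)

    def pop(self):
        value = self.read(self.esp)
        self.esp += 4          # one dword leaves the stack, so esp moves by 4 bytes
        return value

    def leave(self):
        self.esp = self.ebp    # mov esp, ebp
        self.ebp = self.pop()  # pop ebp

    def ret(self):
        self.eip = self.pop()  # pop eip

    def state(self):
        return {"esp": self.esp, "ebp": self.ebp, "eip": self.eip}


def build_memory():
    """Stack after the overflow, plus the fake frame prepared at FAKE_EBP."""
    return {
        SAVED_EBP_SLOT: FAKE_EBP,       # saved ebp      -> fake_ebp
        SAVED_EBP_SLOT + 4: LEAVE_RET,  # return address -> leave; ret gadget
        FAKE_EBP: 0xDEADBEEF,           # fake frame: value popped into ebp (unused here)
        FAKE_EBP + 4: TARGET,           # fake frame: address the second ret jumps to
        FAKE_EBP + 8: 0x41414141,       # fake frame: return address TARGET would use
        FAKE_EBP + 12: ARG,             # fake frame: first argument of TARGET (cdecl)
    }


def run_pivot():
    """Execute the overflowed function's epilogue, then the gadget; return both states."""
    cpu = Cpu32(build_memory())
    cpu.ebp = SAVED_EBP_SLOT   # ebp still points at the (overwritten) saved-ebp slot

    # 1. epilogue of the overflowed function: esp = ebp; ebp = fake_ebp; eip = gadget
    cpu.leave()
    cpu.ret()
    after_epilogue = cpu.state()

    # 2. the leave; ret gadget: esp = fake_ebp, so the fake frame is now the stack
    cpu.leave()
    cpu.ret()
    after_gadget = cpu.state()
    after_gadget["arg0"] = cpu.read(cpu.esp + 4)  # where TARGET looks for its 1st arg
    return after_epilogue, after_gadget


if __name__ == "__main__":
    for name, st in zip(("after epilogue", "after gadget"), run_pivot()):
        print(name, {k: hex(v) for k, v in st.items()})
```

After the gadget, eip is TARGET and esp is FAKE_EBP + 8, so TARGET sees its return address at [esp] and its first argument at [esp + 4], exactly the layout a cdecl call would produce.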
Uncategorized
2.5k words
Stack Smashing: when the canary is overwritten, the program calls __stack_chk_fail, which prints the string pointed to by argv[0], by default the program name. If we overwrite that pointer with another address, it prints the contents of that memory address instead (this leak relies on an older glibc; from glibc 2.26 onward __fortify_fail no longer prints argv[0]). Example: wdb2018_guess. Analyze:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
This is GUESS FLAG CHALLENGE! Please type your guessing flag 123 You should take more effort to get six sence, and one more challenge!! Please type your guessing flag
Above are the protections the program enables and its rough flow. main: __int64 __fastcall main(__int64 a1, char ...
Uncategorized
1.6k words
axb_2019_fmt32. Involved Knowledge: format string. Checksec:
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Program: Hello,I am a computer Repeater updated. After a lot of machine learning,I know that the essence of man is a reread machine! So I'll answer whatever you say! Please tell me:123 Repeater:123
Analyze main: int __cdecl __noreturn main(int argc, const char **argv, const char **envp) { char s[257]; // ...
Uncategorized
110 words
Description: While solving a problem today I ran into a case where $n = p^2 q$, so I am noting it down. Attack: In short, for the case $n = p^2 q$ we only need to use $\phi(n) = p(p-1)(q-1)$; the remaining attack steps are as usual.
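A worked check of the $\phi(n) = p(p-1)(q-1)$ claim, added here and not part of the original post: keys are built from two constructed small primes with $n = p^2 q$, a message is encrypted, and decryption is attempted both with the correct $\phi(n)$ and with the textbook $(p-1)(q-1)$, which is wrong for this modulus and fails for almost every message. Primes, exponent and message are assumptions chosen for the demo.

```python
# Added example (not from the original post): RSA with n = p^2 * q. Decryption
# needs phi(n) = p(p-1)(q-1) because phi(p^2) = p(p-1); the naive (p-1)(q-1)
# gives an exponent that does not invert e in the real group. Primes and message
# below are constructed for the demo.

from math import gcd

P, Q = 10007, 10009          # constructed small primes (both are prime)
E = 0x10001


def keygen_p2q(p, q, e=E):
    """Return (n, phi, d) for n = p^2 * q using phi(n) = p(p-1)(q-1)."""
    n = p * p * q
    phi = p * (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    return n, phi, pow(e, -1, phi)


def decrypt_both_ways(m, p=P, q=Q, e=E):
    """Encrypt m under n = p^2 q, then decrypt with the correct and the naive phi."""
    n, phi, d = keygen_p2q(p, q, e)
    if not 0 < m < n:
        raise ValueError("message must be smaller than n")
    c = pow(m, e, n)
    naive_phi = (p - 1) * (q - 1)          # wrong for n = p^2 q
    d_naive = pow(e, -1, naive_phi)
    return {
        "n": n,
        "phi": phi,
        "correct": pow(c, d, n),           # == m
        "naive": pow(c, d_naive, n),       # almost always != m
    }


if __name__ == "__main__":
    r = decrypt_both_ways(123456789)
    print("n =", r["n"], "phi(n) =", r["phi"])
    print("correct phi recovers m:", r["correct"] == 123456789)
    print("naive phi recovers m:  ", r["naive"] == 123456789)
```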
Uncategorized
6k words
This post records a question about this problem. Involved Knowledge: RSA, private key decryption. Topic: public.key -----BEGIN PUBLIC KEY----- MIIBJDANBgkqhkiG9w0BAQEFAAOCAREAMIIBDAKCAQMlsYv184kJfRcjeGa7Uc/4 3pIkU3SevEA7CZXJfA44bUbBYcrf93xphg2uR5HCFM+Eh6qqnybpIKl3g0kGA4rv tcMIJ9/PP8npdpVE+U4Hzf4IcgOaOmJiEWZ4smH7LWudMlOekqFTs2dWKbqzlC59 NeMPfu9avxxQ15fQzIjhvcz9GhLqb373XDcn298ueA80KK6Pek+3qJ8YSjZQMrFT +EJehFdQ6yt6vALcFc4CB1B6qVCGO7hICngCjdYpeZRNbGM/r6ED5Nsozof1oMbt Si8mZEJ/Vlx3gathkUVtlxx/+jlScjdM7AFV5fkRi...
Uncategorized
5.1k words
Involved Knowledge: RSA, shared prime. Topic: public1.pub -----BEGIN PUBLIC KEY----- MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAQAma/gXML+bivU20mJu55PZ SjNAE6S0PQ2WV5sYIA7ZLbJ6lshW8cfohErN0TUIv+6O+hXSMFd4wrv27+f6akPE qeNL6LWjKqcnC9I03vbyYDZuLkfeoPwM9UHIuRUfU/l/LDOCkjkOkHN5SMufg66y OGc4wLDi9f8sET4QMerAVF/HZ7acpYYCu8QoWnOSy9KiVzKQMzKkaL+WcN2sbLsA 61zjixv7ybMHDmcyMKHb5VbfPsqMW19roYLV5luY3SlrhTogmyGg19Q3k7hYW3ca Jc7WLEbPD/OnlHMDLArNUYMyB9t0CdLNZZCHE6pbiMaNGS+rwGcqxHbWC...
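The shared-prime attack itself, as an added example that is not part of the original post: two moduli that share one prime factor are split with a single gcd, after which both private exponents follow. The primes (2^31 - 1, 1000003, 999983), the exponent and the messages are constructed for the demo rather than taken from public1.pub.

```python
# Added example (not from the original post): two RSA moduli sharing a prime
# are broken by gcd(n1, n2). Primes, exponent and messages are constructed.

from math import gcd

P_SHARED = 2147483647        # 2^31 - 1, a known prime, used by both keys
Q1, Q2 = 1000003, 999983     # known primes, one per key
E = 0x10001


def shared_prime_attack(n1, n2, e=E):
    """Recover the shared prime and both private exponents from n1 and n2."""
    p = gcd(n1, n2)
    if p in (1, n1, n2):
        raise ValueError("moduli do not share a proper factor")
    q1, q2 = n1 // p, n2 // p
    d1 = pow(e, -1, (p - 1) * (q1 - 1))
    d2 = pow(e, -1, (p - 1) * (q2 - 1))
    return p, d1, d2


def demo(m1, m2):
    """Build two keys with a common prime, encrypt, then break both with the attack."""
    n1, n2 = P_SHARED * Q1, P_SHARED * Q2
    if not (0 < m1 < n1 and 0 < m2 < n2):
        raise ValueError("messages must be smaller than their modulus")
    c1, c2 = pow(m1, E, n1), pow(m2, E, n2)
    p, d1, d2 = shared_prime_attack(n1, n2)
    return p, pow(c1, d1, n1), pow(c2, d2, n2)


if __name__ == "__main__":
    p, m1, m2 = demo(123456789, 987654321)
    print("shared prime:", p, "recovered:", m1, m2)
```

With real keys the moduli come out of the PEM files; the gcd step and everything after it are unchanged.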
Uncategorized
1.4k words
Involved Knowledge: RSA, Adjacent Element. Description:
import hashlib
import sympy
from Crypto.Util.number import *
flag = 'GWHT{******}'
secret = '******'
assert(len(flag) == 38)
half = len(flag) / 2
flag1 = flag[:half]
flag2 = flag[half:]
secret_num = getPrime(1024) * bytes_to_long(secret)
p = sympy.nextprime(secret_num)
q = sympy.nextprime(p)
N = p * q
e = 0x10001
F1 = bytes_to_long(flag1)
F2 = bytes_to_long(flag2)
c1 = F1 + F2
c2 = pow(F1, 3) + pow(F2, 3)
assert(c2 <...
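A complete attack on the key layout in the script above, added here and not part of the original post. Because q = nextprime(p), the two factors are consecutive primes and Fermat's method splits N in a couple of iterations; c1 and c2 then give F1 + F2 and F1^3 + F2^3, and since F1^3 + F2^3 = (F1 + F2)((F1 + F2)^2 - 3 F1 F2), the product F1 F2 follows and the halves are the roots of x^2 - (F1 + F2) x + F1 F2. The flag, the secret number and the Miller-Rabin/next_prime helpers (stand-ins for sympy.nextprime) are constructed for the demo; the example assumes, as the truncated assert suggests, that c1 and c2 are encrypted with N.

```python
# Added example (not from the original post): Fermat factoring of adjacent primes,
# then recovery of F1 and F2 from F1 + F2 and F1^3 + F2^3. Flag, secret and the
# primality helpers are constructed for the demo (sympy is not required).

from math import isqrt

E = 0x10001
FLAG = b"GWHT{constructed_example_flag_0x12345}"    # constructed, 38 bytes
SECRET_NUM = int.from_bytes(
    b"constructed secret for this demo, definitely not the real one!!!", "big") | 1


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: fine for a demo, not for key generation."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in small:
        return True
    if any(n % s == 0 for s in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest prime strictly greater than n (same contract as sympy.nextprime)."""
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def fermat_factor(n, max_steps=1_000_000):
    """Write n = a^2 - b^2 = (a - b)(a + b); fast when the two factors are close."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    raise ValueError("factors are not close enough for Fermat's method")


def split_sum_and_cubes(c1, c2):
    """From s = F1 + F2 and t = F1^3 + F2^3 recover (max(F1, F2), min(F1, F2)).
    t = s(s^2 - 3 F1 F2), so F1 F2 = (s^3 - t) / (3 s); then F1, F2 are the
    roots of x^2 - s x + F1 F2 and (F1 - F2)^2 is a perfect square."""
    prod = (c1 ** 3 - c2) // (3 * c1)
    diff = isqrt(c1 * c1 - 4 * prod)
    return (c1 + diff) // 2, (c1 - diff) // 2


def make_challenge(flag=FLAG, secret_num=SECRET_NUM):
    """Mirror the generation script: adjacent primes, then c1 and c2 encrypted under N."""
    half = len(flag) // 2
    f1 = int.from_bytes(flag[:half], "big")
    f2 = int.from_bytes(flag[half:], "big")
    p = next_prime(secret_num)
    q = next_prime(p)
    n = p * q
    c1, c2 = f1 + f2, f1 ** 3 + f2 ** 3
    assert c2 < n                     # same sanity check the challenge script performs
    return n, pow(c1, E, n), pow(c2, E, n)


def solve(n, enc1, enc2):
    """Factor N with Fermat, decrypt c1 and c2, solve for the halves, rebuild the flag."""
    p, q = fermat_factor(n)
    d = pow(E, -1, (p - 1) * (q - 1))
    c1, c2 = pow(enc1, d, n), pow(enc2, d, n)
    a, b = split_sum_and_cubes(c1, c2)
    parts = [x.to_bytes((x.bit_length() + 7) // 8, "big") for x in (a, b)]
    for cand in (parts[0] + parts[1], parts[1] + parts[0]):
        if cand.startswith(b"GWHT{"):   # the system is symmetric, so try both orders
            return cand
    raise ValueError("neither ordering of the halves yields a flag")


if __name__ == "__main__":
    print(solve(*make_challenge()))
```

fermat_factor works for any N whose factors are close, not only for consecutive primes: the number of iterations grows roughly with (q - p)^2 / (8 p), which is below one for adjacent primes of this size.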