oin

writeup


luck_guy

<p>[TOC]</p> <h1>🌓分析</h1> <p>获取flag的地方在get_flag()函数里</p> <p><img src="https://pic.imgdb.cn/item/63761baa16f2c2beb16ff5ab.png" alt="" /> </p> <p>由于本身它rand不具有确定性,所以我们可以patch程序直接跳转到case 4再跳转到case 5,最后跳转到case 1即可拿到flag</p> <p><img src="https://pic.imgdb.cn/item/63761e3f16f2c2beb174dc43.png" alt="" /> </p> <p><img src="https://pic.imgdb.cn/item/63761e7116f2c2beb1752004.png" alt="" /> </p> <p><img src="https://pic.imgdb.cn/item/63761ebf16f2c2beb1759e51.png" alt="" /> </p> <p><img src="https://pic.imgdb.cn/item/63761ef616f2c2beb175ea44.png" alt="" /> </p> <p>最后就可以获取到flag了</p> <p><img src="https://pic.imgdb.cn/item/63761f4716f2c2beb176598d.png" alt="" /></p> <h1>🌓附件</h1> <p>patch前: <a href="https://cowtransfer.com/s/95ff6151eeca4e">https://cowtransfer.com/s/95ff6151eeca4e</a> patch后: <a href="https://cowtransfer.com/s/93bf4585f4f240">https://cowtransfer.com/s/93bf4585f4f240</a></p>

页面列表

ITEM_HTML