
buuctf pwn babyheap_0ctf_2017

buuctf pwn babyheap_0ctf_2017

第一次遇到保护全开的题

保护全开,一般是有关堆方面的题
// Decompiled entry point of the challenge binary (IDA pseudocode, kept as-is).
// Initialises the challenge state through sub_B70() and then loops over a
// numbered menu until option 5 is chosen.
// a1/a2/a3 arrive as argc/argv/envp; a3 is never used in this body.
// Returns 0 on menu choice 5; every other choice keeps the loop running.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char *v4; // [rsp+8h] [rbp-8h]  -- pointer returned by sub_B70() into the page it mmap'd; handed to every menu handler

  v4 = sub_B70();
  while ( 1 )
  {
    sub_CF4(a1, a2);        // presumably prints the menu; first pass gets argc, later passes get v4 via a1 (see below) -- confirm in sub_CF4
    switch ( sub_138C() )   // reads the menu choice; how non-numeric input is handled is not visible here
    {
      case 1LL:
        a1 = (__int64)v4;   // decompiler artifact: the register holding a1 is reloaded with v4 for the call
        sub_D48(v4);
        break;
      case 2LL:
        a1 = (__int64)v4;
        sub_E7F(v4);
        break;
      case 3LL:
        a1 = (__int64)v4;
        sub_F50(v4);
        break;
      case 4LL:
        a1 = (__int64)v4;
        sub_1051(v4);
        break;
      case 5LL:
        return 0LL;         // the only exit from the loop
      default:
        continue;           // unknown choice: redraw the menu and read again
    }
  }
}
           
// Decompiled setup routine (IDA pseudocode, kept as-is), called once from main().
// Turns off stdio buffering, arms a 60 s alarm, prints the banner, then maps one
// read/write page at an address derived from /dev/urandom and returns a pointer
// at a random 16-byte-aligned offset inside that page.
// Exits with -1 if the 16 random bytes cannot be read or if the kernel places
// the mapping somewhere other than the requested address.
// Returns: pointer into the freshly mapped page (main() stores it as v4).
char *sub_B70()
{
  int fd; // [rsp+4h] [rbp-3Ch]
  char *addr; // [rsp+8h] [rbp-38h]
  unsigned __int64 v3; // [rsp+10h] [rbp-30h]
  __int64 buf[4]; // [rsp+20h] [rbp-20h] BYREF  -- only buf[0..1] receive random bytes; buf[3] is the stack-cookie slot

  buf[3] = __readfsqword(0x28u);      // stack-protector cookie load (fs:0x28) as IDA renders it; consistent with "all protections on"
  setvbuf(stdin, 0LL, 2, 0LL);        // mode 2 == _IONBF: unbuffered stdin
  setvbuf(_bss_start, 0LL, 2, 0LL);   // mis-resolved symbol from the decompiler; presumably stdout -- confirm against the binary
  alarm(0x3Cu);                        // 60-second SIGALRM watchdog, usual for a remotely hosted challenge
  puts("===== Baby Heap in 2017 =====");
  fd = open("/dev/urandom", 0);        // flags 0 == O_RDONLY
  if ( fd < 0 || read(fd, buf, 0x10uLL) != 16 )   // exactly 16 bytes required; open failure or a short read is fatal
    exit(-1);
  close(fd);
  // Random page-aligned hint: value below 0x555555543000 + 0x10000, low 12 bits cleared.
  addr = (char *)((buf[0] % 0x555555543000uLL + 0x10000) & 0xFFFFFFFFFFFFF000LL);
  // Random 16-byte-aligned offset in [0, 0xE80), so the returned pointer always lies inside the 0x1000-byte page.
  v3 = (buf[1] % 0xE80uLL) & 0xFFFFFFFFFFFFFFF0LL;
  // prot 3 == PROT_READ|PROT_WRITE, flags 34 == MAP_PRIVATE|MAP_ANONYMOUS (no MAP_FIXED),
  // so the kernel is free to ignore the hint; the != addr comparison turns that case into a hard exit
  // rather than continuing with an unexpected mapping address.
  if ( mmap(addr, 0x1000uLL, 3, 34, -1, 0LL) != addr )
    exit(-1);
  return &addr[v3];
}
           

后面还是要补充一下堆的学习，目前还没有接触到。