Asis CTF 2016 | b00ks
Back in May I noted that I should redo this challenge... and I'm only writing it up today.
Every protection is on except Canary, so the GOT can't be overwritten, and it's heap again; I'd bet it comes down to malloc_hook / free_hook.
Going to sleep once this one is done.
Let's get familiar with the functionality first:
Welcome to ASISCTF book library
Enter author name: ary
1. Create a book
2. Delete a book
3. Edit a book
4. Print book detail
5. Change current author name
6. Exit
> 1
Enter book name size: 3
Enter book name (Max 32 chars): ddd
Enter book description size: 4
Enter book description: eee
1. Create a book
2. Delete a book
3. Edit a book
4. Print book detail
5. Change current author name
6. Exit
> 4
ID: 1
Name: ddd
Description: eee
Author: ary
The function behind each menu option, worked out from the jump table (were the old challenges this quirky, or is it just because PIE is enabled?):
Create - sub_F55
Del - sub_BBD
Edit - sub_E17
Show_Detail - sub_D1F
Change_author - sub_B6D
struct b00ks {
    int id;              /* book ID, shown as "ID:" in the detail view */
    char *name;          /* heap buffer holding the book name */
    char *description;   /* heap buffer holding the description */
    int desc_size;       /* description size the user entered */
};
The readn function in this challenge has a null-byte off-by-one.
I'm still finding this challenge a bit of a struggle.
For the sake of a healthy sleep schedule I closed IDA without a second thought.
After finishing these few challenges... I'll go read Atum's slides.
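To make the bug class concrete, here is an added illustration of the null-byte off-by-one pattern, written for this post and not the challenge's actual readn: the assumed shape is a loop that reads up to n bytes into an n-byte buffer and then writes the terminating NUL at index n. Input comes from an in-memory byte string instead of stdin so it runs offline; the stray NUL lands on whatever sits right after the buffer, which on the heap is typically the next chunk's metadata.

```c
#include <stddef.h>
#include <string.h>

/* Vulnerable shape (assumed, constructed for this post): copies up to n
 * bytes, then NUL-terminates at dst[i]; when i == n that is one byte past
 * the end of an n-byte buffer. */
static size_t readn_vuln(char *dst, size_t n, const char *src, size_t srclen) {
    size_t i = 0;
    while (i < n && i < srclen && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';            /* off-by-one write when i == n */
    return i;
}

/* Hardened shape: reserve the last byte of the buffer for the NUL. */
static size_t readn_fixed(char *dst, size_t n, const char *src, size_t srclen) {
    size_t i = 0;
    if (n == 0) return 0;
    while (i < n - 1 && i < srclen && src[i] != '\n') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';            /* i <= n - 1, always inside the buffer */
    return i;
}

/* Emulates an 8-byte field followed by one byte of adjacent data (the
 * "sentinel") and reports that byte after a full 8-byte fill. */
static unsigned char sentinel_after(size_t (*reader)(char *, size_t, const char *, size_t)) {
    unsigned char blob[9];
    const char input[] = "AAAAAAAA";       /* constructed 8-byte input */
    memset(blob, 0xAA, sizeof blob);       /* sentinel starts as 0xAA */
    reader((char *)blob, 8, input, sizeof input - 1);
    return blob[8];
}

/* 0x00: the NUL clobbered the adjacent byte. */
unsigned char sentinel_after_vuln(void) { return sentinel_after(readn_vuln); }
/* 0xAA: the adjacent byte is untouched. */
unsigned char sentinel_after_fixed(void) { return sentinel_after(readn_fixed); }
```

Detection-wise, this is exactly the write that a heap sanitizer or a sized-buffer check flags: the terminator index must be bounded by n - 1, not n.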