Learning one-gadget

Aryb1n May 16, 2018

As we saw last time…

ary@ubuntu:~$ one_gadget libc32
constraints:
  esi is the GOT address of libc
  [esp+0x28] == NULL

This esi condition is something that has to be satisfiable…
And then I also noticed…
that the writeups online sometimes show

esi is the address of rw-p area of libc...

I can get this rw-p address by running cat /proc/xxxx/maps… but what do I do when solving a challenge…
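As an added example (not code from the original post or from the one_gadget project), here is a small parser for the /proc/&lt;pid&gt;/maps format that picks out libc's file-backed rw-p mapping, the region the "rw-p area of libc" constraint refers to. The sample maps lines are constructed and do not come from any real process.

```python
"""Parse /proc/<pid>/maps text and locate libc's rw-p mapping.

Added example, not part of the original post. It runs on the constructed
sample lines below rather than on a live process.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample of /proc/<pid>/maps for a 32-bit process (addresses and
# paths are made up). Format: start-end perms offset dev inode [path]
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 131093  /home/ary/demo
08049000-0804a000 r--p 00000000 08:01 131093  /home/ary/demo
0804a000-0804b000 rw-p 00001000 08:01 131093  /home/ary/demo
f7dd9000-f7f89000 r-xp 00000000 08:01 393346  /lib/i386-linux-gnu/libc.so.6
f7f89000-f7f8a000 ---p 001b0000 08:01 393346  /lib/i386-linux-gnu/libc.so.6
f7f8a000-f7f8c000 r--p 001b0000 08:01 393346  /lib/i386-linux-gnu/libc.so.6
f7f8c000-f7f8d000 rw-p 001b2000 08:01 393346  /lib/i386-linux-gnu/libc.so.6
f7f8d000-f7f90000 rw-p 00000000 00:00 0
ffd5f000-ffd80000 rw-p 00000000 00:00 0       [stack]
"""

# start-end, 4-char perms, offset, dev (ignored), inode (ignored), optional path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text: str) -> List[Tuple[int, int, str, int, str]]:
    """Return (start, end, perms, offset, path) for every well-formed maps line."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a maps line
        start, end, perms, off, path = m.groups()
        entries.append((int(start, 16), int(end, 16), perms, int(off, 16), path))
    return entries


def libc_rw_region(text: str) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the first rw-p mapping backed by a libc file.

    Only mappings whose path names libc qualify, so the anonymous rw-p
    region that follows libc's data segment (its .bss) is not returned.
    """
    for start, end, perms, _off, path in parse_maps(text):
        if perms == "rw-p" and "libc" in path:
            return start, end
    return None
```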

This article is by the author of the tool
https://david942j.blogspot.kr/2017/02/project-one-gadget-in-glibc.html

It says that in the 32-bit case using one_gadget is quite difficult…

all 32bit one-gadgets will have a constraint that certain register (usually ebx or esi) points to the GOT area in libc

Then there is another sentence…

This constraint seems really tough, since ebx and esi are callee safe in x86, which means their value will be pop-ed back before a routine returns. While in practice, the value of esi or edi is already be the desired value in main, which was set in __libc_start_main. So this constraint still possible to be satisfied.

What this means is… although ebx and esi are normally callee safe, that is, the context is always saved before a function call, something like that…
Then… inside __libc_start_main, ebx/esi get set to the values we want… so in that case… if one_gadget is used inside main, the condition should be guaranteed to hold

Oh, so that's how it is… then I'll overwrite the GOT entry of a function that is called directly in main

It might also work outside main… with some luck, in the functions I pass through… esi is never modified, or it gets restored when the stack frame is popped

OK… now I understand what this means
Next I'll go through the author's article again… it says symbolic execution is used