{"id":174,"date":"2022-06-12T16:57:15","date_gmt":"2022-06-12T08:57:15","guid":{"rendered":"http:\/\/162.14.82.114\/?p=174"},"modified":"2022-06-12T17:16:45","modified_gmt":"2022-06-12T09:16:45","slug":"gdb%e8%b0%83%e8%af%95%e5%88%9d%e5%ad%a6","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/174\/06\/12\/2022\/","title":{"rendered":"gdb\u8c03\u8bd5\u521d\u5b66"},"content":{"rendered":"<h1>\u57fa\u7840\u547d\u4ee4<\/h1>\n<p>\u8ddf\u7740b\u7ad9<a href=\"https:\/\/www.bilibili.com\/video\/BV1mr4y1Y7fW?p=1&amp;vd_source=8981ead94b755f367ac539f6ccd37f77\">\u4f60\u60f3\u6709\u591aPWN(\u5f00\u59cb\u66f4\u65b0)<\/a>\u505a\u7684\u4e00\u70b9\u7b14\u8bb0\u3002<\/p>\n<h2>GCC<\/h2>\n<p>GCC \u7f16\u8bd1\u5de5\u5177\u94fe\u5728\u7f16\u8bd1\u4e00\u4e2aC\u6e90\u6587\u4ef6\u65f6\u9700\u8981\u7ecf\u8fc7\u4ee5\u4e0b 4 \u6b65\uff1a<\/p>\n<ul>\n<li>\u9884\u5904\u7406\uff1a\u4e3a\u628a\u5934\u6587\u4ef6\u7684\u4ee3\u7801\u3001\u5b8f\u4e4b\u7c7b\u7684\u5185\u5bb9\u8f6c\u6362\u6210\u751f\u6210\u7684.i\u6587\u4ef6\uff0c\u8fd8\u662fC\u4ee3\u7801\u3002<\/li>\n<li>\u7f16\u8bd1\uff1a\u628a\u9884\u5904\u7406\u540e\u7684.i\u6587\u4ef6\u901a\u8fc7\u7f16\u8bd1\u6210.s\u6587\u4ef6\uff0c\u6c47\u7f16\u8bed\u8a00\u3002<\/li>\n<li>\u6c47\u7f16\uff1a\u5c06\u6c47\u7f16\u8bed\u8a00\u6587\u4ef6\u751f\u6210\u76ee\u6807\u6587\u4ef6.o\u6587\u4ef6\uff0c\u673a\u5668\u7801\u3002<\/li>\n<li>\u94fe\u63a5\uff1a\u5c06\u6bcf\u4e2a\u6e90\u6587\u4ef6\u5bf9\u5e94\u7684.o\u6587\u4ef6\u94fe\u63a5\u8d77\u6765\uff0c\u5c31\u751f\u6210\u4e00\u4e2a\u53ef\u6267\u884c\u7a0b\u5e8f\u6587\u4ef6\u3002\n<ul>\n<li>\u52a8\u6001\u94fe\u63a5\uff1aGCC\u7f16\u8bd1\u65f6\u7684\u9ed8\u8ba4\u9009\u9879\u3002\u52a8\u6001\u662f\u6307\u5728\u5e94\u7528\u7a0b\u5e8f\u8fd0\u884c\u65f6\u624d\u53bb\u52a0\u8f7d\u5916\u90e8\u7684\u4ee3\u7801\u5e93\uff0c\u4e0d\u540c\u7684\u7a0b\u5e8f\u53ef\u4ee5\u5171\u7528\u4ee3\u7801\u5e93\u3002 
\u6240\u4ee5\u52a8\u6001\u94fe\u63a5\u751f\u6210\u7684\u7a0b\u5e8f\u6bd4\u8f83\u5c0f\uff0c\u5360\u7528\u8f83\u5c11\u7684\u5185\u5b58\u3002<\/li>\n<li>\u9759\u6001\u94fe\u63a5\uff1a\u94fe\u63a5\u65f6\u4f7f\u7528\u9009\u9879 \u201c--static\u201d\uff0c\u5b83\u5728\u7f16\u8bd1\u9636\u6bb5\u5c31\u4f1a\u628a\u6240\u6709\u7528\u5230\u7684\u5e93\u6253\u5305\u5230\u81ea\u5df1\u7684\u53ef\u6267\u884c\u7a0b\u5e8f\u4e2d\u3002 \u6240\u4ee5\u9759\u6001\u94fe\u63a5\u7684\u4f18\u70b9\u662f\u5177\u6709\u8f83\u597d\u7684\u517c\u5bb9\u6027\uff0c\u4e0d\u4f9d\u8d56\u5916\u90e8\u73af\u5883\uff0c\u4f46\u662f\u751f\u6210\u7684\u7a0b\u5e8f\u6bd4\u8f83\u5927\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">#\u9884\u5904\u7406\u8fc7\u7a0b\u4e2d\uff0c\u5bf9\u6e90\u4ee3\u7801\u6587\u4ef6\u4e2d\u7684\u6587\u4ef6\u5305\u542b (include)\u3001 \u9884\u7f16\u8bd1\u8bed\u53e5 (\u5982\u5b8f\u5b9a\u4e49define\u7b49)\u8fdb\u884c\u5c55\u5f00\uff0c\u751f\u6210 .i \u6587\u4ef6\u3002\ngcc -E hello.c -o hello.i\n#\u7f16\u8bd1\u9636\u6bb5\u628a\u9884\u5904\u7406\u540e\u7684.i\u6587\u4ef6\u901a\u8fc7\u7f16\u8bd1\u6210\u4e3a\u6c47\u7f16\u8bed\u8a00\uff0c\u751f\u6210.s\u6587\u4ef6\uff0c\u5373\u628a\u4ee3\u7801\u4eceC\u8bed\u8a00\u8f6c\u6362\u6210\u6c47\u7f16\u8bed\u8a00\uff0c\u8fd9\u662fGCC\u7f16\u8bd1\u5668\u5b8c\u6210\u7684\u5de5\u4f5c\u3002\ngcc -S hello.i -o hello.s\n#\u6c47\u7f16\u9636\u6bb5\u5c06\u6c47\u7f16\u8bed\u8a00\u6587\u4ef6\u7ecf\u8fc7\u6c47\u7f16\uff0c\u751f\u6210\u76ee\u6807\u6587\u4ef6.o\u6587\u4ef6\uff0c\u6bcf\u4e00\u4e2a\u6e90\u6587\u4ef6\u90fd\u5bf9\u5e94\u4e00\u4e2a\u76ee\u6807\u6587\u4ef6\u3002\u5373\u628a\u6c47\u7f16\u8bed\u8a00\u7684\u4ee3\u7801\u8f6c\u6362\u6210\u673a\u5668\u7801\uff0c\u8fd9\u662fas\u6c47\u7f16\u5668\u5b8c\u6210\u7684\u5de5\u4f5c\u3002\ngcc -c hello.s -o 
hello.o\n#\u94fe\u63a5\u9636\u6bb5\u5c06\u6bcf\u4e2a\u6e90\u6587\u4ef6\u5bf9\u5e94\u7684\u76ee\u6807.o\u6587\u4ef6\u94fe\u63a5\u8d77\u6765\uff0c\u5c31\u751f\u6210\u4e00\u4e2a\u53ef\u6267\u884c\u7a0b\u5e8f\u6587\u4ef6\uff0c\u8fd9\u662f\u94fe\u63a5\u5668ld\u5b8c\u6210\u7684\u5de5\u4f5c\u3002\ngcc hello.o -o hello\nNX\uff1a-z execstack \/ -z noexecstack (\u5173\u95ed \/ \u5f00\u542f)    #\u4e0d\u8ba9\u6267\u884c\u6808\u4e0a\u7684\u6570\u636e\uff0c\u4e8e\u662fJMP ESP\u5c31\u4e0d\u80fd\u7528\u4e86\nCanary\uff1a-fno-stack-protector \/-fstack-protector \/ -fstack-protector-all #(\u5173\u95ed \/ \u5f00\u542f \/ \u5168\u5f00\u542f)  \u6808\u91cc\u63d2\u5165cookie\u4fe1\u606f\nPIE\uff1a-no-pie \/ -pie      #(\u5173\u95ed \/ \u5f00\u542f)   \u5730\u5740\u968f\u673a\u5316\uff0c\u53e6\u5916\u6253\u5f00\u540e\u4f1a\u6709get_pc_thunk\nRELRO\uff1a-z norelro \/ -z lazy \/ -z now #(\u5173\u95ed \/ \u90e8\u5206\u5f00\u542f \/ \u5b8c\u5168\u5f00\u542f)  \u63a7\u5236GOT\u8868\u662f\u5426\u53ef\u5199\uff0c\u5b8c\u5168\u5f00\u542f\u540eGOT\u8868\u53ea\u8bfb<\/code><\/pre>\n<h2>file<\/h2>\n<p>\u7528\u4e8e\u8fa8\u8bc6\u6587\u4ef6\u7c7b\u578b\uff1a<\/p>\n<pre><code class=\"language-bash\">file [-bcLvz][-f &lt;\u540d\u79f0\u6587\u4ef6&gt;][-m &lt;\u9b54\u6cd5\u6570\u5b57\u6587\u4ef6&gt;...][\u6587\u4ef6\u6216\u76ee\u5f55...]\n-b \u3000\u5217\u51fa\u8fa8\u8bc6\u7ed3\u679c\u65f6\uff0c\u4e0d\u663e\u793a\u6587\u4ef6\u540d\u79f0\u3002\n-c \u3000\u8be6\u7ec6\u663e\u793a\u6307\u4ee4\u6267\u884c\u8fc7\u7a0b\uff0c\u4fbf\u4e8e\u6392\u9519\u6216\u5206\u6790\u7a0b\u5e8f\u6267\u884c\u7684\u60c5\u5f62\u3002\n-f   &lt;\u540d\u79f0\u6587\u4ef6&gt; \u3000\u6307\u5b9a\u540d\u79f0\u6587\u4ef6\uff0c\u5176\u5185\u5bb9\u6709\u4e00\u4e2a\u6216\u591a\u4e2a\u6587\u4ef6\u540d\u79f0\u65f6\uff0c\u8ba9file\u4f9d\u5e8f\u8fa8\u8bc6\u8fd9\u4e9b\u6587\u4ef6\uff0c\u683c\u5f0f\u4e3a\u6bcf\u5217\u4e00\u4e2a\u6587\u4ef6\u540d\u79f0\u3002\n-L \u3000\u76f4\u63a5\u663e\u793a\u7b26\u53f7\u8fde\u63a5\u6240\u6307\u5411\u7684\u6587\u4ef6\u7684\u7c7b\u522b\u3002\n-m   
&lt;\u9b54\u6cd5\u6570\u5b57\u6587\u4ef6&gt; \u3000\u6307\u5b9a\u9b54\u6cd5\u6570\u5b57\u6587\u4ef6\u3002\n-v \u3000\u663e\u793a\u7248\u672c\u4fe1\u606f\u3002\n-z \u3000\u5c1d\u8bd5\u53bb\u89e3\u8bfb\u538b\u7f29\u6587\u4ef6\u7684\u5185\u5bb9\u3002\n[\u6587\u4ef6\u6216\u76ee\u5f55...] \u8981\u786e\u5b9a\u7c7b\u578b\u7684\u6587\u4ef6\u5217\u8868\uff0c\u591a\u4e2a\u6587\u4ef6\u4e4b\u95f4\u4f7f\u7528\u7a7a\u683c\u5206\u5f00\uff0c\u53ef\u4ee5\u4f7f\u7528shell\u901a\u914d\u7b26\u5339\u914d\u591a\u4e2a\u6587\u4ef6\u3002<\/code><\/pre>\n<h2>ldd<\/h2>\n<p>\u5728linux\u4e2d\uff0c ldd\u662flist, dynamic, dependencies\u7684\u7f29\u5199\uff0c \u610f\u601d\u662f\uff0c \u5217\u51fa\u52a8\u6001\u5e93\u4f9d\u8d56\u5173\u7cfb\u3002<\/p>\n<pre><code class=\"language-bash\">ldd(\u9009\u9879)(\u53c2\u6570)\n--version   \u6253\u5370\u6307\u4ee4\u7248\u672c\u53f7\uff1b\n-v          \u8be6\u7ec6\u4fe1\u606f\u6a21\u5f0f\uff0c\u6253\u5370\u6240\u6709\u76f8\u5173\u4fe1\u606f\uff1b\n-u          \u6253\u5370\u672a\u4f7f\u7528\u7684\u76f4\u63a5\u4f9d\u8d56\uff1b\n-d          \u6267\u884c\u91cd\u5b9a\u4f4d\u548c\u62a5\u544a\u4efb\u4f55\u4e22\u5931\u7684\u5bf9\u8c61\uff1b\n-r          \u6267\u884c\u6570\u636e\u5bf9\u8c61\u548c\u51fd\u6570\u7684\u91cd\u5b9a\u4f4d\uff0c\u5e76\u4e14\u62a5\u544a\u4efb\u4f55\u4e22\u5931\u7684\u5bf9\u8c61\u548c\u51fd\u6570\uff1b\n--help      
\u663e\u793a\u5e2e\u52a9\u4fe1\u606f\u3002<\/code><\/pre>\n<p>\u539f\u7406\uff1a<\/p>\n<p>ldd\u4e0d\u662f\u4e00\u4e2a\u53ef\u6267\u884c\u7a0b\u5e8f\uff0c\u800c\u53ea\u662f\u4e00\u4e2ashell\u811a\u672c\u3002<\/p>\n<p>ldd\u80fd\u591f\u663e\u793a\u53ef\u6267\u884c\u6a21\u5757\u7684dependency\uff0c\u5176\u539f\u7406\u662f\u901a\u8fc7\u8bbe\u7f6e\u4e00\u7cfb\u5217\u7684\u73af\u5883\u53d8\u91cf\u3002<\/p>\n<p>ldd\u663e\u793a\u53ef\u6267\u884c\u6a21\u5757\u7684dependency\u7684\u5de5\u4f5c\u539f\u7406\uff0c\u5176\u5b9e\u8d28\u662f\u901a\u8fc7ld-linux.so\uff08elf\u52a8\u6001\u5e93\u7684\u88c5\u8f7d\u5668\uff09\u6765\u5b9e\u73b0\u7684\u3002\u6211\u4eec\u77e5\u9053\uff0cld- linux.so\u6a21\u5757\u4f1a\u5148\u4e8eexecutable\u6a21\u5757\u7a0b\u5e8f\u5de5\u4f5c\uff0c\u5e76\u83b7\u5f97\u63a7\u5236\u6743\uff0c\u56e0\u6b64\u5f53\u4e0a\u8ff0\u7684\u90a3\u4e9b\u73af\u5883\u53d8\u91cf\u88ab\u8bbe\u7f6e\u65f6\uff0cld-linux.so\u9009\u62e9\u4e86\u663e\u793a\u53ef\u6267\u884c\u6a21\u5757\u7684dependency\u3002<\/p>\n<p>\u5b9e\u9645\u4e0a\u53ef\u4ee5\u76f4\u63a5\u6267\u884cld-linux.so\u6a21\u5757\uff0c\u5982\uff1a\/lib\/ld-linux.so.2 --list program\uff08\u8fd9\u76f8\u5f53\u4e8eldd program\uff09<\/p>\n<h2>nm<\/h2>\n<p>nm\u547d\u4ee4\u662flinux\u4e0b\u81ea\u5e26\u7684<strong>\u7279\u5b9a\u6587\u4ef6\u5206\u6790\u5de5\u5177<\/strong>\uff0c\u4e00\u822c\u7528\u6765\u68c0\u67e5\u5206\u6790\u4e8c\u8fdb\u5236\u6587\u4ef6\u3001\u5e93\u6587\u4ef6\u3001\u53ef\u6267\u884c\u6587\u4ef6\u4e2d\u7684\u7b26\u53f7\u8868\uff0c\u8fd4\u56de\u4e8c\u8fdb\u5236\u6587\u4ef6\u4e2d\u5404\u6bb5\u7684\u4fe1\u606f\u3002<\/p>\n<pre><code class=\"language-bash\">nm [-option]\n-A      \u6bcf\u4e2a\u7b26\u53f7\u524d\u663e\u793a\u6587\u4ef6\u540d\n-D      \u663e\u793a\u52a8\u6001\u7b26\u53f7\n-g      \u4ec5\u663e\u793a\u5916\u90e8\u7b26\u53f7\n-r      
\u53cd\u5e8f\u663e\u793a\u7b26\u53f7\u8868<\/code><\/pre>\n<h2>hexdump<\/h2>\n<p>hexdump\u662fLinux\u4e0b\u7684\u4e00\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6\u67e5\u770b\u5de5\u5177\uff0c\u5b83\u53ef\u4ee5\u5c06\u4e8c\u8fdb\u5236\u6587\u4ef6\u8f6c\u6362\u4e3aASCII\u3001\u516b\u8fdb\u5236\u3001\u5341\u8fdb\u5236\u3001\u5341\u516d\u8fdb\u5236\u683c\u5f0f\u8fdb\u884c\u67e5\u770b\u3002<\/p>\n<pre><code class=\"language-bash\">hexdump: [-bcCdovx] [-e fmt] [-f fmt_file] [-n length] [-s skip] [file ...]\n-n length           \u53ea\u683c\u5f0f\u5316\u8f93\u5165\u6587\u4ef6\u7684\u524dlength\u4e2a\u5b57\u8282\u3002\n-C                  \u8f93\u51fa\u89c4\u8303\u7684\u5341\u516d\u8fdb\u5236\u548cASCII\u7801\u3002\n-b                  \u5355\u5b57\u8282\u516b\u8fdb\u5236\u663e\u793a\u3002\n-c                  \u5355\u5b57\u8282\u5b57\u7b26\u663e\u793a\u3002\n-d                  \u53cc\u5b57\u8282\u5341\u8fdb\u5236\u663e\u793a\u3002\n-o                  \u53cc\u5b57\u8282\u516b\u8fdb\u5236\u663e\u793a\u3002\n-x                  \u53cc\u5b57\u8282\u5341\u516d\u8fdb\u5236\u663e\u793a\u3002\n-s                  \u4ece\u504f\u79fb\u91cf\u5f00\u59cb\u8f93\u51fa\u3002<\/code><\/pre>\n<h2>objdump<\/h2>\n<p>objdump\u547d\u4ee4\u662fLinux\u4e0b\u7684\u53cd\u6c47\u7f16\u76ee\u6807\u6587\u4ef6\u6216\u8005\u53ef\u6267\u884c\u6587\u4ef6\u7684\u547d\u4ee4<\/p>\n<pre><code class=\"language-bash\">objdump [option] [file]\n-f              \u663e\u793a\u6587\u4ef6\u5934\u4fe1\u606f\n-d              \u5c06\u4ee3\u7801\u6bb5\u53cd\u6c47\u7f16\n-S              \u5c06\u4ee3\u7801\u6bb5\u53cd\u6c47\u7f16\u7684\u540c\u65f6\uff0c\u5c06\u53cd\u6c47\u7f16\u4ee3\u7801\u4e0e\u6e90\u4ee3\u7801\u4ea4\u66ff\u663e\u793a\uff0c\u7f16\u8bd1\u65f6\u9700\u8981\u4f7f\u7528-g\u53c2\u6570\uff0c\u5373\u9700\u8981\u8c03\u8bd5\u4fe1\u606f\uff1b\n-C              \u5c06C++\u7b26\u53f7\u540d\u9006\u5411\u89e3\u6790\n-l              \u53cd\u6c47\u7f16\u4ee3\u7801\u4e2d\u63d2\u5165\u6587\u4ef6\u540d\u548c\u884c\u53f7\n-j section 
     \u4ec5\u53cd\u6c47\u7f16\u6307\u5b9a\u7684section\n-M intel        \u4ee5intel\u7684\u6c47\u7f16\u5f62\u5f0f\u5448\u73b0\uff0c\u9ed8\u8ba4\u662fAT&amp;T<\/code><\/pre>\n<h2>readelf<\/h2>\n<p>readelf\u547d\u4ee4\uff0c\u4e00\u822c\u7528\u4e8e\u67e5\u770bELF\u683c\u5f0f\u7684\u6587\u4ef6\u4fe1\u606f\uff0c\u5e38\u89c1\u7684\u6587\u4ef6\u5982\u5728Linux\u4e0a\u7684\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u52a8\u6001\u5e93(*.so)\u6216\u8005\u9759\u6001\u5e93(*.a) \u7b49\u5305\u542bELF\u683c\u5f0f\u7684\u6587\u4ef6\u3002<\/p>\n<pre><code class=\"language-bash\">readelf (option)(file)\n-a          all \u663e\u793a\u5168\u90e8\u4fe1\u606f\n-h          (elf header)\uff0c\u663e\u793aelf\u6587\u4ef6\u5f00\u59cb\u7684\u6587\u4ef6\u5934\u4fe1\u606f\u3002\n-l          (program headers),segments \u663e\u793a\u7a0b\u5e8f\u5934\uff08\u6bb5\u5934\uff09\u4fe1\u606f(\u5982\u679c\u6709\u6570\u636e\u7684\u8bdd)\u3002\n-S          (section headers),sections \u663e\u793a\u8282\u5934\u4fe1\u606f(\u5982\u679c\u6709\u6570\u636e\u7684\u8bdd)\u3002\n-g          (section groups),\u663e\u793a\u8282\u7ec4\u4fe1\u606f(\u5982\u679c\u6709\u6570\u636e\u7684\u8bdd)\u3002\n-s          (symbols) \u663e\u793a\u7b26\u53f7\u8868\u6bb5\u4e2d\u7684\u9879\uff08\u5982\u679c\u6709\u6570\u636e\u7684\u8bdd\uff09\u3002\n-e          headers \u663e\u793a\u5168\u90e8\u5934\u4fe1\u606f\uff0c\u7b49\u4ef7\u4e8e: -h -l -S \u3002\n-r          relocs \u663e\u793a\u53ef\u91cd\u5b9a\u4f4d\u6bb5\u7684\u4fe1\u606f\u3002\n-d          dynamic \u663e\u793a\u52a8\u6001\u6bb5\u7684\u4fe1\u606f\u3002\n-V          version-info \u663e\u793a\u7248\u672c\u6bb5\u7684\u4fe1\u606f\u3002<\/code><\/pre>\n<h2>ROPgadget<\/h2>\n<p>\u67e5\u627e\u6587\u4ef6\u4e2d\u4e00\u4e9b\u9700\u8981\u7684<code>\u6307\u4ee4<\/code>\u548c<code>\u5b57\u7b26\u4e32<\/code>\u7b49\u3002<\/p>\n<pre><code class=\"language-bash\">ROPgadget --binary \u6587\u4ef6\u540d --only &quot;pop|ret&quot; | grep rdi\nROPgadget --binary \u6587\u4ef6\u540d --only &quot;pop|ret&quot; 
| grep rsi\nROPgadget --binary \u6587\u4ef6\u540d --only &quot;pop|ret&quot;\nROPgadget --binary \u6587\u4ef6\u540d --sting &#039;\/bin\/sh&#039;\nROPgadget --binary \u6587\u4ef6\u540d --sting &#039;cat flag.txt&#039;\nROPgadget --binary \u6587\u4ef6\u540d --sting &#039;cat flag&#039;\nROPgadget --binary \u6587\u4ef6\u540d --sting &#039;sh&#039;\nROPgadget --binary \u6587\u4ef6\u540d --sting &#039;\/sh&#039;<\/code><\/pre>\n<h1>gdb\u8c03\u8bd5<\/h1>\n<p>GDB \u5168\u79f0\u201cGNU symbolic debugger\u201d\u662f Linux \u4e0b\u5e38\u7528\u7684\u7a0b\u5e8f\u8c03\u8bd5\u5668\u3002\u53d1\u5c55\u81f3\u4eca\uff0cGDB \u5df2\u7ecf\u8fed\u4ee3\u4e86\u8bf8\u591a\u4e2a\u7248\u672c\uff0c\u5f53\u4e0b\u7684 GDB \u652f\u6301\u8c03\u8bd5\u591a\u79cd\u7f16\u7a0b\u8bed\u8a00\u7f16\u5199\u7684\u7a0b\u5e8f\uff0c\u5305\u62ec C\u3001C++\u3001Go\u3001Objective-C\u3001OpenCL\u3001Ada \u7b49\u3002\u5b9e\u9645\u573a\u666f\u4e2d\uff0cGDB \u66f4\u5e38\u7528\u6765\u8c03\u8bd5 C \u548c C++ \u7a0b\u5e8f\u3002<\/p>\n<h2>\u5e38\u7528\u547d\u4ee4<\/h2>\n<table>\n<thead>\n<tr>\n<th>\u547d\u4ee4\u540d\u79f0<\/th>\n<th>\u547d\u4ee4\u7f29\u5199<\/th>\n<th>\u547d\u4ee4\u8bf4\u660e<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>run<\/td>\n<td>r<\/td>\n<td>\u8fd0\u884c\u4e00\u4e2a\u5f85\u8c03\u8bd5\u7684\u7a0b\u5e8f<\/td>\n<\/tr>\n<tr>\n<td>continue<\/td>\n<td>c<\/td>\n<td>\u8ba9\u6682\u505c\u7684\u7a0b\u5e8f\u7ee7\u7eed\u8fd0\u884c<\/td>\n<\/tr>\n<tr>\n<td>next<\/td>\n<td>n<\/td>\n<td>\u8fd0\u884c\u5230\u4e0b\u4e00\u884c<\/td>\n<\/tr>\n<tr>\n<td>step<\/td>\n<td>s<\/td>\n<td>\u5355\u6b65\u6267\u884c\uff0c\u9047\u5230\u51fd\u6570\u4f1a\u8fdb\u5165<\/td>\n<\/tr>\n<tr>\n<td>until<\/td>\n<td>u<\/td>\n<td>\u8fd0\u884c\u5230\u6307\u5b9a\u884c\u505c\u4e0b\u6765<\/td>\n<\/tr>\n<tr>\n<td>finish<\/td>\n<td>fi<\/td>\n<td>\u7ed3\u675f\u5f53\u524d\u8c03\u7528\u51fd\u6570\uff0c\u56de\u5230\u4e0a\u4e00\u5c42\u8c03\u7528\u51fd\u6570\u5904<\/td>\n<\/tr>\n<tr>\n<td>return<\/td>\n<td>return<\/td>\n<td>\u7ed3\u675f\u5f53\u524d\u8c0
3\u7528\u51fd\u6570\u5e76\u8fd4\u56de\u6307\u5b9a\u503c\uff0c\u5230\u4e0a\u4e00\u5c42\u51fd\u6570\u8c03\u7528\u5904<\/td>\n<\/tr>\n<tr>\n<td>jump<\/td>\n<td>j<\/td>\n<td>\u5c06\u5f53\u524d\u7a0b\u5e8f\u6267\u884c\u6d41\u8df3\u8f6c\u5230\u6307\u5b9a\u884c\u6216\u5730\u5740<\/td>\n<\/tr>\n<tr>\n<td>print<\/td>\n<td>p<\/td>\n<td>\u6253\u5370\u53d8\u91cf\u6216\u5bc4\u5b58\u5668\u503c<\/td>\n<\/tr>\n<tr>\n<td>backtrace<\/td>\n<td>bt<\/td>\n<td>\u67e5\u770b\u5f53\u524d\u7ebf\u7a0b\u7684\u8c03\u7528\u5806\u6808<\/td>\n<\/tr>\n<tr>\n<td>frame<\/td>\n<td>f<\/td>\n<td>\u5207\u6362\u5230\u5f53\u524d\u8c03\u7528\u7ebf\u7a0b\u7684\u6307\u5b9a\u5806\u6808<\/td>\n<\/tr>\n<tr>\n<td>thread<\/td>\n<td>thread<\/td>\n<td>\u5207\u6362\u5230\u6307\u5b9a\u7ebf\u7a0b<\/td>\n<\/tr>\n<tr>\n<td>break<\/td>\n<td>b<\/td>\n<td>\u6dfb\u52a0\u65ad\u70b9<\/td>\n<\/tr>\n<tr>\n<td>tbreak<\/td>\n<td>tb<\/td>\n<td>\u6dfb\u52a0\u4e34\u65f6\u65ad\u70b9<\/td>\n<\/tr>\n<tr>\n<td>delete<\/td>\n<td>d<\/td>\n<td>\u5220\u9664\u65ad\u70b9<\/td>\n<\/tr>\n<tr>\n<td>enable<\/td>\n<td>enable<\/td>\n<td>\u542f\u7528\u67d0\u4e2a\u65ad\u70b9<\/td>\n<\/tr>\n<tr>\n<td>disable<\/td>\n<td>disable<\/td>\n<td>\u7981\u7528\u67d0\u4e2a\u65ad\u70b9<\/td>\n<\/tr>\n<tr>\n<td>watch<\/td>\n<td>watch<\/td>\n<td>\u76d1\u89c6\u67d0\u4e00\u4e2a\u53d8\u91cf\u6216\u5185\u5b58\u5730\u5740\u7684\u503c\u662f\u5426\u53d1\u751f\u53d8\u5316<\/td>\n<\/tr>\n<tr>\n<td>list<\/td>\n<td>l<\/td>\n<td>\u663e\u793a\u6e90\u7801<\/td>\n<\/tr>\n<tr>\n<td>info<\/td>\n<td>i<\/td>\n<td>\u67e5\u770b\u65ad\u70b9 \/ \u7ebf\u7a0b\u7b49\u4fe1\u606f<\/td>\n<\/tr>\n<tr>\n<td>ptype<\/td>\n<td>ptype<\/td>\n<td>\u67e5\u770b\u53d8\u91cf\u7c7b\u578b<\/td>\n<\/tr>\n<tr>\n<td>disassemble<\/td>\n<td>dis<\/td>\n<td>\u67e5\u770b\u6c47\u7f16\u4ee3\u7801<\/td>\n<\/tr>\n<tr>\n<td>set args<\/td>\n<td>set args<\/td>\n<td>\u8bbe\u7f6e\u7a0b\u5e8f\u542f\u52a8\u547d\u4ee4\u884c\u53c2\u6570<\/td>\n<\/tr>\n<tr>\n<td>show args<\/td>\n<td>show 
args<\/td>\n<td>\u67e5\u770b\u8bbe\u7f6e\u7684\u547d\u4ee4\u884c\u53c2\u6570<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>gdb .\/<\/h2>\n<pre><code class=\"language-bash\">gdb .\/[\u7a0b\u5e8f\u540d] \ngdb .\/a\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/a...(no debugging symbols found)...done.<\/code><\/pre>\n<blockquote>\n<p>\u6ca1\u8f93\u5165\u72b6\u6001\u4e0b Tab \u53ef\u4ee5\u67e5\u770b\u6240\u6709\u547d\u4ee4<\/p>\n<\/blockquote>\n<h2>run<\/h2>\n<pre><code class=\"language-bash\">(gdb) run\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a\ninput:\nabc\nabc[Inferior 1 (process 39) exited normally]<\/code><\/pre>\n<h2>start<\/h2>\n<pre><code class=\"language-bash\">(gdb) start\nTemporary breakpoint 1 at 0x555555400912\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a\nTemporary breakpoint 1, 0x0000555555400912 in main ()<\/code><\/pre>\n<h2>i r<\/h2>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202206121658279.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202206121658279.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220611152539032\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-assembly\">(gdb) i r\nrax            0x55555540090e   93824990841102\nrbx            0x0      0\nrcx            0x5555554009a0   93824990841248\nrdx            0x7fffffffdcd8   140737488346328\nrsi            0x7fffffffdcc8   140737488346312\nrdi            0x1      1\nrbp            0x7fffffffdbe0   0x7fffffffdbe0\nrsp            0x7fffffffdbe0   0x7fffffffdbe0\nr8             0x7ffff7dced80   140737351839104\nr9             0x7ffff7dced80   140737351839104\nr10            0x2      2\nr11            0xf      15\nr12            0x555555400780   93824990840704\nr13            0x7fffffffdcc0   140737488346304\nr14            0x0      0\nr15            0x0      0\nrip            0x555555400912   0x555555400912 &lt;main+4&gt;\neflags         0x246    [ PF ZF IF ]\ncs             0x33     51\nss             0x2b     43\nds             0x0      0\nes             0x0      0\nfs             0x0      0\ngs             0x0      0<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202206121658281.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202206121658281.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220610195551065\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>disassemble $rip<\/h2>\n<pre><code class=\"language-assembly\">(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   %rbp\n   0x000055555540090f &lt;+1&gt;:     mov    %rsp,%rbp\n=&gt; 0x0000555555400912 &lt;+4&gt;:     sub    $0x20,%rsp\n   0x0000555555400916 &lt;+8&gt;:     mov    %fs:0x28,%rax\n   0x000055555540091f &lt;+17&gt;:    mov    %rax,-0x8(%rbp)\n   0x0000555555400923 &lt;+21&gt;:    xor    %eax,%eax\n   0x0000555555400925 &lt;+23&gt;:    movq   $0x0,-0x18(%rbp)\n   0x000055555540092d &lt;+31&gt;:    movq   $0x0,-0x10(%rbp)\n   0x0000555555400935 &lt;+39&gt;:    lea    0xe8(%rip),%rdi        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    callq  0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    -0x18(%rbp),%rax\n   0x0000555555400945 &lt;+55&gt;:    mov    %rax,%rdi\n   0x0000555555400948 &lt;+58&gt;:    mov    $0x0,%eax\n   0x000055555540094d &lt;+63&gt;:    callq  0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    -0x18(%rbp),%rax\n   0x0000555555400956 &lt;+72&gt;:    mov    %rax,%rdi\n   0x0000555555400959 &lt;+75&gt;:    mov    $0x0,%eax\n   0x000055555540095e &lt;+80&gt;:    callq  0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzbl -0x10(%rbp),%eax\n   0x0000555555400967 &lt;+89&gt;:    cmp    $0x61,%al\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    0x20069e(%rip),%rdi        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   callq  0x5555554008ef 
&lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    $0x0,%eax\n   0x000055555540097c &lt;+110&gt;:   mov    -0x8(%rbp),%rdx\n   0x0000555555400980 &lt;+114&gt;:   xor    %fs:0x28,%rdx\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   callq  0x555555400720 &lt;__stack_chk_fail@plt&gt;\n---Type &lt;return&gt; to continue, or q &lt;return&gt; to quit---\u3001\n#\u8f6c\u6362\u6210intel\u6c47\u7f16\u683c\u5f0f\uff1a\n(gdb) set disassembly-flavor intel\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n=&gt; 0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    
rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;<\/code><\/pre>\n<h2>b *\uff0ci b\uff0cr\uff0cd<\/h2>\n<pre><code class=\"language-assembly\">(gdb) b *0x0000555555400916\nBreakpoint 3 at 0x555555400916\n(gdb) i b\nNum     Type           Disp Enb Address            What\n3       breakpoint     keep y   0x0000555555400916 &lt;main+8&gt;\n(gdb) r\nThe program being debugged has been started already.\nStart it from the beginning? (y or n) y\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a\n\nBreakpoint 3, 0x0000555555400916 in main ()\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n   0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n=&gt; 0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 
&lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n(gdb) d 3\n(gdb) i b\nNo breakpoints or watchpoints.<\/code><\/pre>\n<h2>disable enable<\/h2>\n<pre><code class=\"language-assembly\">(gdb) b *0x0000555555400916\nBreakpoint 2 at 0x555555400916\n(gdb) i b\nNum     Type           Disp Enb Address            What\n2       breakpoint     keep y   0x0000555555400916 &lt;main+8&gt;\n(gdb) disable b 2\n(gdb) i b\nNum     Type           Disp Enb Address            What\n2       breakpoint     keep n   0x0000555555400916 &lt;main+8&gt;\n(gdb) enable b 2\n(gdb) i b\nNum     Type           Disp Enb Address            What\n2       breakpoint     keep y   0x0000555555400916 &lt;main+8&gt;<\/code><\/pre>\n<h2>ni si finish<\/h2>\n<pre><code class=\"language-assembly\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gdb .\/a\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute 
it.\nThere is NO WARRANTY, to the extent permitted by law.  Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/a...(no debugging symbols found)...done.\n(gdb) start\nTemporary breakpoint 1 at 0x912\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a\n\nTemporary breakpoint 1, 0x0000555555400912 in main ()\n(gdb) disassble $rip\nUndefined command: &quot;disassble&quot;.  Try &quot;help&quot;.\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n=&gt; 0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    
mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n---Type &lt;return&gt; to continue, or q &lt;return&gt; to quit---\n   0x0000555555400990 &lt;+130&gt;:   leave\n   0x0000555555400991 &lt;+131&gt;:   ret\nEnd of assembler dump.\n(gdb) b *0x000055555540093c\nBreakpoint 2 at 0x55555540093c\n(gdb) start\nThe program being debugged has been started already.\nStart it from the beginning? 
(y or n) y\nTemporary breakpoint 3 at 0x555555400912\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a\n\nTemporary breakpoint 3, 0x0000555555400912 in main ()\n(gdb) c\nContinuing.\n\nBreakpoint 2, 0x000055555540093c in main ()\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n   0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n=&gt; 0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 
&lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n---Type &lt;return&gt; to continue, or q &lt;return&gt; to quit---q\nQuit\n(gdb) ni\ninput:\n0x0000555555400941 in main ()\n(gdb) start\nThe program being debugged has been started already.\nStart it from the beginning? (y or n) y\nTemporary breakpoint 4 at 0x555555400912\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a\n\nTemporary breakpoint 4, 0x0000555555400912 in main ()\n(gdb) c\nContinuing.\n\nBreakpoint 2, 0x000055555540093c in main ()\n(gdb) si\n0x0000555555400710 in puts@plt ()\n(gdb) disassemble $rip\nDump of assembler code for function puts@plt:\n=&gt; 0x0000555555400710 &lt;+0&gt;:     jmp    QWORD PTR [rip+0x200892]        # 0x555555600fa8\n   0x0000555555400716 &lt;+6&gt;:     push   0x0\n   0x000055555540071b &lt;+11&gt;:    jmp    0x555555400700\nEnd of assembler dump.\n(gdb) finish\nRun till exit from #0  0x0000555555400710 in puts@plt ()\ninput:\n0x0000555555400941 in main ()\n(gdb) disassemble  $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n   0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n=&gt; 0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   
0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n---Type &lt;return&gt; to continue, or q &lt;return&gt; to quit---\n   0x0000555555400990 &lt;+130&gt;:   leave\n   0x0000555555400991 &lt;+131&gt;:   ret\nEnd of assembler dump.<\/code><\/pre>\n<h1>\u5c0f\u77e5\u8bc6\u70b9<\/h1>\n<h2>BYTE WORD DWORD QWORD<\/h2>\n<blockquote>\n<p>BYTE      8<\/p>\n<p>WORD   16<\/p>\n<p>DWORD   32<\/p>\n<p>QWORD   64<\/p>\n<\/blockquote>\n<h2>print  x\/  set<\/h2>\n<pre><code class=\"language-assembly\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gdb .\/a\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  
Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/a...(no debugging symbols found)...done.\n(gdb) start\nTemporary breakpoint 1 at 0x912\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a\n\nTemporary breakpoint 1, 0x0000555555400912 in main ()\n(gdb) i r\nrax            0x55555540090e   93824990841102\nrbx            0x0      0\nrcx            0x5555554009a0   93824990841248\nrdx            0x7fffffffdcd8   140737488346328\nrsi            0x7fffffffdcc8   140737488346312\nrdi            0x1      1\nrbp            0x7fffffffdbe0   0x7fffffffdbe0\nrsp            0x7fffffffdbe0   0x7fffffffdbe0\nr8             0x7ffff7dced80   140737351839104\nr9             0x7ffff7dced80   140737351839104\nr10            0x2      2\nr11            0xf      15\nr12            0x555555400780   93824990840704\nr13            0x7fffffffdcc0   140737488346304\nr14            0x0      0\nr15            0x0      0\nrip            0x555555400912   0x555555400912 &lt;main+4&gt;\neflags         0x246    [ PF ZF IF ]\ncs             0x33     51\nss             0x2b     43\nds             0x0      0\nes             0x0      0\nfs             0x0      0\ngs             0x0      0\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n=&gt; 0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR 
fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n   0x0000555555400990 &lt;+130&gt;:   leave\n   0x0000555555400991 &lt;+131&gt;:   ret\nEnd of assembler dump.\n(gdb) b *0x0000555555400963\nBreakpoint 2 at 0x555555400963\n(gdb) c\nContinuing.\ninput:\naaaaa\n\nBreakpoint 2, 0x0000555555400963 in main ()\n(gdb) x\/20i $rip\n=&gt; 0x555555400963 &lt;main+85&gt;:    movzx  
eax,BYTE PTR [rbp-0x10]\n   0x555555400967 &lt;main+89&gt;:    cmp    al,0x61\n   0x555555400969 &lt;main+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x55555540096b &lt;main+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x555555400972 &lt;main+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x555555400977 &lt;main+105&gt;:   mov    eax,0x0\n   0x55555540097c &lt;main+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x555555400980 &lt;main+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x555555400989 &lt;main+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x55555540098b &lt;main+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n   0x555555400990 &lt;main+130&gt;:   leave\n   0x555555400991 &lt;main+131&gt;:   ret\n   0x555555400992:      nop    WORD PTR cs:[rax+rax*1+0x0]\n   0x55555540099c:      nop    DWORD PTR [rax+0x0]\n   0x5555554009a0 &lt;__libc_csu_init&gt;:    push   r15\n   0x5555554009a2 &lt;__libc_csu_init+2&gt;:  push   r14\n   0x5555554009a4 &lt;__libc_csu_init+4&gt;:  mov    r15,rdx\n   0x5555554009a7 &lt;__libc_csu_init+7&gt;:  push   r13\n   0x5555554009a9 &lt;__libc_csu_init+9&gt;:  push   r12\n   0x5555554009ab &lt;__libc_csu_init+11&gt;: lea    r12,[rip+0x2003de]        # 0x555555600d90\n(gdb) x\/20b $rbp-0x10\n0x7fffffffdbd0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00\n0x7fffffffdbd8: 0x00    0xcb    0x22    0xba    0x58    0x60    0xea    0x40\n0x7fffffffdbe0: 0xa0    0x09    0x40    0x55\n(gdb) set *0x7fffffffdbd0=0x61\n(gdb) i r\nrax            0x5      5\nrbx            0x0      0\nrcx            0x0      0\nrdx            0x0      0\nrsi            0x61616161       1633771873\nrdi            0x555555602260   93824992944736\nrbp            0x7fffffffdbe0   0x7fffffffdbe0\nrsp            0x7fffffffdbc0   0x7fffffffdbc0\nr8             0x7ffff7fe94c0   140737354044608\nr9             0x7ffff7fe94c0   140737354044608\nr10            0x555555602010   93824992944144\nr11    
        0x246    582\nr12            0x555555400780   93824990840704\nr13            0x7fffffffdcc0   140737488346304\nr14            0x0      0\nr15            0x0      0\nrip            0x555555400963   0x555555400963 &lt;main+85&gt;\neflags         0x206    [ PF IF ]\ncs             0x33     51\nss             0x2b     43\nds             0x0      0\nes             0x0      0\nfs             0x0      0\ngs             0x0      0\n(gdb) x\/20b $rbp-0x10\n0x7fffffffdbd0: 0x61    0x00    0x00    0x00    0x00    0x00    0x00    0x00\n0x7fffffffdbd8: 0x00    0xcb    0x22    0xba    0x58    0x60    0xea    0x40\n0x7fffffffdbe0: 0xa0    0x09    0x40    0x55\n(gdb) ni\n0x0000555555400967 in main ()\n(gdb) i r\nrax            0x61     97\nrbx            0x0      0\nrcx            0x0      0\nrdx            0x0      0\nrsi            0x61616161       1633771873\nrdi            0x555555602260   93824992944736\nrbp            0x7fffffffdbe0   0x7fffffffdbe0\nrsp            0x7fffffffdbc0   0x7fffffffdbc0\nr8             0x7ffff7fe94c0   140737354044608\nr9             0x7ffff7fe94c0   140737354044608\nr10            0x555555602010   93824992944144\nr11            0x246    582\nr12            0x555555400780   93824990840704\nr13            0x7fffffffdcc0   140737488346304\nr14            0x0      0\nr15            0x0      0\nrip            0x555555400967   0x555555400967 &lt;main+89&gt;\neflags         0x206    [ PF IF ]\ncs             0x33     51\nss             0x2b     43\nds             0x0      0\nes             0x0      0\nfs             0x0      0\ngs             0x0      0\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n   0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:  
  xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n=&gt; 0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n   0x0000555555400990 &lt;+130&gt;:   leave\n   0x0000555555400991 &lt;+131&gt;:   ret\nEnd of assembler dump.\n(gdb) ni\n0x0000555555400969 in main ()\n(gdb) ni\n0x000055555540096b in main ()\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n   0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 
&lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n=&gt; 0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n   0x0000555555400990 &lt;+130&gt;:   leave\n   0x0000555555400991 &lt;+131&gt;:   ret\nEnd of assembler dump.\n(gdb) ni\n0x0000555555400972 in main ()\n(gdb) si\n0x00005555554008ef in func ()\n(gdb) disassemble $rip\nDump of assembler code for function func:\n=&gt; 0x00005555554008ef 
&lt;+0&gt;:     push   rbp\n   0x00005555554008f0 &lt;+1&gt;:     mov    rbp,rsp\n   0x00005555554008f3 &lt;+4&gt;:     sub    rsp,0x10\n   0x00005555554008f7 &lt;+8&gt;:     mov    QWORD PTR [rbp-0x8],rdi\n   0x00005555554008fb &lt;+12&gt;:    mov    rax,QWORD PTR [rbp-0x8]\n   0x00005555554008ff &lt;+16&gt;:    mov    rdi,rax\n   0x0000555555400902 &lt;+19&gt;:    call   0x555555400730 &lt;system@plt&gt;\n   0x0000555555400907 &lt;+24&gt;:    mov    eax,0x0\n   0x000055555540090c &lt;+29&gt;:    leave\n   0x000055555540090d &lt;+30&gt;:    ret\nEnd of assembler dump.\n(gdb) c\nContinuing.\n$ whoami\nhack\n$ exit\naaaaa[Inferior 1 (process 50) exited normally]<\/code><\/pre>\n<h1>\u7f16\u8bd1\u621032\u4f4d\u7a0b\u5e8f\u518dpwn<\/h1>\n<h2>\u5148\u5b89\u88c5\u9002\u914d\u5e93<\/h2>\n<pre><code class=\"language-bash\">sudo apt-get install gcc-multilib g++-multilib module-assistant<\/code><\/pre>\n<h2>\u7f16\u8bd1<\/h2>\n<pre><code class=\"language-bash\">gcc -m32<\/code><\/pre>\n<pre><code class=\"language-assembly\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ ls\na  question_1.c  question_1.s  question_1_x64\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gcc -m32 question_1.c\nquestion_1.c: In function \u2018main\u2019:\nquestion_1.c:22:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? 
[-Wimplicit-function-declaration]\n  gets(a);\n  ^~~~\n  fgets\nquestion_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]\n  printf(a);\n         ^\n\/tmp\/cc7EtBTh.o: In function `main&#039;:\nquestion_1.c:(.text+0xea): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ ls\na  a.out  question_1.c  question_1.s  question_1_x64\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gdb .\/a.out\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/a.out...(no debugging symbols found)...done.\n(gdb) start\nTemporary breakpoint 1 at 0x738\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/a.out\n\nTemporary breakpoint 1, 0x56555738 in main ()\n(gdb) disassemble $eip\nDump of assembler code for function main:\n   0x56555729 &lt;+0&gt;:     lea    ecx,[esp+0x4]\n   0x5655572d &lt;+4&gt;:     and    esp,0xfffffff0\n   0x56555730 &lt;+7&gt;:     push   DWORD PTR [ecx-0x4]\n   0x56555733 &lt;+10&gt;:    push   ebp\n   0x56555734 &lt;+11&gt;:    mov    ebp,esp\n   0x56555736 &lt;+13&gt;:    push   ebx\n   0x56555737 
&lt;+14&gt;:    push   ecx\n=&gt; 0x56555738 &lt;+15&gt;:    sub    esp,0x20\n   0x5655573b &lt;+18&gt;:    call   0x565555a0 &lt;__x86.get_pc_thunk.bx&gt;\n   0x56555740 &lt;+23&gt;:    add    ebx,0x1878\n   0x56555746 &lt;+29&gt;:    mov    eax,gs:0x14\n   0x5655574c &lt;+35&gt;:    mov    DWORD PTR [ebp-0xc],eax\n   0x5655574f &lt;+38&gt;:    xor    eax,eax\n   0x56555751 &lt;+40&gt;:    mov    DWORD PTR [ebp-0x1c],0x0\n   0x56555758 &lt;+47&gt;:    mov    DWORD PTR [ebp-0x18],0x0\n   0x5655575f &lt;+54&gt;:    mov    DWORD PTR [ebp-0x14],0x0\n   0x56555766 &lt;+61&gt;:    mov    DWORD PTR [ebp-0x10],0x0\n   0x5655576d &lt;+68&gt;:    sub    esp,0xc\n   0x56555770 &lt;+71&gt;:    lea    eax,[ebx-0x1738]\n   0x56555776 &lt;+77&gt;:    push   eax\n   0x56555777 &lt;+78&gt;:    call   0x56555510 &lt;puts@plt&gt;\n   0x5655577c &lt;+83&gt;:    add    esp,0x10\n   0x5655577f &lt;+86&gt;:    sub    esp,0xc\n   0x56555782 &lt;+89&gt;:    lea    eax,[ebp-0x1c]\n   0x56555785 &lt;+92&gt;:    push   eax\n   0x56555786 &lt;+93&gt;:    call   0x565554f0 &lt;gets@plt&gt;\n   0x5655578b &lt;+98&gt;:    add    esp,0x10\n   0x5655578e &lt;+101&gt;:   sub    esp,0xc\n   0x56555791 &lt;+104&gt;:   lea    eax,[ebp-0x1c]\n   0x56555794 &lt;+107&gt;:   push   eax\n   0x56555795 &lt;+108&gt;:   call   0x565554e0 &lt;printf@plt&gt;\n   0x5655579a &lt;+113&gt;:   add    esp,0x10\n   0x5655579d &lt;+116&gt;:   movzx  eax,BYTE PTR [ebp-0x14]\n   0x565557a1 &lt;+120&gt;:   cmp    al,0x61\n   0x565557a3 &lt;+122&gt;:   jne    0x565557b7 &lt;main+142&gt;\n   0x565557a5 &lt;+124&gt;:   sub    esp,0xc\n   0x565557a8 &lt;+127&gt;:   lea    eax,[ebx+0x50]\n   0x565557ae &lt;+133&gt;:   push   eax\n---Type &lt;return&gt; to continue, or q &lt;return&gt; to quit---q\nQuit\n(gdb) b *0x5655579d\nBreakpoint 2 at 0x5655579d\n(gdb) c\nContinuing.\ninput:\naaaaaaa\n\nBreakpoint 2, 0x5655579d in main ()\n(gdb) x\/20i $eip\n=&gt; 0x5655579d &lt;main+116&gt;:       movzx  eax,BYTE PTR [ebp-0x14]\n   
0x565557a1 &lt;main+120&gt;:       cmp    al,0x61\n   0x565557a3 &lt;main+122&gt;:       jne    0x565557b7 &lt;main+142&gt;\n   0x565557a5 &lt;main+124&gt;:       sub    esp,0xc\n   0x565557a8 &lt;main+127&gt;:       lea    eax,[ebx+0x50]\n   0x565557ae &lt;main+133&gt;:       push   eax\n   0x565557af &lt;main+134&gt;:       call   0x565556fe &lt;func&gt;\n   0x565557b4 &lt;main+139&gt;:       add    esp,0x10\n   0x565557b7 &lt;main+142&gt;:       mov    eax,0x0\n   0x565557bc &lt;main+147&gt;:       mov    edx,DWORD PTR [ebp-0xc]\n   0x565557bf &lt;main+150&gt;:       xor    edx,DWORD PTR gs:0x14\n   0x565557c6 &lt;main+157&gt;:       je     0x565557cd &lt;main+164&gt;\n   0x565557c8 &lt;main+159&gt;:       call   0x56555850 &lt;__stack_chk_fail_local&gt;\n   0x565557cd &lt;main+164&gt;:       lea    esp,[ebp-0x8]\n   0x565557d0 &lt;main+167&gt;:       pop    ecx\n   0x565557d1 &lt;main+168&gt;:       pop    ebx\n   0x565557d2 &lt;main+169&gt;:       pop    ebp\n   0x565557d3 &lt;main+170&gt;:       lea    esp,[ecx-0x4]\n   0x565557d6 &lt;main+173&gt;:       ret\n   0x565557d7 &lt;__x86.get_pc_thunk.ax&gt;:  mov    eax,DWORD PTR [esp]\n(gdb) x\/20b $ebp-0x14\n0xffffcd04:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00\n0xffffcd0c:     0x00    0xb0    0xb5    0xbd    0x30    0xcd    0xff    0xff\n0xffffcd14:     0x00    0x00    0x00    0x00\n(gdb) p $ebp-0x14\n$1 = (void *) 0xffffcd04\n(gdb) set *0xffffcd04=0x61\n(gdb) ni\n0x565557a1 in main ()\n(gdb) ni\n0x565557a3 in main ()\n(gdb) x\/20i $eip\n=&gt; 0x565557a3 &lt;main+122&gt;:       jne    0x565557b7 &lt;main+142&gt;\n   0x565557a5 &lt;main+124&gt;:       sub    esp,0xc\n   0x565557a8 &lt;main+127&gt;:       lea    eax,[ebx+0x50]\n   0x565557ae &lt;main+133&gt;:       push   eax\n   0x565557af &lt;main+134&gt;:       call   0x565556fe &lt;func&gt;\n   0x565557b4 &lt;main+139&gt;:       add    esp,0x10\n   0x565557b7 &lt;main+142&gt;:       mov    eax,0x0\n   0x565557bc &lt;main+147&gt;:       
mov    edx,DWORD PTR [ebp-0xc]\n   0x565557bf &lt;main+150&gt;:       xor    edx,DWORD PTR gs:0x14\n   0x565557c6 &lt;main+157&gt;:       je     0x565557cd &lt;main+164&gt;\n   0x565557c8 &lt;main+159&gt;:       call   0x56555850 &lt;__stack_chk_fail_local&gt;\n   0x565557cd &lt;main+164&gt;:       lea    esp,[ebp-0x8]\n   0x565557d0 &lt;main+167&gt;:       pop    ecx\n   0x565557d1 &lt;main+168&gt;:       pop    ebx\n   0x565557d2 &lt;main+169&gt;:       pop    ebp\n   0x565557d3 &lt;main+170&gt;:       lea    esp,[ecx-0x4]\n   0x565557d6 &lt;main+173&gt;:       ret\n   0x565557d7 &lt;__x86.get_pc_thunk.ax&gt;:  mov    eax,DWORD PTR [esp]\n   0x565557da &lt;__x86.get_pc_thunk.ax+3&gt;:        ret\n   0x565557db &lt;__x86.get_pc_thunk.ax+4&gt;:        xchg   ax,ax\n(gdb) c\nContinuing.\n$ whoami\nhack<\/code><\/pre>\n<h1>\u4f5c\u4e1a<\/h1>\n<pre><code class=\"language-bash\">gcc -m32 question_1.c -fno-omit-frame-pointer -o question_1_x86_esp\ngcc question_1.c -fno-omit-frame-pointer -o question_1_x64_esp<\/code><\/pre>\n<pre><code class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gcc -m32 question_1.c -fno-omit-frame-pointer -o question_1_x86_esp\nquestion_1.c: In function \u2018main\u2019:\nquestion_1.c:22:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? 
[-Wimplicit-function-declaration]\n  gets(a);\n  ^~~~\n  fgets\nquestion_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]\n  printf(a);\n         ^\n\/tmp\/ccfZI7oo.o: In function `main&#039;:\nquestion_1.c:(.text+0xea): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ ls\na  a.out  question_1.c  question_1.s  question_1_x64  question_1_x86_esp\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gdb .\/question_1_x86_esp\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/question_1_x86_esp...(no debugging symbols found)...done.\n(gdb) start\nTemporary breakpoint 1 at 0x738\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/question_1_x86_esp\n\nTemporary breakpoint 1, 0x56555738 in main ()\n(gdb) disassemble $eip\nDump of assembler code for function main:\n   0x56555729 &lt;+0&gt;:     lea    ecx,[esp+0x4]\n   0x5655572d &lt;+4&gt;:     and    esp,0xfffffff0\n   0x56555730 &lt;+7&gt;:     push   DWORD PTR [ecx-0x4]\n   0x56555733 &lt;+10&gt;:    push   ebp\n   0x56555734 &lt;+11&gt;:    mov    
ebp,esp\n   0x56555736 &lt;+13&gt;:    push   ebx\n   0x56555737 &lt;+14&gt;:    push   ecx\n=&gt; 0x56555738 &lt;+15&gt;:    sub    esp,0x20\n   0x5655573b &lt;+18&gt;:    call   0x565555a0 &lt;__x86.get_pc_thunk.bx&gt;\n   0x56555740 &lt;+23&gt;:    add    ebx,0x1878\n   0x56555746 &lt;+29&gt;:    mov    eax,gs:0x14\n   0x5655574c &lt;+35&gt;:    mov    DWORD PTR [ebp-0xc],eax\n   0x5655574f &lt;+38&gt;:    xor    eax,eax\n   0x56555751 &lt;+40&gt;:    mov    DWORD PTR [ebp-0x1c],0x0\n   0x56555758 &lt;+47&gt;:    mov    DWORD PTR [ebp-0x18],0x0\n   0x5655575f &lt;+54&gt;:    mov    DWORD PTR [ebp-0x14],0x0\n   0x56555766 &lt;+61&gt;:    mov    DWORD PTR [ebp-0x10],0x0\n   0x5655576d &lt;+68&gt;:    sub    esp,0xc\n   0x56555770 &lt;+71&gt;:    lea    eax,[ebx-0x1738]\n   0x56555776 &lt;+77&gt;:    push   eax\n   0x56555777 &lt;+78&gt;:    call   0x56555510 &lt;puts@plt&gt;\n   0x5655577c &lt;+83&gt;:    add    esp,0x10\n   0x5655577f &lt;+86&gt;:    sub    esp,0xc\n   0x56555782 &lt;+89&gt;:    lea    eax,[ebp-0x1c]\n   0x56555785 &lt;+92&gt;:    push   eax\n   0x56555786 &lt;+93&gt;:    call   0x565554f0 &lt;gets@plt&gt;\n   0x5655578b &lt;+98&gt;:    add    esp,0x10\n   0x5655578e &lt;+101&gt;:   sub    esp,0xc\n   0x56555791 &lt;+104&gt;:   lea    eax,[ebp-0x1c]\n   0x56555794 &lt;+107&gt;:   push   eax\n   0x56555795 &lt;+108&gt;:   call   0x565554e0 &lt;printf@plt&gt;\n   0x5655579a &lt;+113&gt;:   add    esp,0x10\n   0x5655579d &lt;+116&gt;:   movzx  eax,BYTE PTR [ebp-0x14]\n   0x565557a1 &lt;+120&gt;:   cmp    al,0x61\n   0x565557a3 &lt;+122&gt;:   jne    0x565557b7 &lt;main+142&gt;\n   0x565557a5 &lt;+124&gt;:   sub    esp,0xc\n   0x565557a8 &lt;+127&gt;:   lea    eax,[ebx+0x50]\n   0x565557ae &lt;+133&gt;:   push   eax\n---Type &lt;return&gt; to continue, or q &lt;return&gt; to quit---q\nQuit\n(gdb) b *0x5655579d\nBreakpoint 2 at 0x5655579d\n(gdb) c\nContinuing.\ninput:\naaaaa\n\nBreakpoint 2, 0x5655579d in main ()\n(gdb) x\/20i $eip\n=&gt; 0x5655579d 
&lt;main+116&gt;:       movzx  eax,BYTE PTR [ebp-0x14]\n   0x565557a1 &lt;main+120&gt;:       cmp    al,0x61\n   0x565557a3 &lt;main+122&gt;:       jne    0x565557b7 &lt;main+142&gt;\n   0x565557a5 &lt;main+124&gt;:       sub    esp,0xc\n   0x565557a8 &lt;main+127&gt;:       lea    eax,[ebx+0x50]\n   0x565557ae &lt;main+133&gt;:       push   eax\n   0x565557af &lt;main+134&gt;:       call   0x565556fe &lt;func&gt;\n   0x565557b4 &lt;main+139&gt;:       add    esp,0x10\n   0x565557b7 &lt;main+142&gt;:       mov    eax,0x0\n   0x565557bc &lt;main+147&gt;:       mov    edx,DWORD PTR [ebp-0xc]\n   0x565557bf &lt;main+150&gt;:       xor    edx,DWORD PTR gs:0x14\n   0x565557c6 &lt;main+157&gt;:       je     0x565557cd &lt;main+164&gt;\n   0x565557c8 &lt;main+159&gt;:       call   0x56555850 &lt;__stack_chk_fail_local&gt;\n   0x565557cd &lt;main+164&gt;:       lea    esp,[ebp-0x8]\n   0x565557d0 &lt;main+167&gt;:       pop    ecx\n   0x565557d1 &lt;main+168&gt;:       pop    ebx\n   0x565557d2 &lt;main+169&gt;:       pop    ebp\n   0x565557d3 &lt;main+170&gt;:       lea    esp,[ecx-0x4]\n   0x565557d6 &lt;main+173&gt;:       ret\n   0x565557d7 &lt;__x86.get_pc_thunk.ax&gt;:  mov    eax,DWORD PTR [esp]\n(gdb) x\/20b $ebp-0x14\n0xffffccf4:     0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00\n0xffffccfc:     0x00    0x2a    0x9f    0xbf    0x20    0xcd    0xff    0xff\n0xffffcd04:     0x00    0x00    0x00    0x00\n(gdb) set *0xffffccf4=0x61\n(gdb) c\nContinuing.\n$ whoami\nhack\n$ exit\naaaaa[Inferior 1 (process 126) exited normally]\n(gdb) q\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gcc question_1.c -fno-omit-frame-pointer -o question_1_x64_esp\nquestion_1.c: In function \u2018main\u2019:\nquestion_1.c:22:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? 
[-Wimplicit-function-declaration]\n  gets(a);\n  ^~~~\n  fgets\nquestion_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]\n  printf(a);\n         ^\n\/tmp\/cc5FEGz8.o: In function `main&#039;:\nquestion_1.c:(.text+0xc4): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ ls\na  a.out  question_1.c  question_1.s  question_1_x64  question_1_x64_esp  question_1_x86_esp\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gdb .\/question_1_x64_esp\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/question_1_x64_esp...(no debugging symbols found)...done.\n(gdb) start\nTemporary breakpoint 1 at 0x912\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1\/question_1_x64_esp\n\nTemporary breakpoint 1, 0x0000555555400912 in main ()\n(gdb) disassemble $rip\nDump of assembler code for function main:\n   0x000055555540090e &lt;+0&gt;:     push   rbp\n   0x000055555540090f &lt;+1&gt;:     mov    rbp,rsp\n=&gt; 0x0000555555400912 &lt;+4&gt;:     sub    rsp,0x20\n   0x0000555555400916 &lt;+8&gt;:     mov    rax,QWORD PTR 
fs:0x28\n   0x000055555540091f &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000555555400923 &lt;+21&gt;:    xor    eax,eax\n   0x0000555555400925 &lt;+23&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x000055555540092d &lt;+31&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000555555400935 &lt;+39&gt;:    lea    rdi,[rip+0xe8]        # 0x555555400a24\n   0x000055555540093c &lt;+46&gt;:    call   0x555555400710 &lt;puts@plt&gt;\n   0x0000555555400941 &lt;+51&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400945 &lt;+55&gt;:    mov    rdi,rax\n   0x0000555555400948 &lt;+58&gt;:    mov    eax,0x0\n   0x000055555540094d &lt;+63&gt;:    call   0x555555400750 &lt;gets@plt&gt;\n   0x0000555555400952 &lt;+68&gt;:    lea    rax,[rbp-0x18]\n   0x0000555555400956 &lt;+72&gt;:    mov    rdi,rax\n   0x0000555555400959 &lt;+75&gt;:    mov    eax,0x0\n   0x000055555540095e &lt;+80&gt;:    call   0x555555400740 &lt;printf@plt&gt;\n   0x0000555555400963 &lt;+85&gt;:    movzx  eax,BYTE PTR [rbp-0x10]\n   0x0000555555400967 &lt;+89&gt;:    cmp    al,0x61\n   0x0000555555400969 &lt;+91&gt;:    jne    0x555555400977 &lt;main+105&gt;\n   0x000055555540096b &lt;+93&gt;:    lea    rdi,[rip+0x20069e]        # 0x555555601010 &lt;sh&gt;\n   0x0000555555400972 &lt;+100&gt;:   call   0x5555554008ef &lt;func&gt;\n   0x0000555555400977 &lt;+105&gt;:   mov    eax,0x0\n   0x000055555540097c &lt;+110&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555400980 &lt;+114&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x0000555555400989 &lt;+123&gt;:   je     0x555555400990 &lt;main+130&gt;\n   0x000055555540098b &lt;+125&gt;:   call   0x555555400720 &lt;__stack_chk_fail@plt&gt;\n   0x0000555555400990 &lt;+130&gt;:   leave\n   0x0000555555400991 &lt;+131&gt;:   ret\nEnd of assembler dump.\n(gdb) b *0x0000555555400963\nBreakpoint 2 at 0x555555400963\n(gdb) c\nContinuing.\ninput:\naaaaa\n\nBreakpoint 2, 0x0000555555400963 in main ()\n(gdb) x\/20b $rbp-0x10\n0x7fffffffdbb0: 0       0       0       0       
0       0       0       0\n0x7fffffffdbb8: 0       -63     -87     121     26      14      97      -2\n0x7fffffffdbc0: -96     9       64      85\n(gdb) x\/20x $rbp-0x10\n0x7fffffffdbb0: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00\n0x7fffffffdbb8: 0x00    0xc1    0xa9    0x79    0x1a    0x0e    0x61    0xfe\n0x7fffffffdbc0: 0xa0    0x09    0x40    0x55\n(gdb) set *0x7fffffffdbb0=0x61\n(gdb) c\nContinuing.\n$ whoami\nhack\n$ exit\naaaaa[Inferior 1 (process 142) exited normally]\n(gdb) q<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u57fa\u7840\u547d\u4ee4 \u8ddf\u7740b\u7ad9\u4f60\u60f3\u6709\u591aPWN(\u5f00\u59cb\u66f4\u65b0)\u505a\u7684\u4e00\u70b9\u7b14\u8bb0\u3002 GCC GCC \u7f16\u8bd1\u5de5\u5177\u94fe\u5728\u7f16\u8bd1\u4e00\u4e2aC\u6e90\u6587\u4ef6\u65f6\u9700\u8981 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":175,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19],"tags":[],"class_list":["post-174","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-and-protest","category-pwn"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=174"}],"version-history":[{"count":3,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/174\/revisions"}],"predecessor-version":[{"id":178,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/174\/revisions\/178"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/162.14.82.11
4\/index.php\/wp-json\/wp\/v2\/media\/175"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=174"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}