buuctf pwn babyheap_0ctf_2017
第一次遇到保护全开的题目
保护全开，一般是堆相关的题目
/*
 * Menu loop (decompiled; names are IDA defaults).
 * Builds the program state once via sub_B70(), then repeatedly prints the
 * menu (sub_CF4), reads a choice (sub_138C) and dispatches 1..4 to the
 * handlers, each of which receives the state pointer. Choice 5 exits;
 * anything else re-prompts. a3 (envp) is never used.
 */
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
    char *state; // [rsp+8h] [rbp-8h]  pointer returned by sub_B70()
    state = sub_B70();
    for ( ;; )
    {
        sub_CF4(a1, a2);
        __int64 choice = sub_138C();
        if ( choice == 5LL )
            return 0LL;
        if ( choice < 1LL || choice > 4LL )
            continue;
        // Same in every handled case: a1 ends up holding the state pointer,
        // so the next sub_CF4 call receives it as its first argument
        // (presumably a register-reuse artifact of the decompiler — confirm in the disassembly).
        a1 = (__int64)state;
        if ( choice == 1LL )
            sub_D48(state);
        else if ( choice == 2LL )
            sub_E7F(state);
        else if ( choice == 3LL )
            sub_F50(state);
        else
            sub_1051(state);
    }
}
/*
 * Program setup (decompiled; names are IDA defaults).
 * Makes stdio unbuffered, arms a 60 s alarm, prints the banner, then maps
 * one anonymous read/write page at a random address and returns a pointer
 * to a random 16-byte-aligned offset inside it -- the pointer that main
 * hands to sub_D48/sub_E7F/sub_F50/sub_1051. Any failure on this path
 * calls exit(-1) (process status 255).
 * Returns: pointer into the fresh mapping; the mapping is never unmapped here.
 */
char *sub_B70()
{
int fd; // [rsp+4h] [rbp-3Ch]
char *addr; // [rsp+8h] [rbp-38h]  page-aligned mmap target
unsigned __int64 v3; // [rsp+10h] [rbp-30h]  16-byte-aligned offset into the page
__int64 buf[4]; // [rsp+20h] [rbp-20h] BYREF  buf[0..1] = 16 random bytes, buf[3] = canary slot
buf[3] = __readfsqword(0x28u); // fs:0x28 is the x86-64 glibc stack-protector canary (prologue load shown by IDA)
setvbuf(stdin, 0LL, 2, 0LL); // mode 2 == _IONBF: unbuffered stdin
setvbuf(_bss_start, 0LL, 2, 0LL); // NOTE(review): _bss_start is presumably stdout (IDA symbol mis-resolution) -- confirm in the binary
alarm(0x3Cu); // SIGALRM after 60 s ends a stalled session
puts("===== Baby Heap in 2017 =====");
fd = open("/dev/urandom", 0); // flags 0 == O_RDONLY
if ( fd < 0 || read(fd, buf, 0x10uLL) != 16 ) // exactly 16 random bytes or bail; a short read is treated as fatal
exit(-1);
close(fd);
// Random page-aligned hint (< ~0x555555553000): buf[0] is signed but the
// unsigned constant forces an unsigned modulo, so the result is non-negative.
// The bookkeeping area thus sits at an address unrelated to the binary or heap.
addr = (char *)((buf[0] % 0x555555543000uLL + 0x10000) & 0xFFFFFFFFFFFFF000LL);
// Random offset within the page: < 0xE80 and 16-byte aligned (max 0xE70), so at
// least 0x190 bytes remain between the returned pointer and the end of the page.
v3 = (buf[1] % 0xE80uLL) & 0xFFFFFFFFFFFFFFF0LL;
// prot 3 == PROT_READ|PROT_WRITE, flags 34 == MAP_PRIVATE|MAP_ANONYMOUS (no MAP_FIXED),
// so the kernel may ignore the hint; the equality check turns that into a hard exit
// rather than silently using a different address.
if ( mmap(addr, 0x1000uLL, 3, 34, -1, 0LL) != addr )
exit(-1);
return &addr[v3];
}
后面还是要补充一下堆的学习，目前还没有接触到