Here is the code.
    #include <stdio.h>

    #define NUM 0x11a

    int data = NUM;  /* global that the check below compares against NUM + 5 */

    int main(int argc, char *argv[])
    {
        struct {
            unsigned long memoryAddress;
            char array[50];
        } locals;

        locals.memoryAddress = 2;
        scanf("%lx", &locals.memoryAddress);
        scanf("%49s", locals.array);
        printf(locals.array);  /* user input used directly as the format string */
        data += 5;
        printf("\n%d\n", data);
        if (data != NUM + 0x5) {
            printf("Print me!\n");
        }
        return 0;
    }
I am supposed to get "Print me!". This is a format string attack; I am using %n and gdb.
So how can I get the memory address of data in order to overwrite it?