// survey(): decompiled listing of the routine analysed in this write-up (the
// [esp+..]/[ebp-..] annotations are the decompiler's stack-slot offsets).
// The write-up notes that the binary has NX enabled.
//
// Each pass asks for a name, age, reason and comment, echoes them back, bumps
// the global counter `cnt`, prints a status line and asks whether to continue.
// `cnt`, `choice` and `s` are globals defined outside this listing.
//
// Returns the result of the final fflush(stdout); calls exit(0) once cnt > 199.
int survey()
{
  char output[56]; // [esp+10h] [ebp-E8h] BYREF
  size_t nbytes; // [esp+48h] [ebp-B0h]   (0xE8 - 0xB0 = 0x38 = 56: sits directly after output[])
  size_t size; // [esp+4Ch] [ebp-ACh]
  char comment[80]; // [esp+50h] [ebp-A8h] BYREF
  int age; // [esp+A0h] [ebp-58h] BYREF
  void *chunk; // [esp+A4h] [ebp-54h]
  char reason[80]; // [esp+A8h] [ebp-50h] BYREF

  // Read lengths live in stack variables rather than constants: nbytes bounds
  // the name and comment reads, size bounds the reason read.
  nbytes = 0x3C;
  size = 80;
LABEL_2:
  // comment[] is cleared on every pass; reason[] and output[] are not.
  memset(comment, 0, sizeof(comment));
  // Fixed 0x3C-byte allocation for the name; the result is not checked for NULL.
  chunk = malloc(0x3Cu);
  printf("\nPlease enter your name: ");
  fflush(stdout);
  // Length is nbytes, not the allocation size; the two agree only while nbytes is still 0x3C.
  read(0, chunk, nbytes);
  printf("Please enter your age: ");
  fflush(stdout);
  // Return value is ignored, so age keeps whatever it held if the input is not a number.
  __isoc99_scanf("%d", &age);
  printf("Why did you came to see this movie? ");
  fflush(stdout);
  // read() does not append a terminator: input that fills all 80 bytes leaves
  // reason[] unterminated for the "%s" print below.
  read(0, reason, size);
  fflush(stdout);
  printf("Please enter your comment: ");
  fflush(stdout);
  // Same pattern: the bound is nbytes, while the destination is 80 bytes.
  read(0, comment, nbytes);
  ++cnt;
  // "%s" stops only at a NUL byte. None of the reads above guarantees one, so
  // these prints can run past the buffers and disclose adjacent memory.
  printf("Name: %s\n", (const char *)chunk);
  printf("Age: %d\n", age);
  printf("Reason: %s\n", reason);
  printf("Comment: %s\n\n", comment);
  fflush(stdout);
  // Author's note (translated): the literal part of this message is 54 bytes,
  // plus the digits of cnt; with a three-digit cnt the write overflows output[]
  // and overwrites nbytes.
  // Review detail: sprintf() also writes a terminating NUL. With a two-digit cnt
  // the 56 characters fill output[] exactly and the NUL lands at output[56];
  // with three digits the last message character lands there and the NUL one
  // byte further. Per the stack annotations, output[56] is the first byte of
  // nbytes, so the length used by the reads above is no longer the intended 0x3C.
  // Mitigation at source level: snprintf(output, sizeof output, ...) with a
  // buffer sized for the largest counter value.
  sprintf(output, "%d comment so far. We will review them as soon as we can", cnt);
  puts(output);
  puts(&s);
  fflush(stdout);
  // Hard stop after 200 surveys; three-digit values of cnt (100..199) are
  // reachable before this check ends the loop.
  if ( cnt > 199 )
  {
    puts("200 comments is enough!");
    fflush(stdout);
    exit(0);
  }
  while ( 1 )
  {
    printf("Would you like to leave another comment? <y/n>: ");
    fflush(stdout);
    // Reads up to 3 bytes into the global `choice`; its declared size is not
    // visible in this listing. TODO confirm it is at least 3 bytes.
    read(0, &choice, 3u);
    // 89 / 121 are ASCII 'Y' / 'y': release this pass's name buffer and start over.
    if ( choice == 89 || choice == 121 )
    {
      free(chunk);
      goto LABEL_2;
    }
    // 78 / 110 are ASCII 'N' / 'n': leave the loop. chunk is not freed on this path.
    if ( choice == 78 || choice == 110 )
      break;
    puts("Wrong choice.");
    fflush(stdout);
  }
  puts("Bye!");
  return fflush(stdout);
}