结构
程序逻辑功能
switch ( code )
{
case '+':
stack[*index - 1] += stack[*index];
--*index;
goto LABEL_10;
case '-':
stack[*index - 1] -= stack[*index];
--*index;
goto LABEL_10;
case 'm':
stack[1] = stack[*index];
goto LABEL_10;
case 'w':
stack[++*index] = stack[1];
printf("%x/n", (unsigned int)stack[1]);
goto LABEL_10;
case 'p':
printf("Value: %d\n", (unsigned int)stack[*index]);
fflush(_bss_start);
goto LABEL_10;
case 'n':
printf("Value: %d\n", (unsigned int)stack[*index]);
fflush(_bss_start);
goto LABEL_8;
case '.':
LABEL_8:
--*index;
goto LABEL_10;
case 'q':
result = 1LL;
break;
default:
LABEL_10:
result = 0LL;
break;
}
return result;
思路
首先通过 '.' 来控制 index 到 unicros 栈帧上，溢出 ebp，从而计算 safe_stack 所在栈的地址，然后覆盖 ebp2，从而控制其指向 safe_stack；safe_stack 中填充 ROP 和 shellcode，从而执行 shell。