#include <stdio.h>
#include <stdlib.h>
int main(int argc, char * argv[])
{   
    FILE *fp; 
    char *msg = "hello_file";
    char *buf = malloc(100);
    read(0, buf, 100);
    fp = fopen("key.txt", "rw");
    // 设置 flag 绕过 check
    fp->_flags &= ~8;
    fp->_flags |= 0x800;
    // _IO_write_base write数据的起始地址， _IO_write_ptr  write数据的终止地址
    fp->_IO_write_base = msg;
    fp->_IO_write_ptr = msg + 6;
    //绕过检查
    fp->_IO_read_end = fp->_IO_write_base;
    // write 的目的 文件描述符， 1 --> 标准输出
    fp->_fileno = 1;
    fwrite(buf, 1, 100, fp);
    return 0;
}

  #include <stdio.h>
#include <stdlib.h>
int main(int argc, char * argv[])
{   
    FILE *fp; 
    char msg[100];
    char *buf = malloc(100);
    fp = fopen("key.txt", "rw");
    // 设置 flag 绕过 check
    fp->_flags &= ~4;
    // _IO_buf_base buffer 的起始地址， _IO_buf_end  buffer 的终止地址
    // fread 先把数据读入 [_IO_buf_base, _IO_buf_end] 形成的 buffer
    // 然后复制到目的 buffer
    fp->_IO_buf_base = msg;
    fp->_IO_buf_end = msg + 100;
    // 设置 文件描述符， 0---> stdin, 从标准输入读数据
    fp->_fileno = 0;
    fread(buf, 1, 6, fp);
    
    puts(msg);
    puts(buf);
    return 0;
}

 #include <stdio.h>
#include <stdlib.h>
int global_val = 0xaabbccdd;
int main(int argc, char * argv[])
{   
    FILE *fp; 
    int var;
    fp = stdin;
    fp->_flags &= ~4;
    fp->_IO_buf_base = stdout;
    fp->_IO_buf_end = stdout + 100;
    scanf("%d",&var);
    
    printf("0x%x\n", global_val);
    return 0;
}

 #include <stdio.h>
#include <stdlib.h>
int main(int argc, char * argv[])
{   
    FILE *fp; 
    char *msg = "hello_stdout";
    char *buf = malloc(100);
    fp = stdout;
    // 设置 flag 绕过 check
    fp->_flags &= ~8;
    fp->_flags |= 0x800;
    // _IO_write_base write数据的起始地址， _IO_write_ptr  write数据的终止地址
    fp->_IO_write_base = msg;
    fp->_IO_write_ptr = msg + 12;
    //绕过检查
    fp->_IO_read_end = fp->_IO_write_base;
    // write 的目的 文件描述符， 1 --> 标准输出
    fp->_fileno = 1;
    puts("<----->this is append on msg ");
    return 0;
}