cscg22-gearboy

CSCG 2022 Challenge 'Gearboy'
git clone https://git.sinitax.com/sinitax/cscg22-gearboy

notes (1127B)


attack load state file functionality (use invalid state for unintended behavior)

see Gearboy/src/GearboyCore.cpp GearBoy::LoadState:
- control memory, process, video, input, audio

- OOB on Memory::GetWRAM1 using m_iCurrentWRAMBank

- try negative offset binary search until it doesn't crash
  => should give start of program code (test with docker upload & gui for testing)
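The bank-index pattern behind the OOB note above, as an added example that is not Gearboy's code and not part of the original notes: a simplified model of an emulator memory class whose switchable WRAM bank index is deserialized from a state blob. The bank count, the 0x1000-byte bank size, the valid range 1..7 and the four-byte state record are assumptions of the model. The unchecked loader stores the signed index as-is, so a negative or oversized bank turns GetWRAM1-style pointer arithmetic into an address outside the allocation (the offset is returned as a number here rather than dereferenced); the checked loader rejects such a state before the index is ever used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model constants (assumed for this example): 8 WRAM banks of 0x1000 bytes,
   bank 0 fixed at 0xC000, banks 1..7 selectable into the 0xD000 window. */
#define WRAM_BANK_SIZE  0x1000
#define WRAM_BANK_COUNT 8
#define WRAM_TOTAL      ((ptrdiff_t)WRAM_BANK_COUNT * WRAM_BANK_SIZE)

typedef struct {
    uint8_t wram[WRAM_BANK_COUNT * WRAM_BANK_SIZE]; /* one contiguous allocation */
    int32_t current_wram_bank;                      /* index read from the state file */
} Memory;

/* Constructed state record: just the little-endian int32 bank index.
   A real save state carries far more; only this field matters for the model. */
static void make_state(uint8_t out[4], int32_t bank)
{
    memcpy(out, &bank, sizeof bank);
}

/* Vulnerable pattern: the deserialized index is stored without validation. */
static int load_state_unchecked(Memory *m, const uint8_t *state, size_t len)
{
    int32_t bank;
    if (len < sizeof bank)
        return -1;
    memcpy(&bank, state, sizeof bank);
    m->current_wram_bank = bank;
    return 0;
}

/* Hardened variant: reject anything outside the selectable range before use. */
static int load_state_checked(Memory *m, const uint8_t *state, size_t len)
{
    int32_t bank;
    if (len < sizeof bank)
        return -1;
    memcpy(&bank, state, sizeof bank);
    if (bank < 1 || bank >= WRAM_BANK_COUNT)
        return -1;
    m->current_wram_bank = bank;
    return 0;
}

/* The arithmetic a GetWRAM1()-style accessor performs, returned as a byte offset
   from the start of the allocation so an out-of-range bank can be inspected
   instead of dereferenced. */
static ptrdiff_t wram1_offset(const Memory *m)
{
    return (ptrdiff_t)m->current_wram_bank * WRAM_BANK_SIZE;
}

static int offset_in_bounds(ptrdiff_t off)
{
    return off >= 0 && off + WRAM_BANK_SIZE <= WRAM_TOTAL;
}

/* 1 if the unchecked loader would hand out a WRAM1 pointer outside the
   allocation for this bank index, 0 if it stays inside, -1 on a short record. */
static int bank_escapes_allocation(int32_t bank)
{
    Memory m = {0};
    uint8_t state[4];
    make_state(state, bank);
    if (load_state_unchecked(&m, state, sizeof state) != 0)
        return -1;
    return !offset_in_bounds(wram1_offset(&m));
}

/* 1 if the checked loader accepts this bank index, 0 if it rejects it. */
static int bank_accepted_by_checked_loader(int32_t bank)
{
    Memory m = {0};
    uint8_t state[4];
    make_state(state, bank);
    return load_state_checked(&m, state, sizeof state) == 0;
}

int main(void)
{
    int32_t banks[] = {3, 0, 8, -1, -0x20000};

    for (size_t i = 0; i < sizeof banks / sizeof banks[0]; i++) {
        Memory m = {0};
        uint8_t state[4];
        make_state(state, banks[i]);
        load_state_unchecked(&m, state, sizeof state);
        printf("bank %8d: WRAM1 offset %+td (%s), checked loader %s\n",
               banks[i], wram1_offset(&m),
               bank_escapes_allocation(banks[i]) ? "OUT OF BOUNDS" : "in bounds",
               bank_accepted_by_checked_loader(banks[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```

A bank of -0x20000 puts the computed WRAM1 base 0x20000000 bytes below the allocation, which is the kind of relative read/write primitive the negative-offset search in the notes is probing with; the checked loader fails the state load instead of letting the index reach the accessor.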
     10
     11- overwrite pointer in got to free with one gadget for libc
     12
     13- can overwrite pointer in opcode CPG function table from Processor class
     14
     15... lots of time spent trying to find way of leaking both base and libc ...
     16
     17- we can try calling emu_save_ram on the wrapper python script location!
     18
     19... because of heavy optimization and headless patch those functions cant be called ...
     20
     21- if the arguments are still loaded in the right registers we could just jump
     22there anyways!
     23
     24.. nope, only control rdi and we need the memory read from to still be correct ...
     25
     26.. first run in docker has same behavior, can abuse for heap offsets ! ..
     27
     28.. remember that tagged images dont refresh, so pull them to be up-to-date
     29with remote or even better try to match tags ..