cscg22-gearboy

CSCG 2022 Challenge 'Gearboy'
git clone https://git.sinitax.com/sinitax/cscg22-gearboy

wrapper.py (52901B)


      1from pwn import *
      2import tempfile
      3import base64
      4import os
      5import subprocess
      6
      7print("""tXtXS%XS%@%@t@tXStXtXt%XtXtXtXtXtXtXt%XtXtXtXtXtXtXtXtX;XtXtXtXtXtXtXtXtXt@t@StXt@tXtXtXtXtXtXtXtX%X
      8tX%XtXtX%SX%X%XtX%X%X%@%XtXt@%@S%S%S@%X%X%X%X%X%X%X%X%S%XSt@tXtX%X%X%@t@%8%@t@SS%X%8%@X%@%XSS%X%X%Xt
      9;St%SXtStX;S%S%SSSSS%@;%tS;%%%t%S;@ttt%%%St%%S;%%S;t%St%%t%StSt%%t%%S;%S%%St%tt%SXt%S;XtXSt%X%%X@t%%
     1088@8X88888888888@8X8@88888@8@@X8888@8X8X888@888@888@888@8@8888@@888@88X@8888@8@8@8X@8@8888@X88888888
     1188S@S8@8X@X@X8@@@88888@8@8@@@888@888@888@8@8@888@@888888@@88@8X88@8@8@X88@88X8X88@88S88@@@8@@8888@X@
     128888888t8:8:8;8:8;8%8;88888%8;8X8S8S@888X8%@;8t8@888@8X8S8%@%@t8t8%8X@%@8@8888@t8;8888@8@%@X8@8S8%8t
     13888888S8:8:8:8;8:8S8;8;@S8%8:8t888;8t@888%8:8;8t8;8%8XX8%S :8 8 8888%888888@@888888888@8@8@88888@88t
     148%@%8@:88.8:8%8;888;8:8t8t8.8;8;8.888t8.8;88.8X8;8t8:88@  t@8:8.@8:8X @X8@X888X.t@8888888@8@@@@@8@88
     1588:@:8@.88 888%8;8:888888;8;88.8.8;8@t88%X;88.8t8;@:8SX88X888:888@S:88888888:88888888888888888888888
     16888@@.8@.88.8%8t8:8t888888.@;88 888.8@:S8SX.88.8:8.8.88@S @88:88888@ 88888@88.8S8X@8@88S8@8888888888
     17888:8@:8@:88;8;8:888;88;%8;8@:88:8t@;88 8;8@.88 8.X;8St@888@88@88@88888@8@8X 8@88888.8:8888888888888
     188%88%8@:8X:88:8:8;8%8;8@:8X.8@:88:8tX.888@%88%8888 8t8888888888888888888X88%8@@88S88S@88X8888888888S
     1988t8%8.@:8@:88.8%8%8tX:8X:8@:8@.8@:8:8tX88%8%8;@:S8;8%;888@88@8X888888888X@tSt@X8XX88@888X8888888888
     2088888.88@;8@:8@%8;8:8;8:8@:8@:8@.88:8;8t888:8;8;@8t@.88@888888@8@8.888@X8X@8%8888 X 8.8S:88888888888
     2188@;8@t8:8:8@:88:8:8:88@;8@:88:88tX8888@888XS@8t888@88888888SX8:88@%8X88X;8X@888 888X 8X8@.888888888
     228%8%8:@.8:@:8@;88.8:8t8:8:8@:8t888S%%XSXSSX%S88888t8888@888888.8X@88@888@8@888X8@88S8@8888@.88888888
     2388:8.8%@:8;X:8@:88.888.88X;88 @8tX  8;8888@88tX8888;8@88888X88S88:88%88SX8.8888%888X88.8@888X88X8888
     24888@%8888t8t8:8@.8@t8.88888888t @ @  X  S8@.8;88S 88.8;S8@88@XX@;8888X888888%8.88@8X888@8XXXX88888%;
     25888tX:X88%8;8@;8@.88.8888;8X.  :8% @8888S:8  8S   @X@8S@88888888:@88@8888888888%8S@88888:88888888888
     268%8%88.8 @.@:8@:8X.8@t8;8S.88SX   X   X;:8S88888 888%@:S88@8X8.tX888888888@88XX88..88X88;@t@8888888%
     2788:X:8%8;88.@:8@;8@.88.8;@  8 8 88S888    88888888 8X8;X888888%:X888888%:888@@88X@.8X88 8X@888888X88
     2888t88X%8%8.8:X;8@;8@:8@%@888888 @88 88888@8888%88888@8;@8888:X8@8888X@@%%8X888@%tXXX88@@@@88888S8888
     2988888t8.8:8;8;8:88 8X.8X. 8@8888X8X8@8X88888@@88888@88t@88888X888888@8t88X8@@@8888@88%S888888@@X8888
     3088X8:8.888;8:8;X 8@:8@X@8888888 8;%SS8X8888888888888S8S@8X88X:888888888888@8@8  8@@8S888@888X888t888
     3188t88 8;8t8:@:8;8.8@:8@888@88888SX:;8;.8 88888888888@8@@88888X8S:@@888888888@8888@X 8@88;8@8St8888X.
     32888 8888:8%8:8:8%S:8@8@S888@8888 8 8S X%8888@8888888X8X@888888X88X88888888888%8S@@8;8SX@8SS%88@8X888
     3388SX88:8888:8:X88.8.8@8S 88888X88888 88S888888888888X8@8888@888888%8X8X8888; 8@X@@X8X88S888t8XX88888
     34888%8 8;8;88.8:S88.S;X8 888@8%88888 8888@@888888888888888@888888XX;%S88S@%X88%8:88@88@888.X8888@8888
     35888:%8.8;8;88.8%@ @:8S8S8888SX888888888888@88888888X88X8@8X8888@88@888;tS88:% tX8@888XX@ 8X888888888
     36888@S88888@:88:888S8X@8888@@888 88S8 8888888888@8888@@X888888888888@888X8@888@X 888@@8888%888888888:
     3788888:X88.8@.8@:8@%8888.888@88888888888888@8@8888S@88X88S888:8:8t8SSXS8@88888888X8@8@888%888888X888@
     38888.88 8%Xt8@.8X;@8@8888 X88888888888888888888X%88888X@@8888@8888@8888S8X8@8S8@888X8888@888888X88888
     3988X@;88t@t8.8X;X@8@@8@8%%8S 888888888888888:XX  X@@88@@@8@8888888888888t8%8:8:8%8:8S88888888888X8t8%
     4088888:88.8SX:8X8X8@X88@8t.:88S8888888888X8S  .8XX@88@@@@@@XX8@888@t8t@.8;8:8:8;8:8;8%8%8;X:S88t8:8:8
     41888;8@:8@%8:@8X@@X@@88@8 8t..8%SX88 8888t:%@;%@X8@88@@@@@@@@X@@88S8.8:@.8%8:8:8:X;8;8;8:888:8:8.8.8;
     428X88%88%88@888X@@X88X88@S88St:@SSX 8XXX8888 8@@88888@@@X@@@@@@8888S@.@:8:8:8:8:8:8;8%8:8:8t8;@:8:8:8
     4388;8t8;@88888@@XX88X888S8@:%%;8X@t;88888:;;S@X@888@@88X@@@@X@@@@@888X.8%@;8:@:8:8:@88:8:8t8;8:8;8.8:
     4488888X@S8888@@@@@88@88888@S S;.tS%.%X%;.:S888@8888@@88X@@@@@X@X@8@8S8X%8%8:8:8:X:8:8.8:@:8;8;888S8;8
     458S8.t%; X:8@X@@X@X88@@88X8@%@;;;;8;..:.t8X8@@8888@@@88@@@@@@@@@X@X88S8888:8t8:8:8:8%8.8.8:8:8;8S8%8:
     4688%X. 8  tS8S@X@@@88@8@88X88X:;;t@% %.@X@@@888@@@@@@X88X8@@@@@@@8@@88888;@;8:8:8%@%@:88X;8:8%8t8t8.8
     47X;; 8888 8 8888@@88@@8XX88XX8St:%@@:X8@8888888888888@88X8@@@@@@@@88S8X8:8:8:8:8t8t8;8;@t8:8%8:8:8:8:
     48;888@88888  88S888@@X@8@@X8888SS@8888888@@8888@@@@@@@@8@8888@@@@@@888888.8%8.888%8:8:8t8;8;8:888;8.8
     49 X8888X88@88 @@8@@@X@@@@@@@@@88@888X@8@@@@@X@@@@@X@X@8@88@88@@@@@8@@888%@88 88888;8.@:8:8:8:888%8.8:
     50t@888888888 8XX@@@@@X@@@@@@88X88X@@@@@@@@@@@@@XX@888@888@@@@@@@@@@@X@88888;8:888%8;@;8:8;8;8t8%8:8t8
     51 8@8 88X 88@X8@@@@@X@@@@@@@88@88X@@@@@@@@@@@88S.8@S S@t8@@@@@@@@X@@@88XS8X;88@t88.@:8%8:8t8S8t8:8;8%
     52@8%888SS888S88@X@@88@@888888@8888888@@@X@@S8t 8:8 8 888S8X@@@@@@@@8X8@@@X%8:@S8%@8%888%88888:%888888
     538@ 88%S@@XS8@8@@@@8X8@888888888888@@888888.S;8XS888@8  t;X8@@@@@@@8S.@@8@@X88@@8@XSt%@Xt@S;XX@%@@%Xt
     54SSSt;888@XS%XXSSXSSSSSSS%XXSSSSSSSXXXSXX;t%888888888888 8.8@@@@88..SXXSSXXSSSSSXSXXXXXXSXSSXXSSXXXSS
     55SSS8888@XX@XXSXSSSSSSSSSSSSXSSXSXSSXXSSSSXX8X888XX88888 8888@88 @:XXXXSSSSSSSSSSSSSSSSXSSXSSSSSSXSXS
     56SSSSX@XXXSXSSXSXSXSXSSSSSSXSSSSSSXSXXSSSX8S.X8S8 8888XSS8%8:@ 8%SXXSSSXXSXSSSSSSSSXSSSSXSSSSSSSSSXSX
     57XSXSXSXSSXSXSSXSXSXSXS%SSSSXSSSSSSXSSXSXSSS888S@S8  888SS8@SSXSSSSXSSSSSXSXSXSXSXSXXXSXSXXXXSSSSSXSS
     58XSSXSSSXSSXSXSSXSSSXSSSSSSXSS%SSXSSXSXSXSSX@88888:%888XSX8SSSSSSXSSSSSSSSSSSSSXXXXSSXSXSSXSXXXXXSSXX
     59XSXSXSXSXSSSXSXSSXSSXS%SSSSXSSSSSXSSXSSXSXSX@@@@@X@@@@X@XXSXSSSSSXSSSSSSXSSSSSSSSSXSSXSXSSXSXSXXXXSS
     60XSSSSXSSXSXSSXSSXSXSSSSSSSXSSSSSSSXSSXSSXSSSSSXX@@X@XX@XXSXSSXSXSSXSSSSSXSSSS%SSXSSXSSXSXSSSSXSSSSXS
     61XSXSXSXSSXSXSSXSSXSXSS%SSSSXSSSXSXSXSSXSSXSSSSSSXXXSXXXSSXSSXSXSSSSSSSSSSXSSSSSSXSXSXSSXSXSXSXSXSXSX
     62SSSSSSSSSSSSSSSSSSSSSSS%SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSXSXSSSSSSSSSXSSSSSSSSSSSSSSXSSSSSSSSSSSSXSSSSS
     63SSSSSSXSSXSSXSSXSSXSSSSSS8tXXS8tSSXSSXSXSSSSSSSSSSXSSXSXSSSXSSSXSSSXSXSXXXSSSSSSSSSSXSSSXSSSSSSSSSSS
     64tt;ttttttttttttttttttttt;;%ttt:t%tttttttt%tt;ttt%tttttttt%tttttttt%tt%ttt%ttttt%tt%ttt%tttt%t%t%tt%t
     65               .                                                                                    
     66""")
     67
     68
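print("\n\n\n\nYou Know What Really Grinds My Gears? Your Gearboy Exploit!")

# Session driver: read a base64 ROM and a base64 save state from stdin, write
# both to private temporary files, then run the emulator under gdbserver and
# hand the terminal over to it.

# Paths of the files created for this session, so they can be removed on exit.
uploaded_paths = []

try:
    print("Please provide base64 encoded gameboy file")
    gb_b64 = input("> ")

    # mkstemp creates the file atomically with a random name and owner-only
    # permissions. The earlier '/tmp/<pid>.gb' name was predictable, so another
    # local user could pre-create the file or plant a symlink at that path
    # before open() ran.
    gb_handle, filename_gb = tempfile.mkstemp(suffix=".gb")
    uploaded_paths.append(filename_gb)
    with os.fdopen(gb_handle, "wb") as fd:
        # b64decode without validate=True silently drops non-alphabet
        # characters; the decoded bytes are untrusted and go to the emulator
        # unchanged.
        fd.write(base64.b64decode(gb_b64))

    print("Please provide base64 encoded gameboy state")
    state_b64 = input("> ")

    state_handle, filename_state = tempfile.mkstemp(suffix=".state")
    uploaded_paths.append(filename_state)
    with os.fdopen(state_handle, "wb") as fd:
        fd.write(base64.b64decode(state_b64))

    # An argv list avoids shell=True: the paths reach gdbserver as single
    # arguments and no shell ever parses the command line.
    # NOTE(review): gdbserver listens on a fixed port, so any process that can
    # reach localhost:1234 gets debugger control over the emulator, and two
    # concurrent sessions would contend for the port. Presumably each
    # connection runs in its own sandbox; confirm against the deployment.
    p = process([
        "gdbserver",
        "localhost:1234",
        "/home/ctf/gearboy/platforms/linux/gearboy",
        filename_gb,
        filename_state,
    ])
    p.interactive()

except Exception as e:
    print("Something went wrong: %s" % e)
    exit(-1)

finally:
    # Runs on the error path too (exit() raises SystemExit), so uploads do not
    # accumulate in the temporary directory across sessions.
    for stale_path in uploaded_paths:
        try:
            os.unlink(stale_path)
        except OSError:
            pass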