M Ramdhan d4em0n

## crasher.c
#define _GNU_SOURCE
#include <err.h>
#include <stdint.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>

## exploit.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <poll.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>

## exploit.c
// gcc -static -o exploit2 exploit2.c -lpthread
// NOTE: compiling using uclibc to get small sized binary
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <poll.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/ioctl.h>

## gist:a7e34486f38cce8070751c1b43c97839
opcode: 0xa
if al >= 0x20
    int3()
rdi = eax
rsi = (rdi*8 + rdi)*8
rdx = *(0x10400+rsi)
*(rdx+0x40) = 1

opcode: 0xb
if al >= 0x20

## run.py
from pwn import *
import random
p = 0
while True:
	try:
#		p = process("./blindshot")
		p = remote("pwn01.chal.ctf.westerns.tokyo", 12463)
		libc = ELF("./libc-2.31.so", checksec=False)
		off = 0xb80
		off = 0x8 | off << 4

## exploit.py
from pwn import *
from random import randint

proc_name = "./tcache_king"
context.terminal = "tmux splitw -h -f".split()
#p = process(proc_name, env={"LD_PRELOAD":"./libc6_2.31-0ubuntu9_amd64.so"})
p = remote("128.199.157.172", 20978)
libc = ELF("./libc6_2.31-0ubuntu9_amd64.so")
#p = process(proc_name)
#libc = ELF("/opt/glibc2.31/lib/libc.so.6")

## a.py
from pwn import *
import sys
from math import floor, ceil
from typing import AnyStr

# craft gif: http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html

ASCII_TO_INT: dict = {i.to_bytes(1, 'big'): i for i in range(256)}
INT_TO_ASCII: dict = {i: b for b, i in ASCII_TO_INT.items()}

## exploit.py
from pwn import *

context.terminal = "tmux splitw -h -f".split()
#p = process("./card")
#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False)
#libc.off_leak = 3889536

#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"})
p = remote("45.77.72.122", 9777)
libc = ELF("./libc.so.6", checksec=False)

## exploit.py
from pwn import *

context.terminal = "tmux splitw -h -f".split()
#p = process("./card")
#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False)
#libc.off_leak = 3889536

#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"})
p = remote("45.77.72.122", 9777)
libc = ELF("./libc.so.6", checksec=False)

## solve.py
#!/usr/bin/env python3
import gmpy2
import binascii

key = binascii.unhexlify("85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b".replace(":", ""))

def clamp(r):
    return r & 0x0ffffffc0ffffffc0ffffffc0fffffff

def poly_mac(msg, key):
	#define _GNU_SOURCE
	#include <err.h>
	#include <stdint.h>
	#include <linux/bpf.h>
	#include <linux/filter.h>
	#include <stdio.h>
	#include <unistd.h>
	#include <sys/syscall.h>
	#include <asm/unistd_64.h>
	#include <sys/types.h>
	#include <stdio.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <fcntl.h>
	#include <poll.h>
	#include <pthread.h>
	#include <unistd.h>
	#include <sys/ioctl.h>
	#include <sys/mman.h>
	#include <sys/syscall.h>
	// gcc -static -o exploit2 exploit2.c -lpthread
	// NOTE: compiling using uclibc to get small sized binary
	#include <stdio.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <fcntl.h>
	#include <poll.h>
	#include <pthread.h>
	#include <unistd.h>
	#include <sys/ioctl.h>
	opcode: 0xa
	if al >= 0x20
	int3()
	rdi = eax
	rsi = (rdi8 + rdi)8
	rdx = *(0x10400+rsi)
	*(rdx+0x40) = 1

	opcode: 0xb
	if al >= 0x20
	from pwn import *
	import random
	p = 0
	while True:
	try:
	# p = process("./blindshot")
	p = remote("pwn01.chal.ctf.westerns.tokyo", 12463)
	libc = ELF("./libc-2.31.so", checksec=False)
	off = 0xb80
	off = 0x8 \| off << 4
	from pwn import *
	from random import randint

	proc_name = "./tcache_king"
	context.terminal = "tmux splitw -h -f".split()
	#p = process(proc_name, env={"LD_PRELOAD":"./libc6_2.31-0ubuntu9_amd64.so"})
	p = remote("128.199.157.172", 20978)
	libc = ELF("./libc6_2.31-0ubuntu9_amd64.so")
	#p = process(proc_name)
	#libc = ELF("/opt/glibc2.31/lib/libc.so.6")
	from pwn import *
	import sys
	from math import floor, ceil
	from typing import AnyStr

	# craft gif: http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html

	ASCII_TO_INT: dict = {i.to_bytes(1, 'big'): i for i in range(256)}
	INT_TO_ASCII: dict = {i: b for b, i in ASCII_TO_INT.items()}
	from pwn import *

	context.terminal = "tmux splitw -h -f".split()
	#p = process("./card")
	#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False)
	#libc.off_leak = 3889536

	#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"})
	p = remote("45.77.72.122", 9777)
	libc = ELF("./libc.so.6", checksec=False)
	#!/usr/bin/env python3
	import gmpy2
	import binascii

	key = binascii.unhexlify("85:d6:be:78:57:55:6d:33:7f:44:52:fe:42:d5:06:a8:01:03:80:8a:fb:0d:b2:fd:4a:bf:f6:af:41:49:f5:1b".replace(":", ""))

	def clamp(r):
	return r & 0x0ffffffc0ffffffc0ffffffc0fffffff

	def poly_mac(msg, key):