M Ramdhan d4em0n

## exploit.c
// gcc -static -o exploit2 exploit2.c -lpthread
// NOTE: compiling using uclibc to get small sized binary
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <poll.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/ioctl.h>

## gist:a7e34486f38cce8070751c1b43c97839
opcode: 0xa
if al >= 0x20
    int3()
rdi = eax
rsi = (rdi*8 + rdi)*8
rdx = *(0x10400+rsi)
*(rdx+0x40) = 1

opcode: 0xb
if al >= 0x20

## run.py
from pwn import *
import random
p = 0
while True:
	try:
#		p = process("./blindshot")
		p = remote("pwn01.chal.ctf.westerns.tokyo", 12463)
		libc = ELF("./libc-2.31.so", checksec=False)
		off = 0xb80
		off = 0x8 | off << 4

## exploit.py
from pwn import *
from random import randint

proc_name = "./tcache_king"
context.terminal = "tmux splitw -h -f".split()
#p = process(proc_name, env={"LD_PRELOAD":"./libc6_2.31-0ubuntu9_amd64.so"})
p = remote("128.199.157.172", 20978)
libc = ELF("./libc6_2.31-0ubuntu9_amd64.so")
#p = process(proc_name)
#libc = ELF("/opt/glibc2.31/lib/libc.so.6")

## a.py
from pwn import *
import sys
from math import floor, ceil
from typing import AnyStr

# craft gif: http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html

ASCII_TO_INT: dict = {i.to_bytes(1, 'big'): i for i in range(256)}
INT_TO_ASCII: dict = {i: b for b, i in ASCII_TO_INT.items()}

## exploit.py
from pwn import *

context.terminal = "tmux splitw -h -f".split()
#p = process("./card")
#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False)
#libc.off_leak = 3889536

#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"})
p = remote("45.77.72.122", 9777)
libc = ELF("./libc.so.6", checksec=False)

## exploit.py
from pwn import *

context.terminal = "tmux splitw -h -f".split()
#p = process("./card")
#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False)
#libc.off_leak = 3889536

#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"})
p = remote("45.77.72.122", 9777)
libc = ELF("./libc.so.6", checksec=False)

## exploit.py
from pwn import *

# NOTE: libc offset might be different, i'm using my local libc instead of
# challenge libc
context.terminal = "tmux splitw -h -f".split()
p = process("./chall")

def goto(n):
	p.sendlineafter("#>", str(n))
	return

## Main.java
import java.lang.Math;
import java.util.ArrayList;

class Point {
    public double x;
    public double y;
    public Point(double x, double y) {
        this.x = x;
        this.y = y;
    }

## main.py
from math import *

#points = [(2,2),(3,4),(4,2),(5,4)]
points = []

def euclid_length(x1,y1,x2,y2):
    return sqrt((x1-x2)**2 + (y1-y2)**2)

def derivx_euclid_length(x1,y1,x2,y2):
    return (x1-x2)/sqrt((x1-x2)**2 + (y1-y2)**2)
	// gcc -static -o exploit2 exploit2.c -lpthread
	// NOTE: compiling using uclibc to get small sized binary
	#include <stdio.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <fcntl.h>
	#include <poll.h>
	#include <pthread.h>
	#include <unistd.h>
	#include <sys/ioctl.h>
	opcode: 0xa
	if al >= 0x20
	int3()
	rdi = eax
	rsi = (rdi8 + rdi)8
	rdx = *(0x10400+rsi)
	*(rdx+0x40) = 1

	opcode: 0xb
	if al >= 0x20
	from pwn import *
	import random
	p = 0
	while True:
	try:
	# p = process("./blindshot")
	p = remote("pwn01.chal.ctf.westerns.tokyo", 12463)
	libc = ELF("./libc-2.31.so", checksec=False)
	off = 0xb80
	off = 0x8 \| off << 4
	from pwn import *
	from random import randint

	proc_name = "./tcache_king"
	context.terminal = "tmux splitw -h -f".split()
	#p = process(proc_name, env={"LD_PRELOAD":"./libc6_2.31-0ubuntu9_amd64.so"})
	p = remote("128.199.157.172", 20978)
	libc = ELF("./libc6_2.31-0ubuntu9_amd64.so")
	#p = process(proc_name)
	#libc = ELF("/opt/glibc2.31/lib/libc.so.6")
	from pwn import *
	import sys
	from math import floor, ceil
	from typing import AnyStr

	# craft gif: http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html

	ASCII_TO_INT: dict = {i.to_bytes(1, 'big'): i for i in range(256)}
	INT_TO_ASCII: dict = {i: b for b, i in ASCII_TO_INT.items()}
	from pwn import *

	context.terminal = "tmux splitw -h -f".split()
	#p = process("./card")
	#libc = ELF("/opt/glibc2.31/lib/libc-2.31.so", checksec=False)
	#libc.off_leak = 3889536

	#p = process("./card", env={"LD_PRELOAD":"./libc.so.6"})
	p = remote("45.77.72.122", 9777)
	libc = ELF("./libc.so.6", checksec=False)
	from pwn import *

	# NOTE: libc offset might be different, i'm using my local libc instead of
	# challenge libc
	context.terminal = "tmux splitw -h -f".split()
	p = process("./chall")

	def goto(n):
	p.sendlineafter("#>", str(n))
	return
	import java.lang.Math;
	import java.util.ArrayList;

	class Point {
	public double x;
	public double y;
	public Point(double x, double y) {
	this.x = x;
	this.y = y;
	}
	from math import *

	#points = [(2,2),(3,4),(4,2),(5,4)]
	points = []

	def euclid_length(x1,y1,x2,y2):
	return sqrt((x1-x2)2 + (y1-y2)2)

	def derivx_euclid_length(x1,y1,x2,y2):
	return (x1-x2)/sqrt((x1-x2)2 + (y1-y2)2)