PwnThyBytes 2019 CTF - unconventional
# Trace one run of the binary with "pass" on stdin into the file named by $TRACE.
# NOTE(review): `-x` normally takes a gdb script path; here it is followed by
# `-batch`, so the script name (the tracer below) appears to have been elided
# from the writeup — confirm the real invocation before reusing this line.
echo pass | TRACE=trace1 time gdb -x -batch ./unconventional >/dev/null
Runs in about one minute.
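import gdb, re, os, sys

# Instruction-level trace of the inferior: at every step, append the seven
# registers below, EFLAGS and the disassembly of the instruction at $pc to the
# file named by the TRACE environment variable.
# NOTE(review): the listing contains no `run`; the inferior is presumably
# already running when this loop starts — confirm against the real invocation.
gdb.execute('break *0x40542f')

# Registers dumped on every step, in this order.
REGS = ("rax", "rbx", "rsp", "rdi", "rsi", "rdx", "rcx")


def dump_state(f):
    """Write one step's register values, EFLAGS and current instruction to f."""
    for reg in REGS:
        val = gdb.execute('p/x $%s' % reg, to_string=True).strip()
        f.write("%s: " % reg + val + "\n")
    flags = gdb.execute('info registers eflags', to_string=True).strip()
    f.write("flags: " + flags + "\n")
    insn = gdb.execute('x /i $pc', to_string=True).rstrip('\n')
    f.write(insn + "\n")


# `with` flushes and closes the trace however the loop ends; the original left
# the handle open and relied on interpreter shutdown to flush it.
with open(os.environ["TRACE"], "w") as f:
    while True:
        try:
            dump_state(f)
            gdb.execute('stepi', to_string=False)
        except gdb.error as e:
            # gdb raises gdb.error when there is nothing left to read or step
            # (e.g. the inferior has exited): end the trace cleanly rather than
            # with a traceback, but say why it stopped.
            sys.stderr.write("trace stopped: %s\n" % e)
            break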
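import gdb, re, os, sys

# Addresses at which rbx holds the next 32-bit chunk of the value under
# inspection; printed as 8 hex digits each, the seven chunks form the 56-digit
# string the driver script compares against its `target`.
# NOTE(review): the pasted listing lost this list's closing bracket and,
# apparently, the loop exit after the last chunk; both are restored here,
# since the driver's int(err, 16) only parses cleanly if the script stops
# stepping after the last chunk instead of dying with a traceback.
bp = [
    0x403eae, 0x4041fc, 0x404562, 0x4048c0,
    0x404c1e, 0x404f7c, 0x4052da,
]
gdb.execute('break *0x40542f')
gdb.execute('hbreak *0x403eae')

# Single-step, emitting rbx (no newline) to stderr at each listed address.
while True:
    pc = gdb.selected_frame().pc()
    if pc in bp:
        rbx = int(gdb.parse_and_eval('$rbx'))
        print("%08x" % rbx, file=sys.stderr, end="")
        if pc == bp[-1]:
            # Last chunk printed: stop stepping so stderr holds only the hex.
            break
    gdb.execute('si', to_string=False)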
from __future__ import print_function, division
from subprocess import Popen, PIPE
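def get(s):
    """Run the binary under gdb with input ``s`` and return gdb's stderr, stripped.

    The gdb script prints the chunks it observes to stderr, so that stream is
    the result; stdout is drained and discarded.

    Args:
        s: raw bytes fed to the inferior's stdin (a ``str`` under Python 2).

    Returns:
        gdb's stderr with surrounding whitespace removed (``bytes`` under
        Python 3, ``str`` under Python 2) — hex digits when the run succeeds.
    """
    # Argument list instead of shell=True: the same four arguments reach gdb,
    # without routing the command line through /bin/sh.
    # NOTE(review): `-x ./unconventional` passes the binary itself as the gdb
    # command file; the writeup presumably elided the script path — confirm.
    p = Popen(
        ["gdb", "-x", "./unconventional", "-batch"],
        stderr=PIPE, stdout=PIPE, stdin=PIPE)
    out, err = p.communicate(s)
    return err.strip()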
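# Expected 56-hex-digit output: seven 8-digit chunks printed by the gdb script.
target = int("7f7f7f805bdbd764fecac28069b5bd908ac68ad861819da67ffffffe", 16)

# Recover the 32-byte input one bit at a time: feed an input with a single bit
# set and keep that bit iff the resulting output shares a set bit with target.
# This only recovers the input if each input bit influences the output on its
# own (no mixing between bits); the loop below does not check that.
res = [0] * 32
for i in range(32):
    for j in range(8):
        # bytearray -> bytes works on both Python 2 and 3 (the original built
        # the probe with chr()/join, which is Python 2 only).
        probe = bytearray(32)
        probe[i] = 1 << j
        h = get(bytes(probe))
        if isinstance(h, bytes):
            # Python 3: Popen yields bytes; normalise so the text ops below work.
            h = h.decode("ascii", "replace")
        v = int(h, 16)
        # Dots for zero digits make the set bits easy to spot by eye.
        print("%2d %d:" % (i, j), h.replace("0", "."))
        if target & v:
            res[i] |= 1 << j
# repr() replaces the Python 2-only backtick syntax of the original.
print(repr("".join(map(chr, res))))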