mrT4ntr4/999_bottles_solve.py

## 999_bottles_solve.py
#Writeup : https://ctftime.org/writeup/17193

flag = ""
i=1
for x in range(1,1000):
    gdb.execute('set python print-stack full')
    gdb.execute('set confirm off')
    gdb.execute('file {:03}.c.out'.format(x))
    gdb.execute('b *main')
    gdb.execute('run < test')
    gdb.execute('record')
    gdb.execute('fin')
    gdb.execute('reverse-step')
    ret_addr = str(gdb.parse_and_eval('$eip')).split()[0]
    cmp_addr = str(hex(int(ret_addr,16)-67))
    print(ret_addr)
    print("CMP : "+ cmp_addr)
    gdb.execute('b *'+ cmp_addr)
    gdb.execute('run < test')
    gdb.execute('c')
    flag += chr(int(str(gdb.parse_and_eval('$eax')),16))
    print("FLAG : "+flag)
    gdb.execute('del {}-{}'.format(i,i+1))
    i+=2
	#Writeup : https://ctftime.org/writeup/17193

	flag = ""
	i=1
	for x in range(1,1000):
	gdb.execute('set python print-stack full')
	gdb.execute('set confirm off')
	gdb.execute('file {:03}.c.out'.format(x))
	gdb.execute('b *main')
	gdb.execute('run < test')
	gdb.execute('record')
	gdb.execute('fin')
	gdb.execute('reverse-step')
	ret_addr = str(gdb.parse_and_eval('$eip')).split()[0]
	cmp_addr = str(hex(int(ret_addr,16)-67))
	print(ret_addr)
	print("CMP : "+ cmp_addr)
	gdb.execute('b *'+ cmp_addr)
	gdb.execute('run < test')
	gdb.execute('c')
	flag += chr(int(str(gdb.parse_and_eval('$eax')),16))
	print("FLAG : "+flag)
	gdb.execute('del {}-{}'.format(i,i+1))
	i+=2