Crackme (285pt) with valgrind
#!/usr/bin/python -u
#-*- coding:utf-8 -*-
# Let's exploit easy and quick!
# 1) apt install valgrind
# 2) use callgrind's total instruction count as a side channel: a byte-by-byte
#    compare that stops at the first mismatch executes more instructions the
#    more leading bytes of the guess are correct, so extend the flag one char at a time
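flag = ''  # recovered value: H4PPyW1THC0nCTF!


def _parse_collected(output):
    """Return the total instruction count from callgrind's summary.

    callgrind prints a line ``Collected : N`` (on stderr, merged into *output*
    here).  Raises RuntimeError when the marker is missing, which is what
    happens when valgrind itself or the target binary failed to start -- the
    original ``split(...)[1]`` died with an unhelpful IndexError instead.
    """
    _, marker, rest = output.partition("Collected : ")
    tokens = rest.split()
    if not marker or not tokens:
        raise RuntimeError(
            "no 'Collected :' line in valgrind output; tail was: %r" % output[-400:])
    return int(tokens[0])


def _count_instructions(guess, binary="./crackme", out_file="temp/call_count"):
    """Run *binary* under callgrind with *guess* on stdin; return instructions executed.

    The command is passed as an argv list, not through a shell, so *guess* may
    contain quotes, backticks or ``$`` without breaking the command line (the
    original built ``echo '<guess>'`` as a shell string, which a ``'`` in the
    charset would have broken out of).  The pipe holds the input until the
    program reads it, so the original ``sleep 0.5`` before echo is not needed.
    The directory for *out_file* is created if missing, since callgrind cannot
    write its dump otherwise.
    """
    import subprocess

    out_dir = os.path.dirname(out_file)
    if out_dir and not os.path.isdir(out_dir):
        os.makedirs(out_dir)
    cmd = ["valgrind", "--tool=callgrind", "--dump-instr=yes",
           "--callgrind-out-file=" + out_file, binary]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, universal_newlines=True)
    output, _ = proc.communicate(guess + "\n")
    return _parse_collected(output)


def _pick_highest(counts):
    """Choose the candidate with the highest instruction count.

    *counts* maps instruction count -> list of chars that produced it.
    Returns ``(char, highest_count, tied_chars)``; on a tie the first char
    tried wins, as in the original, but the full tie list is returned so the
    caller can warn -- a tie means the oracle did not discriminate.
    """
    highest = max(counts)
    tied = counts[highest]
    return tied[0], highest, tied


def recover_flag(charset, prefix='', max_len=None, oracle=_count_instructions):
    """Extend *prefix* one character at a time using the instruction-count oracle.

    For every position each char in *charset* is appended and *oracle* (by
    default a callgrind run of ./crackme) reports how many instructions the
    binary executed; the char with the highest count is taken as correct.
    Stops when every candidate yields the same count -- the compare no longer
    distinguishes guesses, so there is nothing left to leak -- or when the
    flag reaches *max_len* (None = unbounded).  The original looped forever
    and had to be killed by hand.  Returns the recovered string.
    """
    flag = prefix
    n = len(prefix)
    while max_len is None or n < max_len:
        n += 1
        counts = {}  # instruction count -> [chars that produced it]
        for ch in charset:
            count = oracle(flag + ch)
            counts.setdefault(count, []).append(ch)
            print(n, ch, count)
        if len(counts) == 1:
            break  # no signal at this position: oracle exhausted
        flag_char, highest, tied = _pick_highest(counts)
        if len(tied) > 1:
            print("position %d: %r share the highest count, taking %r" % (n, tied, flag_char))
        flag += flag_char
        print(n, counts, highest, flag)
    return flag


if __name__ == "__main__":
    # `charset` is expected to be defined earlier in the script.
    flag = recover_flag(charset, flag)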