close(stdout)
→ nop
free
→ printf
do not sleep, just put value directly
Flag: ASIS{f18b0b4f1bc6c8af21a4a53ef002f9a2}
def rol(x, n, bits=32):
return (0xffffffff & (x << n)) | ((x & (0xffffffff << (bits - n))) >> (bits - n))
ans = 0xf1d833fd
return bytes.fromhex(hex(rol(ans ^ 0x64198234, 14))[2:])[::-1]
It's writing itself!
def bswap(n, bits=32):
ns = bytes.fromhex(hex(n)[2:].rjust(bits // 8, '0'))
return int(ns[::-1].hex(), 16)
def rol(x, n, bits=32):
return (0xffffffff & (x << n)) | ((x & (0xffffffff << (bits - n))) >> (bits - n))
a = 0xca9d63fe
a ^= 0x13373389
a = rol(a, 7)
a ^= 0xe5e5e5e5
a = bswap(a)
a ^= 0x3a29e87f
a = bswap(a)
a ^= 0x36478241
return bytes.fromhex(hex(a)[2:])[::-1]
nop jump 🤪
Decrypt code in .data
XORing with 0xcafebabe
Simply sum
Delete debugging protection
nop sleep
in got.plt!
sub_401560("8.8.8.8", 4343i64, &unk_408088);
0x00001234
Write ip somewhere else in .data
Change exponent to 1
Increase iteration count
Fix entry point to 0x1060
Change called function in main to one at 0x12c4
Nop conditional jumps
Change ctr call
Nop reboot
dart --disassemble solidartnost.jit
Change expected hash for 3rd question
wait...
Change device to /dev/LUL
Disable integrity check
Make __fxstat
to return info about stdin(0)
spbctf{1_am_the_m1gh7y_p4tch3r}