Barakat · February 9, 2020 21:04
diff --git a/year3000.py b/year3000.py
 import base64
 import struct

 from pwn import *

 def parse_x64(filename):
 	with open(filename, 'rb') as fp:
 		fp.seek(0x820)
 		character = fp.read(1)
 		fp.seek(0x819)
 		size = fp.read(1)
 		fp.seek(0x1010)
 		rand = fp.read(8)
 		return bytes(character * struct.unpack('B', size)[0]) + rand

 def parse_x86(filename):
 	with open(filename, 'rb') as fp:
 		fp.seek(0x668)
 		character = fp.read(1)
 		fp.seek(0x661)
 		size = fp.read(1)
 		fp.seek(0x1008)
 		rand = fp.read(4)
 		return bytes(character * struct.unpack('B', size)[0]) + rand


 def parse(filename):
 	with open(filename, 'rb') as fp:
 		fp.seek(4)
 		if fp.read(1) == '\x01':
 			return parse_x86(filename)
 		return parse_x64(filename)

 conn = remote('re.ctf.nullcon.net', 1234)

 while True:
 	r = conn.recvline().strip()
 	print(r)
 	if r.startswith('hackim20'):
 		break
 	conn.recvuntil('> ')
 	conn.sendline(base64.b64encode(parse(r)))

 	print(conn.recvline())

 conn.close()
	import base64
	import struct

	from pwn import *

	def parse_x64(filename):
	with open(filename, 'rb') as fp:
	fp.seek(0x820)
	character = fp.read(1)
	fp.seek(0x819)
	size = fp.read(1)
	fp.seek(0x1010)
	rand = fp.read(8)
	return bytes(character * struct.unpack('B', size)[0]) + rand

	def parse_x86(filename):
	with open(filename, 'rb') as fp:
	fp.seek(0x668)
	character = fp.read(1)
	fp.seek(0x661)
	size = fp.read(1)
	fp.seek(0x1008)
	rand = fp.read(4)
	return bytes(character * struct.unpack('B', size)[0]) + rand


	def parse(filename):
	with open(filename, 'rb') as fp:
	fp.seek(4)
	if fp.read(1) == '\x01':
	return parse_x86(filename)
	return parse_x64(filename)

	conn = remote('re.ctf.nullcon.net', 1234)

	while True:
	r = conn.recvline().strip()
	print(r)
	if r.startswith('hackim20'):
	break
	conn.recvuntil('> ')
	conn.sendline(base64.b64encode(parse(r)))

	print(conn.recvline())

	conn.close()