pwntools-level-2.0

Sangharsha

Objective:

Write an assembly snippet that satisfies the condition below so the check passes, and use the asm API from pwntools to assemble it and complete the challenge. The condition for this challenge is:

rax = 0x12345678

Core source code:

def trace(self):
    self.start()
    return self.rax == 0x12345678

# ... and, in the method that runs the challenge:

for i in md.disasm(self.asm, self.CODE_ADDR):
    print("0x%x:\t%-6s\t%s" % (i.address, i.mnemonic, i.op_str))
print("--------------------------------------")

try:
    won = self.trace()
except Exception as e:
    print(f"ERROR: {e}")
    won = False

if won:
    print(open("/flag").read())
else:
    print("Sorry, no flag :(.")
    print_exit()
return won

What’s happening:

  • self.start() runs the submitted bytes in the emulator: emu_start(begin=0x400000, until=0x400000 + payload_len).

  • After it finishes, the emulator checks if rax == 0x12345678.

  • If true → flag.

  • If not, or if your code crashes → no flag.

  • Only RAX is checked. There is no expectation about program flow, return values or a clean exit; the code just has to set RAX to win.

Solution:

from pwn import *

def print_lines(io):
    info("Printing io received lines")
    while True:
        try:
            line = io.recvline()
            success(line.decode())
        except EOFError:
            break
# Set architecture, os and log level
context(arch="amd64", os="linux", log_level="info")
# Path to the binary
challenge_path = "/challenge/pwntools-tutorials-level2.0"
p = process(challenge_path)
payload = asm("mov rax, 0x12345678")
p.sendafter("Please give me your assembly in bytes", payload)
# Print output
print_lines(p)

Flag:

I wondered why int3 didn't work and asked an AI, as my first payload was payload = asm("mov rax, 0x12345678;int3"), and it gave me a short answer: no interrupt handling is defined.

Likewise, ret doesn't work here because ret needs a stack to work.


Written by Sangharsha, aspiring developer and security enthusiast.