pwntools-level-2.5

Sangharsha

Objective:

This level requires you to write an assembly code snippet to meet the following condition to bypass the check, and use the asm API from pwntools to compile the assembly code and complete the challenge. The condition for this challenge is:

Write an `if` statement to set a specific stack memory area. (Refer to the `trace` method of the `ASMChallenge` class.)

In short:

We have to make the top of the stack equal to abs(the top of the stack). (Don't be confused by the wording; it becomes clear once you see the code.)

Core code:

```python
return self[self.init_rsp : self.init_rsp + 8] == (
    self.mem_rsp if self.mem_rsp < 0x8000000000000000 else 2**64 - self.mem_rsp
).to_bytes(8, "little")
```

Solution Code:

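```python
from pwn import *

context.arch = "amd64"
context.os = "linux"
context.log_level = "debug"

binary = "/challenge/pwntools-tutorials-level2.5"
p = process(binary)

payload = asm(
    "mov rax, [rsp];"   # load the 8 bytes at the top of the stack
    "test rax, rax;"    # set the sign flag from rax
    "jns done;"         # non-negative: skip the negation
    "neg rax;"          # negative: two's-complement negate
    "done:;"
    "mov [rsp], rax;"   # write the absolute value back
)

p.sendafter(b"Please give me your assembly in bytes", payload)
print(p.recvall().decode())
```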

Want to go hard, with raw shellcode?

One shot:

```bash
(echo -ne "\x48\x8B\x04\x24\x48\x85\xC0\x79\x03\x48\xF7\xD8\x48\x89\x04\x24"; cat) | /challenge/pwntools-tutorials-level2.5
```

```python
payload = (
    b"\x48\x8B\x04\x24"      # mov rax, [rsp]
    b"\x48\x85\xC0"          # test rax, rax
    b"\x79\x03"              # jns done (rel8 = 3, skips the 3-byte neg rax)
    b"\x48\xF7\xD8"          # neg rax
    b"\x48\x89\x04\x24"      # done: mov [rsp], rax
)
```

| Assembly | Bytes |
| --- | --- |
| mov rax, [rsp] | \x48\x8B\x04\x24 |
| test rax, rax | \x48\x85\xC0 |
| jns done (jump +3) | \x79\x03 |
| neg rax | \x48\xF7\xD8 |
| done: mov [rsp], rax | \x48\x89\x04\x24 |
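
An added example, not part of the original post: a pure-Python model of the five instructions above, checked against the core-code formula on constructed stack values, including 0x8000000000000000, where `neg` leaves the value unchanged. The names `run`, `expected`, `build` and `passes` are made up for this illustration; it also shows that the `jns` displacement has to be 3 (the length of `neg rax`) to land on the final `mov`.

```python
MASK = 2**64 - 1

# Encodings of the four non-branch instructions used in the post.
INSNS = {
    b"\x48\x8b\x04\x24": "load",   # mov rax, [rsp]
    b"\x48\x85\xc0": "test",       # test rax, rax
    b"\x48\xf7\xd8": "neg",        # neg rax
    b"\x48\x89\x04\x24": "store",  # mov [rsp], rax
}

def run(code: bytes, top: int) -> int:
    """Model the snippet with `top` stored at [rsp]; return the final [rsp]."""
    rax, sign, pc = 0, False, 0
    while pc < len(code):
        if code[pc] == 0x79:  # jns rel8: taken when the sign flag is clear
            rel = int.from_bytes(code[pc + 1:pc + 2], "little", signed=True)
            pc += 2 + (0 if sign else rel)
            continue
        enc = next((e for e in INSNS if code.startswith(e, pc)), None)
        if enc is None:  # the jump landed inside an instruction
            raise ValueError(f"offset {pc} is not a modelled instruction")
        op = INSNS[enc]
        if op == "load":
            rax = top
        elif op == "test":
            sign = bool(rax >> 63)   # SF = top bit of rax
        elif op == "neg":
            rax = (-rax) & MASK      # two's-complement negate, 64-bit wrap
        else:
            top = rax                # store back to [rsp]
        pc += len(enc)
    return top

def expected(top: int) -> int:
    """Value the challenge check compares [rsp] against (from the core code)."""
    return top if top < 0x8000000000000000 else 2**64 - top

def build(rel8: int) -> bytes:
    """Hypothetical helper: the byte sequence with a chosen jns displacement."""
    return (b"\x48\x8b\x04\x24" b"\x48\x85\xc0" + bytes([0x79, rel8])
            + b"\x48\xf7\xd8" b"\x48\x89\x04\x24")

# Constructed sample stack values, including the INT64_MIN edge case.
SAMPLES = [0, 5, 2**63 - 1, 2**64 - 5, 2**64 - 1, 2**63]

def passes(code: bytes) -> bool:
    return all(run(code, v) == expected(v) for v in SAMPLES)

if __name__ == "__main__":
    print(passes(build(3)))
```
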

Flag:
