update 6.2.5

2025-06-24 04:05:03 +07:00 · 2017-12-06 17:19:49 +08:00
parent f635c36e5f
commit 7b743fc91e
4 changed files with 326 additions and 5 deletions
--- a/src/writeup/6.2.5_re_picoctf2014_baleful/baleful_unpack
+++ b/src/writeup/6.2.5_re_picoctf2014_baleful/baleful_unpack
--- a/src/writeup/6.2.5_re_picoctf2014_baleful/exp_pin.py
+++ b/src/writeup/6.2.5_re_picoctf2014_baleful/exp_pin.py
@ -0,0 +1,23 @@
+import os
+
+def get_count(flag):
+    cmd = "echo " + "\"" + flag + "\"" + " | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack"
+    os.system(cmd)
+    with open("inscount.out") as f:
+        count = int(f.read().split(" ")[1])
+    return count
+
+charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-+*'"
+
+flag = list("A" * 30)
+p_count = get_count("".join(flag))
+for i in range(30):
+    for c in charset:
+        flag[i] = c
+        print("".join(flag))
+        count = get_count("".join(flag))
+        print("count: ", count)
+        if count != p_count:
+            break
+    p_count = count
+print("password: ", "".join(flag))
--- a/src/writeup/6.2.5_re_picoctf2014_baleful/exp_pin_len.py
+++ b/src/writeup/6.2.5_re_picoctf2014_baleful/exp_pin_len.py
@ -0,0 +1,21 @@
+import os
+
+def get_count(flag):
+    cmd = "echo " + "\"" + flag + "\"" + " | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack"
+    os.system(cmd)
+    with open("inscount.out") as f:
+        count = int(f.read().split(" ")[1])
+    return count
+
+flag = "A"
+p_count = get_count(flag)
+for i in range(50):
+    flag += "A"
+    count = get_count(flag)
+    print("count: ", count)
+    diff = count - p_count
+    print("diff: ", diff)
+    if diff != 794:
+        break
+    p_count = count
+print("length of password: ", len(flag))