simple_rop_2 is fixed in a hacky way

388b2519 · GovanifY · 4355b0ad · 388b2519 · 388b2519
Commit 388b2519 authored 5 years ago by GovanifY
--- a/chals/simple_rop_2/setup.py
+++ b/chals/simple_rop_2/setup.py
@@ -3,14 +3,16 @@ import os
 import sys
                    # chals_out/chal_name/team_name so 3
 sys.path.insert(1, os.path.join(sys.path[0], '../../..'))
-from libchals import *
-from pwn import *
+import shutil
+from libchals import write_junk_calls, write_junk_body, fail_test
+from pwn import context, ELF, ROP, p64

 context.log_level = 'error'
 FNULL = open(os.devnull, 'w')

+def make_binary():
    # junk code generation
-write_junk_calls("main.c", 31, 2)
+    write_junk_calls("main.c", 31, 2, reset=True)
    write_junk_calls("main.c", 22)
    write_junk_body("main.c", 16)

@@ -18,7 +20,6 @@ subprocess.call("make", stdout=FNULL, stderr=FNULL)



-from pwn import *
    # input correction
    elf = ELF("simple_rop_2")
    rop = ROP(elf)
@@ -48,10 +49,21 @@ try:
    except Exception as e:
        output = str(e.output)
    if not flag in output:
-    fail_test()
-
+        return -1
+    else:
+        return 0

+while True:
+    shutil.copy("main.c", "main.c.org")
+    if(make_binary()==0):
+        break
+    else:
+        #fail_test()
+        # unstable binary simple_rop_2, retrying entropy until
+        # rng jesus is happy
+        shutil.copy("main.c.org", "main.c")
 os.remove("main.c")
+os.remove("main.c.org")
 os.remove("Makefile")
 os.remove("setup.py")
 # solution

--- a/libchals.py
+++ b/libchals.py
@@ -10,7 +10,10 @@ Some limitations:
    You must write junk code from bottom to top, aka first junk calls,
    then junk definition, from the bottom up.
 """
+
+HASH_ROUND=-1
 def rng(index):
+    global HASH_ROUND
    BUF_SIZE = 65536 
    sha2 = hashlib.sha256()

@@ -21,6 +24,8 @@ def rng(index):
                break
            sha2.update(data)
    hash_final=bytes.fromhex(sha2.hexdigest())
+    for i in range(0, HASH_ROUND):
+        hash_final=bytes.fromhex(hashlib.sha256(hash_final).hexdigest())
    rng=hash_final[index]
    return rng

@@ -226,7 +231,14 @@ VAR_NAME=(VAR_NAME/VAR_NAME)*2;

 fun_names=[]
 junk_called=0
-def write_junk_body(fd, line):
+def write_junk_body(fd, line, reset=False):
+    global junk_called
+    global fun_names 
+    global HASH_ROUND
+    if(reset==True):
+        fun_names=[]
+        junk_called=0
+        HASH_ROUND+=1
    # junk generator!!
    dont_gen_name=False
    junk_count=rng(0)%len(junk)
@@ -240,9 +252,15 @@ def write_junk_body(fd, line):
        write_line(fd, line,
                junk[junk_to_add].replace("FUNCTION_NAME",fun_names[i]))

-def write_junk_calls(fd, line, count=-1):
+def write_junk_calls(fd, line, count=-1, reset=False):
    # junk generator!!
    global junk_called
+    global fun_names 
+    global HASH_ROUND
+    if(reset==True):
+        fun_names=[]
+        junk_called=0
+        HASH_ROUND+=1 
    junk_count=rng(0)%len(junk)
    if(count==-1):
        count=junk_count+1