Skip to content

Instantly share code, notes, and snippets.

@Boot-Error

Boot-Error/eternal_game_exploit.py

Last active March 22, 2020 11:00
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save Boot-Error/8d0f39d2fe8505e4ebba071dbb4f5411 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save Boot-Error/8d0f39d2fe8505e4ebba071dbb4f5411 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
eternal_game_exploit.py
from pwn import *
import hlextend
# high score + 1 from the game
HIGH_SCORE = 653086069891774904466108141306028536722619133805
# the proof taken by plauing game with initial multiplier of 6 because it is
# the first character in the high score number taken as string
SIGNATURE = "1ec356a3f23437e5350a1288a270bf221af33ec1c8b7d5147738e532534fb0b1ee5678e1cbba120b27b1d20c3ac5c2479be7b139b9181ead93fc841a50f8237b"
def gen_proof(secret_length=8):
sha = hlextend.new('sha512')
# the data to append is HIGH_SCORE + 1 and truncating the first digit as we
# already have the signature with the first character
# The secret_length is unknown but it seems it is not necessary in
# signature derivation
sha.extend(str(HIGH_SCORE)[1:],
'6',
secret_length,
SIGNATURE,
raw=False)
print("[*} Computed Hash ", sha.hexdigest(), ' with secret_length ',
secret_length)
return sha.hexdigest()
def run(conn, ss):
# select claim price
conn.send(b'2\n')
# send high score
conn.send(bytes(str(HIGH_SCORE)) + b'\n')
proof = gen_proof(secret_length=ss)
print(conn.recv())
# send the crafted proof
conn.send(bytes(proof))
print(conn.recv())
conn.send(b'\n')
print(conn.recv())
if __name__ == "__main__":
conn = remote("challenges.tamuctf.com", "8812")
# trying with different secret size, TODO figure this out
for i in range(1, 20):
run(conn, i)
conn.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment