# blazectf
I only solved the two magic challenges during this competition.
## magic-re
This was a pretty straightforward challenge that you don't need to understand the binary to do. IDA decompiler threw a weird error but let me see the code after decompiling the scanf function, although the decompiled code was faulty. I noticed it waslooping through your input string and doing a magic function and strcatting the output to a string at 0x31338000, and after several loops of this it compared the value there to some static values at a buffer at 0x3133a000. I didn't even look at the magic function and just decided to bruteforce the flag char by char, as since it was looping through your input in order you could just compare the string at 0x31338000 to the first few chars at 0x3133a000, breaking in gdb every time it did a strcat.

I used the script attached to kind of manually bruteforce the flag with gdb scripting-- the length of the output kept changing and I couldn't figure out why, so I just used x/700xw to print a bunch of values at each location, and compared the first few bytes of each output. This was annoying because some null bytes at the end were printed with 0x31338000 and I didn't know how much to truncate and didn't feel like parsing the output either, so I had to change the number of bytes I wanted to compare. One way to fix this is to write a parser for the x/xw output or just use x/xs. The flag is blaze{^_^ONE_BYTE_INSTRUCTION_FLAG_IZ_CLASSY_AND_FUN_B]}
## magic-pwn
It's pretty obvious we need to understand the magic function, and the overall binary, for this one :(. It seems it mmaps some executable memory at 0x31337000 and copies some code over (it copies one pop or push instruction of your choice and executes it in a sort of sandbox with a stack at 0x3133a000 and saves the registers for the next iteration of the code). Basically what I did was change this code to shellcode after doing some hackery with pop esp and changing the exit GOT to point to where it takes input for the instruction execution and the mmap function to point right after the memcpys in order to avoid weird errors.

How do you accomplish this though? It seemed difficult, but I realized the pop esp instruction would be key. I could push esp on stack and unalign esp to read the first x bytes of esp into the bottom x bytes of an arbitrary register. I could dec that value, push it back on the stack aligned with some other byte and shift esp again before pop esp to change esp to whatever I wanted. I did this to change esp to 0x804xxxx, byte by byte misaligned. But I also used this method to store the address of the places I wanted to edit the functions with and also 0x31337000 (to return to that area to do my shellcode) in other registers, allowing me to loop infinitely after changing both exit and mmap GOT functions to places within the binary. I then overwrote strcat with the address of just a ret instruction so it wouldn't overflow the mmap'ed area with trash data and cause a segfault by writing past the end of the mmap'ed area. Now I had true infinite looping, and just wrote shellcode byte by byte using misaligned pushing to esp after the end of the mmap'ed code, then overwriting the jmp address at the end of the code at 0x31337000 to jmp to my shellcode and get a shell.