From 32c1a47905b5dd571dbe1697e469c35b72b9f41c Mon Sep 17 00:00:00 2001 From: haskal Date: Sun, 26 Jul 2020 02:54:33 -0400 Subject: [PATCH] fix source language --- 2020/3kctf/babym1ps/README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/2020/3kctf/babym1ps/README.md b/2020/3kctf/babym1ps/README.md index f14f8d3..23e48c8 100644 --- a/2020/3kctf/babym1ps/README.md +++ b/2020/3kctf/babym1ps/README.md @@ -22,7 +22,7 @@ you can manually reverse for the password, it's not super complicated but just t with using angr, i used angr. -``` +```python # idk what this is, it's not important p.hook(0x00400550, angr.SIM_PROCEDURES["stubs"]["Nop"]()) # shim other functions @@ -47,7 +47,7 @@ main based on the parameters and how they're used. i also recorded the values re of PRNG, probably `rand()` during a concrete execution and added a custom SimProcedure for that. the rest is straightforward -``` +```python # call main st = p.factory.call_state(0x004005e0) sm = p.factory.simulation_manager(st) @@ -62,7 +62,7 @@ be leaked by the `printf()` call for the username, since that will keep printing a null byte. the LSB of the cookie is always null, but by providing an overwrite of 1 char into the cookie we can leak the whole thing. just remember to set the null back with the next overwrite. -``` +```python log.info("performing stack leak") p.send("A" * 129) name = p.recvuntil("your pass") @@ -134,7 +134,7 @@ now it turns out the challenge author did it in 3 gadgets but weh. this also wor and here's the code -``` +```python log.info("performing attack") pwd = b"dumbasspassword" 
@@ -180,3 +180,12 @@ were run on a real MIPS board). the typical mitigation for this is to add additional ROP steps to call `sleep()` with a small value -- kernel context switching will flush the caches and then you'll be all set. + +## last word + +it's kinda ironic to me how the challenge is named such that it appears to be a `baby`-type +challenge but then it also only got 3 solves. i wouldn't say it's not fairly straightforward once +you get into it, but for me personally having to find gadgets by hand was a major time sink, and it +sucks that the ghidra scripts mostly failed to find stuff even though there _are_ lots of useful +gadgets in the binary. i mean c'mon it's static libc, of course there are useful gadgets. +🦈✨
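Review bot: in the first hunk (@@ -22,7) the `python` fence tag is correct, but the comment `# idk what this is, it's not important` above `p.hook(0x00400550, angr.SIM_PROCEDURES["stubs"]["Nop"]())` undersells the line: it replaces whatever is at 0x00400550 with angr's no-op SimProcedure so symbolic execution skips that function entirely. Since this commit is already touching the block, a comment like `# stub out the function at 0x00400550 with a no-op SimProcedure` would make the writeup easier to follow.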
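Review bot: in the stack-leak hunk (@@ -62,7) the constant in `p.send("A" * 129)` is unexplained in the code even though the prose above it says the leak works by overwriting exactly one char into the cookie's null LSB; a comment such as `# one byte past the buffer: clobbers the cookie's null LSB so printf leaks it` would tie the number to that explanation, and the prose reminder to "set the null back with the next overwrite" deserves the same comment on the restoring send.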
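Review bot: now that all four fences are tagged `python`, the attack hunk (@@ -134,7) introduces a bytes literal (`pwd = b"dumbasspassword"`) while the leak hunk sends and matches on str (`p.send("A" * 129)`, `p.recvuntil("your pass")`); pwntools accepts both, but anything that concatenates `pwd` with `name` or compares them will raise under Python 3, so pick one form (bytes is the safer choice for exploit payloads) and use it consistently across the blocks.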
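Review bot: the last hunk (@@ -180,3) adds a whole new `## last word` section, which the subject line "fix source language" does not mention; the commit message should say it also adds the closing remarks. In the new text, "i wouldn't say it's not fairly straightforward once you get into it" is a double negative that reads the opposite of what is meant; "it's fairly straightforward once you get into it" says it directly.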