Last active
December 15, 2017 09:17
Flagy WriteUp PIC
from pwn import * | |
#context.log_level = 'debug' | |
# Generator state shared by Set6b33() (which seeds it) and Rand() (which
# advances it).
SEED = 0
def Set6b33(R0):
    """Seed the module-level generator state from ``R0``.

    The state becomes ``R0`` plus the number of integers ``i`` in
    ``range(R0)`` whose low four bits equal 1.  The result is stored in the
    global ``SEED``; nothing is returned.
    """
    global SEED
    # ((i << 0x17) & 0x7ffffff) >> 0x17 keeps bits 0-3 of i: the mask is 27
    # bits wide, so only four bits survive the shift up and back down.
    bumps = sum(
        1 for i in range(R0)
        if ((i << 0x17) & 0x7ffffff) >> 0x17 == 1
    )
    SEED = R0 + bumps
def Rand():
    """Advance the global ``SEED`` one step and return one output byte.

    The update is a linear congruential step: multiply by ``0x1C64E6D``,
    keep the low 27 bits, then add ``0x3039``.  The returned value is bits
    16-23 of the new state.  Every output is a pure function of the
    starting ``SEED``, so the stream is reproducible by anyone who knows it.
    """
    global SEED
    product = SEED * 0x1C64E6D
    # The increment is added after masking, so the stored state is not
    # itself reduced to 27 bits.
    SEED = (product & 0x7FFFFFF) + 0x3039
    return (SEED >> 0x10) & 0xff
# This seed is used because the flag starts with "CR{".
Set6b33(0xa443)
""" | |
Convert an int to 9-bit bytes in middle-endian order
""" | |
def int2mid(inp):
    """Split ``inp`` into three 9-bit fields in middle-endian order.

    Returns ``[middle, high, low]``: bits 9-17, then bits 18-26, then
    bits 0-8.  Bits above 26 are ignored.
    """
    high, middle, low = [(inp >> shift) & 0x1ff for shift in (18, 9, 0)]
    return [middle, high, low]
""" | |
convert 9bits byte to 8bits byte
: encode client's packet | |
args: | |
inp -> list | bytearray | |
return: | |
list | |
todo: make 3bytes align | |
""" | |
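def conv928(inp):
    """Pack 9-bit symbols into 8-bit octets (encodes a client packet).

    Each value is written as nine bits, most significant bit first, the
    bits are concatenated, and the stream is cut into octets.  A final
    partial octet is padded on the right with zero bits.

    Args:
        inp: iterable of ints in ``0..0x1ff`` (a list or a bytearray).

    Returns:
        list of ints in ``0..0xff``.

    Raises:
        ValueError: if a value does not fit in nine bits.  ``'{:09b}'``
            would otherwise emit more than nine characters (or a sign) and
            shift every later symbol out of alignment.
    """
    fields = []
    for p in inp:
        if not 0 <= p <= 0x1ff:
            raise ValueError('value does not fit in 9 bits: %r' % (p,))
        fields.append('{:09b}'.format(p))
    # join instead of repeated += keeps packing linear in the input size.
    binary = ''.join(fields)
    # range() rather than xrange() so the helper also runs on Python 3.
    return [
        int(binary[i:i + 8].ljust(8, '0'), 2)
        for i in range(0, len(binary), 8)
    ]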
""" | |
convert 8bits byte to 9bits byte | |
: decode server's packet | |
args: | |
inp -> list | bytearray | |
""" | |
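def conv829(inp):
    """Unpack 8-bit octets into 9-bit symbols (decodes a server packet).

    Each octet is written as eight bits, most significant bit first, the
    bits are concatenated, and the stream is cut into 9-bit symbols.  A
    final partial symbol is padded on the right with zero bits, so the
    output can end with a symbol that is padding rather than payload.

    Args:
        inp: iterable of ints in ``0..0xff`` (a list or a bytearray).

    Returns:
        list of ints in ``0..0x1ff``.

    Raises:
        ValueError: if a value does not fit in eight bits.  ``'{:08b}'``
            would otherwise emit more than eight characters (or a sign) and
            shift every later symbol out of alignment.
    """
    fields = []
    for p in inp:
        if not 0 <= p <= 0xff:
            raise ValueError('value does not fit in 8 bits: %r' % (p,))
        fields.append('{:08b}'.format(p))
    # join instead of repeated += keeps unpacking linear in the input size.
    binary = ''.join(fields)
    # range() rather than xrange() so the helper also runs on Python 3.
    return [
        int(binary[i:i + 9].ljust(9, '0'), 2)
        for i in range(0, len(binary), 9)
    ]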
def rv():
    """Receive one chunk from the connection ``s`` and decode it.

    The raw octets are unpacked into 9-bit symbols with ``conv829``, echoed
    to stdout, and returned as a list of ints.
    """
    symbols = conv829(bytearray(s.recv()))
    # NOTE(review): p8 packs one 8-bit value, so a symbol above 0xff
    # presumably raises here -- confirm before relying on this helper.
    text = ''.join(p8(sym) for sym in symbols)
    print(text)
    return symbols
def s9(dat):
    """Send ``dat`` plus a trailing newline as packed 9-bit symbols.

    Each byte of the text becomes one 9-bit symbol, the symbols are packed
    into octets by ``conv928``, and the octets are written to ``s``.
    """
    packed = conv928(bytearray(dat+'\n'))
    s.send(bytearray(packed))
# Reproduce the key stream locally: 0x21 outputs of the seeded generator.
RANDKEY = [Rand() for i in range(0x21)]

s = remote('43.224.34.200',14200)
s.recv()  # the first message from the service is read and not used
s.sendline(bytearray(conv928(RANDKEY)))

# NOTE(review): one recv() returns only what has arrived so far; if the
# reply is split across reads, KEY comes out short and the indexing below
# raises IndexError -- confirm the reply always fits one read.
K = s.recv()
KEY = conv829(bytearray(K))

# XOR the local stream with the decoded reply, symbol by symbol.
FLAG = "".join(chr(RANDKEY[i] ^ KEY[i]) for i in range(len(RANDKEY)))
print(FLAG)
s.close()