
Jinmo / mario.py
Created December 31, 2016 09:25
33c3 mario
import itertools
import struct
# Rotate left: 0b1001 --> 0b0011
def rol(val, r_bits, max_bits):
    # Rotate the low ``max_bits`` bits of ``val`` left by ``r_bits`` positions.
    # The rotation count is reduced modulo ``max_bits``; bits of ``val`` above
    # ``max_bits`` are masked off, so the result always fits in ``max_bits``.
    shift = r_bits % max_bits
    mask = (1 << max_bits) - 1
    high_part = (val << shift) & mask
    low_part = (val & mask) >> (max_bits - shift)
    return high_part | low_part
# Rotate right: 0b1001 --> 0b1100
ror = lambda val, r_bits, max_bits: \
Jinmo / jni_all.h
Created May 26, 2017 07:36
Useful when reversing JNI on IDA Pro
/*
* Copyright (c) 1996, 1998, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
Jinmo / README.md
Created August 7, 2017 01:02
Working on it

Disassembler

Let's make disassemblers easier.

1. Template parser

Templates should stay simple; let's keep it simple.

mov $reg, $reg
/*
first malloc(16) : 0x1a61450
eh.. and malloc(-1) : (nil)
second malloc(16) : 0x7fe57c0008c0
FYI, libc.so address is : 0x7fe5837dc000
let's calculate! : 0x7fe580000000
*/
#include <stdio.h>
#include <stdlib.h>
Jinmo / malloc.mmap.c
Last active September 16, 2017 06:15
munmap by heap (relative address!)
// How to call munmap(0x414141410000, 0x20000)
// : the hard way
// tested on 64bit ubuntu
// Matches the 0x20000 length in the header comment's munmap() example;
// presumably the length passed to munmap() in main() below (cut off here).
#define SIZE 0x20000
int main() {
long long chunk[3];
long long target;
target = 0x414141410000LL;
Jinmo / bpfparser.py
Created November 6, 2017 02:33
bpf parser & emulator.. which is not working properly
import struct
from z3 import *
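# bpf binary path; read via a context manager so the file handle is closed
# as soon as the bytes are in memory instead of leaking until GC.
with open('bpf', 'rb') as bpf_file:
    d = bpf_file.read()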
# The eight classic BPF instruction class names, in opcode-class order
# (LD=0 ... MISC=7).
clss = ['LD', 'LDX', 'ST', 'STX', 'ALU', 'JMP', 'RET', 'MISC']


def imm(x):
    # Render an immediate operand as '$' followed by its hex form.
    return '$' + hex(x)
abs = {
0: 0x1337
Jinmo / nope.c
Last active March 15, 2018 02:02
just another top chunk move
#include <stdio.h>
#include <stdlib.h>
// Four-word global: two zero words followed by two copies of buf's own
// address (a self-referential address constant). Presumably consumed by
// main() below, which is cut off in this view.
long buf[] = {0, 0, (long)buf, (long)buf};
int size = 200; // non-fastbin size
int main() {
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
Jinmo / literal.py
Created April 17, 2018 21:19
extensible literal_eval, which is a bit more dangerous
from ast import parse, iter_fields, AST
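class NotAllowedException(Exception):
    """Raised when an object is rejected for execution.

    ``cls`` is the rejected object (a class, going by the name); it is kept
    as an attribute and also handed to ``Exception`` so it appears in
    ``args`` and in the exception's repr, which the original skipped.
    """

    def __init__(self, cls):
        # Explicit two-argument super() keeps this valid on Python 2 as well.
        super(NotAllowedException, self).__init__(cls)
        self.cls = cls

    def __str__(self):
        return '%r is not allowed for execution' % self.cls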
Jinmo / gong-fu semi auto.py
Last active June 5, 2018 05:44
blazectf exploits (still uploading)
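# spectrogram: 7 rows of bits; each column, read top to bottom, is one
# 7-bit ASCII character.
s = '''1100110101100111111111011101111111011110110010001
0011001010011111111000100010000000100001001101111
1010001000110000101011101011101011110101111110111
0100010001010010101111011101100110001100000000111
1000111100000010010010111010111111010110100000011
0010100100110100101011011001110111000110010110110
0010000101100001011111001000101011100100101101001'''.split('\n')


def decode_columns(rows):
    """Decode a bit matrix given as equal-length strings of '0'/'1'.

    Column ``i`` is read top to bottom as a big-endian binary number and
    converted with ``chr``, so the result has one character per column.
    The row count is taken from ``rows`` rather than hard-coded to 7.
    An empty ``rows`` yields ''.
    """
    if not rows:
        return ''
    width = len(rows[0])
    return ''.join(
        chr(int(''.join(row[i] for row in rows), 2)) for i in range(width)
    )


# Parenthesised print works on both Python 2 and 3 for a single argument.
print(decode_columns(s))
print(len(s[0]))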