bkth / grumpcheck.py
Created September 17, 2017 20:03
CSAW_2017_CTF (prophecy, grumpcheck, pilot, scv)
# the check function was originally written in Python and fed through grumpy, a Python-to-Go transpiler written by Google (open sourced on GitHub)
# the main check function is ~2k+ lines, but grumpy-generated code generally follows this pattern:
# grumpy_Op()
# if error:
# multi line of crap and bailout
# good path
# so we can go faster through it
# it first checks that our input contains 5 parts when split('-') is called
# then each part is checked to be 5 characters long
# then it does some basic checking on the parts which are outlined below
bkth / ascii_art.py
Last active September 4, 2017 15:58
TW17 CTF
import time
import telnetlib
import sys
import binascii
import struct
import socket
# OOB access inside the ascii art table with \x7f letting us access the first 6 qwords of our input
# overwrite return address on stack to make ESP point to our buffer which jumps to system@plt with the stack setup
bkth / rhme3exploit.py
Created September 1, 2017 23:05
rhme3 exploit chall
import time
import telnetlib
import sys
import binascii
import struct
import socket
HOST = "127.0.0.1" if len(sys.argv) < 2 else sys.argv[1]
PORT = 1337 if len(sys.argv) < 2 else int(sys.argv[2])
TARGET = (HOST, PORT)
bkth / decode.py
Created July 9, 2017 09:10
kompreplicants tower of hanoi
# the encoding is
# first four bits are the depth in the tree encoded
# the next 8 bits are the encoded character
# the next X bits are the position in the tree, where X is the depth given by the first four bits
# The file has the following structure
# Each tree node encoded + 4 bits set to zero + each original character encoded by its position in the tree + few bits at the end
# Accumulator for the decoded bit stream; presumably filled from the input file by the code that follows (not shown in this preview) — confirm against the full gist.
bits = []
bkth / calculator_exploit.py
Last active November 11, 2017 12:42
exploit for bin 300 HITB AMS (calculator)
#!/usr/bin/python
# Exploit for the BIN 300 (calculator) challenge during HITB AMS CTF
# We control 4 bytes every 8 bytes
# As Thumb instructions are 2 bytes we can make the processor switch instruction set and use a shellcode
# that does one instruction and a short branch to skip the next dword
from unicorn import *
from unicorn.arm_const import *
from keystone import *
bkth / skybot_exploit.py
Last active March 26, 2017 22:27
exploit script for skybot (insomnihack ctf 2017)
#!/usr/bin/python
from pwn import *
import time
def recv_menu():
    """Read from the global connection ``s`` until the ``'>>> '`` prompt appears.

    Returns whatever ``s.recvuntil`` returns; ``s`` is created elsewhere in
    the script (presumably a pwntools tube — confirm in the full gist).
    """
    prompt = '>>> '
    return s.recvuntil(prompt)