Bruno Keith bkth

@bkth
bkth / chakragraph.py
Last active August 30, 2018 16:21
quick and dirty prototype to generate a cfg from chakra jit output
import sys

class Node(object):
    def __init__(self, name):
        self.name = name
        self.stmts = []
        self.successors = []
@bkth
bkth / Insomnihack pwn arena
Last active April 27, 2020 07:08
Write-ups for the game challenges at Insomni'hack 2018 CTF
As was the case last year, this year's Insomni'hack featured a multi-player game and 3 challenges requiring us to
hack the game in order to get the flags.
It was a Unity-based game written in C#; the core of the game logic was in Assembly-CSharp.dll, and I used dnSpy
(https://github.com/0xd4d/dnSpy) to decompile the DLL, understand the logic and modify the game.
Nightcrawler:
This challenge required us to activate 4 buttons within a 6-second window. The game used a master client architecture
where activating a button would trigger an RPC call to the master client, which would keep track of the challenges based
@bkth
bkth / objc-rpc.m
Created March 20, 2018 15:11
remote procedure call example in obj-c for macOS services
#import <Foundation/Foundation.h>
#import <Cocoa/Cocoa.h>
@protocol NetStorageXPCObjectHandler
- (void)lock;
- (void)unlock;
- (void)deleteAllResponses;
- (void)dealloc;
@end
@bkth
bkth / doit.py
Created February 21, 2018 10:10
ctf template
#!/usr/local/bin/python2
import time
import telnetlib
import sys
import binascii
import struct
import socket
import random
def randstr(length=10):
@bkth
bkth / macosv9pwn.js
Last active May 8, 2020 03:45
exploit for saelo's challenge v9
// JIT the target function that we will overwrite with our shellcode, even though W ^ X was already in HEAD when I wrote the exploit
// It was not enabled for the release version at the time
function yolo(o) {
    var tmp = o ** 2 + o;
    tmp *= 17;
    tmp += o ** 37;
    return tmp;
}
yolo(3);
yolo(4);
@bkth
bkth / server.py
Created January 12, 2018 04:41
server for lfa during 34c3ctf
#!/usr/bin/python
import tempfile
import os
import string
import random
def randstr():
    return ''.join(random.choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(10))
@bkth
bkth / sakura.py
Created November 6, 2017 04:49
HITCON CTF 2017
from z3 import *
f = open("source.c", "rb")
lines = f.read().split("\n")
input_byte = []
@bkth
bkth / keybase.md
Created October 7, 2017 18:22
keybase.md

Keybase proof

I hereby claim:

  • I am bkth on github.
  • I am bkth (https://keybase.io/bkth) on keybase.
  • I have a public key ASBZHtze7NMvZErOr3XCmUGi5x41XbrfafPY4bJ7fVsfgAo

To claim this, I am signing this object:

@bkth
bkth / doit.py
Last active October 3, 2017 21:11
securimag's new year challenge: by an oversight from the author the git repo was publicly exposed, so this is a dirty script to rebuild the trees and get the sources
import os
import subprocess
def run_cmd(s):
    return subprocess.check_output(s.split())
@bkth
bkth / sniper.py
Created September 21, 2017 00:14
pointers sniper
import time
import telnetlib
import sys
import binascii
import struct
import socket
def info(s):
    print "[*] %s" % s