
Bruno Keith bkth

@bkth
bkth / objc-rpc.m
Created March 20, 2018 15:11
remote procedure call example in obj-c for macOS services
#import <Foundation/Foundation.h>
#import <Cocoa/Cocoa.h>
@protocol NetStorageXPCObjectHandler
- (void)lock;
- (void)unlock;
- (void)deleteAllResponses;
- (void)dealloc;
@end
bkth / macosv9pwn.js
Last active May 8, 2020 03:45
exploit for saelo's challenge v9
// JIT the target function that we will overwrite with our shellcode, even though W ^ X was already in HEAD when I wrote the exploit.
// It was not enabled for the release version at the time.
function yolo(o) {
    var tmp = o ** 2 + o;
    tmp *= 17;
    tmp += o ** 37;
    return tmp;
}
yolo(3);
yolo(4);
bkth / Insomnihack pwn arena
Last active April 27, 2020 07:08
Write-ups for the game challenges at Insomni'hack 2018 CTF
As was the case last year, this year's Insomni'hack featured a multi-player game and 3 challenges requiring us to
hack the game in order to get the flags.
It was a Unity-based game written in C#; the core of the game logic was in Assembly-CSharp.dll, and I used dnSpy
(https://github.com/0xd4d/dnSpy) to decompile the DLL, understand the logic and modify the game.
Nightcrawler:
This challenge required us to activate 4 buttons within a 6-second window. The game used a master-client architecture
where activating a button would trigger an RPC call to the master client, which would keep track of the challenges based
bkth / chakragraph.py
Last active August 30, 2018 16:21
quick and dirty prototype to generate a cfg from chakra jit output
import sys

class Node(object):
    def __init__(self, name):
        self.name = name
        self.stmts = []
        self.successors = []
bkth / doit.py
Created February 21, 2018 10:10
ctf template
#!/usr/local/bin/python2
import time
import telnetlib
import sys
import binascii
import struct
import socket
import random
def randstr(length=10):
bkth / server.py
Created January 12, 2018 04:41
server for lfa during 34c3ctf
#!/usr/bin/python
import tempfile
import os
import string
import random
def randstr():
    return ''.join(random.choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(10))
bkth / grumpcheck.py
Created September 17, 2017 20:03
CSAW_2017_CTF (prophecy, grumpcheck, pilot, scv)
# the check function is originally written in Python and was fed through grumpy, a Python-to-Go transpiler written by Google (open sourced on GitHub)
# the main check function is ~2k+ lines, but grumpy code has the somewhat general following pattern:
# grumpy_Op()
# if error:
#     multi line of crap and bailout
# good path
# so we can go faster through it
# it checks first that our input contains 5 parts when split('-') is called
# then each part is checked to be 5 characters
# then it does some basic checking on the parts, which are outlined below
bkth / calculator_exploit.py
Last active November 11, 2017 12:42
exploit for bin 300 HITB AMS (calculator)
#!/usr/bin/python
# Exploit for the BIN 300 (calculator) challenge during HITB AMS CTF
# We control 4 bytes every 8 bytes
# As Thumb instructions are 2 bytes we can make the processor switch instruction set and use a shellcode
# that does one instruction and a short branch to skip the next dword
from unicorn import *
from unicorn.arm_const import *
from keystone import *
bkth / sakura.py
Created November 6, 2017 04:49
HITCON CTF 2017
from z3 import *
f = open("source.c", "rb")
lines = f.read().split("\n")
input_byte = []
bkth / keybase.md
Created October 7, 2017 18:22
keybase.md

Keybase proof

I hereby claim:

  • I am bkth on github.
  • I am bkth (https://keybase.io/bkth) on keybase.
  • I have a public key ASBZHtze7NMvZErOr3XCmUGi5x41XbrfafPY4bJ7fVsfgAo

To claim this, I am signing this object: