I hereby claim:
- I am bkth on github.
- I am bkth (https://keybase.io/bkth) on keybase.
- I have a public key ASBZHtze7NMvZErOr3XCmUGi5x41XbrfafPY4bJ7fVsfgAo
To claim this, I am signing this object:
#import <Foundation/Foundation.h>
#import <Cocoa/Cocoa.h>
@protocol NetStorageXPCObjectHandler
- (void)lock;
- (void)unlock;
- (void)deleteAllResponses;
- (void)dealloc;
@end

// JIT the target function that we will overwrite with our shellcode, even though W ^ X was already in HEAD when I wrote the exploit
// It was not enabled for the release version at the time
function yolo(o) {
    var tmp = o ** 2 + o;
    tmp *= 17;
    tmp += o ** 37;
    return tmp;
}
yolo(3);
yolo(4);

As was the case last year, this year's Insomni'hack featured a multi-player game and 3 challenges requiring us to hack the game in order to get the flags.
It was a Unity-based game written in C#; the core of the game logic was in Assembly-CSharp.dll, and I used dnSpy (https://github.com/0xd4d/dnSpy) to decompile the DLL, understand the logic and modify the game.
Nightcrawler:
This challenge required us to activate 4 buttons within a 6 second window. The game used a master client architecture where activating a button would trigger an RPC call to the master client, which would keep track of the challenges based

import sys
class Node(object):
    def __init__(self, name):
        self.name = name
        self.stmts = []
        self.successors = []

#!/usr/local/bin/python2
import time
import telnetlib
import sys
import binascii
import struct
import socket
import random
def randstr(length=10):

#!/usr/bin/python
import tempfile
import os
import string
import random
def randstr():
    return ''.join(random.choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(10))

# the check function is originally written in Python and was fed through grumpy, which is a Python-to-Go transpiler written by Google (open sourced on github)
# the main check function is ~2k+ lines but grumpy code has the somewhat general following pattern:
#   grumpy_Op()
#   if error:
#       multiple lines of crap and bailout
#   good path
# so we can go faster through it
# it checks first that our input contains 5 parts when split('-') is called
# then each part is checked to be 5 characters
# then it does some basic checking on the parts which are outlined below

#!/usr/bin/python
# Exploit for the BIN 300 (calculator) challenge during HITB AMS CTF
# We control 4 bytes every 8 bytes
# As Thumb instructions are 2 bytes, we can make the processor switch instruction set and use a shellcode
# that does one instruction and a short branch to skip the next dword
from unicorn import *
from unicorn.arm_const import *
from keystone import *

from z3 import *
f = open("source.c", "rb")
lines = f.read().split("\n")
input_byte = []