Bien Pham kungfulon

## CryptoUnlocker.py
#!/usr/bin/env python3

import sys
import struct
import glob
import os
import tempfile
import subprocess

PRIVATE_KEY_PATH = '/tmp/private_key.pem'

## RezExtractor.cpp
#include <iostream>
#include <fstream>
#include <algorithm>
#include <experimental/filesystem>
#include <cstdlib>

using namespace std;

typedef unsigned int DWORD;
typedef unsigned char BYTE;

## ida_1491.txt
// Source: https://github.com/vdisasm/ScyllaHideForIda7
// Patch win32_user.dll
unsigned char pattern[6] =
{
  0x49, 0x83, 0xFB, 0x02, // cmp     r11, 2
  0x72, 0x20              // jb      +0x20
};

unsigned char JmpRel = 0xEB;

## +writeup.md

      
              5 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                kungfulon
                / +writeup.md
            
            
              Last active
              January 7, 2020 06:55
            
          
    acm01

Use dynamic programming:
ans[i] = 0 # i < 4
ans[i] = ans[i - 1] + (i - 1) * (i - 1) // 4 - (i - (i // 2 + 1)) # i >= 4
acm02


## hash.cpp
class Hash {
public:
    Hash(const std::string &s) : hash1(s.size() + 1), hash2(s.size() + 1) {
        if (base == -1) {
            base = genBase(minBase, mod);
            pow1.push_back(1);
            pow2.push_back(1);
        }

        while (pow1.size() <= s.size()) {

## rps.py
#!/usr/bin/env python3

from pwn import *
import ctypes

context.os = 'linux'
context.arch = 'amd64'

LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc-2.27.so')

## stage_1_2.py
#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'

b = ELF('./sandboxd')
l = ELF('./libc-2.31.so')
context.terminal = ['tmux', 'sp', '-h', '-p', '80']

## secret_keeper.py
#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'
context.terminal = ['tmux', 'sp', '-v', '-p', '90']

b = ELF('./secret_keeper')
l = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')

## ex.py
#!/usr/bin/env python3

from pwn import *

context.os = 'linux'
context.arch = 'amd64'
context.terminal = ['tmux', 'new-window']

l = ELF('./libc-2.31.so')

## csgo.md

      
              2 files
            
          
              0 forks
            
          
              0 comments
            
          
              5 stars
            
          
                kungfulon
                / csgo.md
            
            
              Created
              September 6, 2021 07:30
            
              
                ALLES! CTF 2021 - 🔥 Counter Strike: Squirrel Offensive
              
          
    🔥 Counter Strike: Squirrel Offensive

This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug.
UAF by resizing array in sort compare function

The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort:
// v: VM, o: array object, func: compare func
	#!/usr/bin/env python3

	import sys
	import struct
	import glob
	import os
	import tempfile
	import subprocess

	PRIVATE_KEY_PATH = '/tmp/private_key.pem'
	#include <iostream>
	#include <fstream>
	#include <algorithm>
	#include <experimental/filesystem>
	#include <cstdlib>

	using namespace std;

	typedef unsigned int DWORD;
	typedef unsigned char BYTE;
	// Source: https://github.com/vdisasm/ScyllaHideForIda7
	// Patch win32_user.dll
	unsigned char pattern[6] =
	{
	0x49, 0x83, 0xFB, 0x02, // cmp r11, 2
	0x72, 0x20 // jb +0x20
	};

	unsigned char JmpRel = 0xEB;
	class Hash {
	public:
	Hash(const std::string &s) : hash1(s.size() + 1), hash2(s.size() + 1) {
	if (base == -1) {
	base = genBase(minBase, mod);
	pow1.push_back(1);
	pow2.push_back(1);
	}

	while (pow1.size() <= s.size()) {
	#!/usr/bin/env python3

	from pwn import *
	import ctypes

	context.os = 'linux'
	context.arch = 'amd64'

	LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc-2.27.so')