Skip to content

Instantly share code, notes, and snippets.

@kurgm

kurgm/0_juggle.md

Created December 30, 2018 05:38
Show Gist options
  • Save kurgm/7be93f17eaeba37beee890d3958cdb78 to your computer and use it in GitHub Desktop.
Save kurgm/7be93f17eaeba37beee890d3958cdb78 to your computer and use it in GitHub Desktop.
Download ZIP
Solution for 35C3 CTF juggle
Raw
0_juggle.md 
$ ./as.py < solution.s > solution.xml
$ nc 35.246.237.11 1 < solution.xml
Reading input document from stdin...
<?xml version="1.0" encoding="UTF-8"?><all><flag>35C3_The_chef_gives_you_his_compliments</flag></all>
Raw
1_solution.s
# for (i = 5; i; i--) {
# // target = ????;
# lo = 0;
# hi = 4294967296;
# do {
# mid = (lo + hi) / 2;
# if (mid > target) {
# hi = mid;
# } else {
# lo = mid;
# }
# } while (hi - lo > 1);
# pop_chef(lo);
# }
# get_flag();
# push 5
l0:
push 4294967296
push 0
j l1
l1:
push 2
push 2
copy
push 2
copy
add
div
push 0
copy
gt_target
br l2
push 1
del
j l3
l2:
# mid lo hi i
push 2
del
# mid lo i
push 1
copy
# lo mid lo i
push 2
del
j l3
l3:
# lo hi i
push 0
copy
# lo lo hi i
push 2
copy
# hi lo lo hi i
sub
push 1
lt
br l1
pop_chef
# hi i
push 0
del
# i
push 1
push 1
copy
sub
push 1
del
push 0
copy
br l0
print_flag
# end
Raw
2_as.py
#!/usr/bin/env python3
def print_cmd(name: str):
print("<plate><{0}/></plate>".format(name))
def process(line: str):
line = line.split("#", 1)[0].strip()
if line == "":
return
if line.endswith(":"):
label = line[:-1]
assert label[0] == "l"
n = int(label[1:])
if n != 0:
print("</course>")
print("<course>")
return
tokens = line.split()
assert 1 <= len(tokens) <= 2
if len(tokens) == 2:
cmd = tokens[0]
if cmd == "push":
print("<plate><paella>{0}</paella></plate>".format(tokens[1]))
return
assert cmd in ("j", "br")
assert tokens[1][0] == "l"
n = int(tokens[1][1:])
if cmd == "j":
process("push 1")
process("push {0}".format(n))
# label cond
process("push 1")
process("copy")
# cond label cond
process("push 2")
process("del")
# cond label
print_cmd("æblegrød")
return
cmd = tokens[0]
print_cmd({
"debug": "宫保鸡丁",
"copy": "불고기",
"pop_chef": "Борщ",
"print_flag": "दाल",
"gt_target": "ラーメン",
"lt": "stroopwafels",
"ins": "köttbullar",
"del": "γύρος",
"add": "rösti",
"sub": "לאַטקעס",
"mul": "poutine",
"div": "حُمُّص",
}[cmd])
print("""\
<?xml version="1.0" encoding="UTF-8"?>
<meal>
""")
try:
while True:
line = input()
process(line)
except EOFError:
pass
print("</course>")
print("""
<state>
<drinks>
<value>5</value>
</drinks>
</state>
</meal>
""")
Raw
3_solution.xml
<?xml version="1.0" encoding="UTF-8"?>
<meal>
<course>
<plate><paella>4294967296</paella></plate>
<plate><paella>0</paella></plate>
<plate><paella>1</paella></plate>
<plate><paella>1</paella></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><æblegrød/></plate>
</course>
<course>
<plate><paella>2</paella></plate>
<plate><paella>2</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><불고기/></plate>
<plate><rösti/></plate>
<plate><حُمُّص/></plate>
<plate><paella>0</paella></plate>
<plate><불고기/></plate>
<plate><ラーメン/></plate>
<plate><paella>2</paella></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><æblegrød/></plate>
<plate><paella>1</paella></plate>
<plate><γύρος/></plate>
<plate><paella>1</paella></plate>
<plate><paella>3</paella></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><æblegrød/></plate>
</course>
<course>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><paella>1</paella></plate>
<plate><paella>3</paella></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><æblegrød/></plate>
</course>
<course>
<plate><paella>0</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><불고기/></plate>
<plate><לאַטקעס/></plate>
<plate><paella>1</paella></plate>
<plate><stroopwafels/></plate>
<plate><paella>1</paella></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><æblegrød/></plate>
<plate><Борщ/></plate>
<plate><paella>0</paella></plate>
<plate><γύρος/></plate>
<plate><paella>1</paella></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><לאַטקעס/></plate>
<plate><paella>1</paella></plate>
<plate><γύρος/></plate>
<plate><paella>0</paella></plate>
<plate><불고기/></plate>
<plate><paella>0</paella></plate>
<plate><paella>1</paella></plate>
<plate><불고기/></plate>
<plate><paella>2</paella></plate>
<plate><γύρος/></plate>
<plate><æblegrød/></plate>
<plate><दाल/></plate>
</course>
<state>
<drinks>
<value>5</value>
</drinks>
</state>
</meal>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment