@muzlightbeer
muzlightbeer / windbg.md
Last active September 26, 2025 16:47
WinDbg for Linux Users

The Windows Debugger (WinDbg) for Linux users

The following provides commands for getting started with WinDbg if you come from a Linux-only background and have only used GDB and LLDB.

VMware Fusion and VHD images

Some Windows operating system trials come as virtual hard disk (VHD) images that state Hyper-V is required to use them. With macOS and VMware Fusion (at the time of writing, VMware Fusion 12.1.2), you can drag the executable files into VMware (the same as with ISO images) and install them normally. No subscription is required to obtain access to a DVD or ISO image if you do not have a system that uses Windows as the base operating system.

Microsoft symbols

@st98
st98 / nekodesu.s
Last active March 17, 2021 19:13
DiceCTF 2021 - TI-1337 Plus CE
BITS 64
; ref: https://starfleetcadet75.github.io/posts/plaid-2020-golf-so/
ehdr: ; Elf64_Ehdr
db 0x7f, "ELF", 2, 1, 1, 0 ; e_ident
times 8 db 0
dw 3 ; e_type
dw 0x3e ; e_machine
dd 1 ; e_version
@MaskRay
MaskRay / mallocng.md
Last active September 30, 2025 05:40
musl mallocng

Introduced in musl v1.2.1. Design goal: "Strong hardening against memory usage errors by the caller, including detection of overflows, double-free, and use-after-free, and does not admit corruption of allocator state via these errors."

context

// Singleton: ctx
struct malloc_context {
  uint64_t secret;
#ifndef PAGESIZE
  size_t pagesize;
#!/usr/bin/python3
from pwn import *
from past.builtins import xrange
from time import sleep
import random
import subprocess
def PID():
    print(subprocess.check_output(['pidof', 'still-printf']))
@vient
vient / kek.py
Created June 9, 2020 09:52
Python abomination
#!/usr/bin/env python3
import π—Œπ”Άπ˜΄
import πš›π–Ίπ”«β…†om
import π’”π˜΅π“»π’Ύπš—π’ˆ
import ο½•π˜―π•šο½ƒπ• π’Ήο½…π–½π™–π•₯𝖆
from ο½π”Άπ˜¨ο½π‘’π™£t𝑠 import β‚—β…‡β‚“β‚‘ο½’ΕΏ as Lπ˜¦π—‘πšŽα΅£π¬
𝖀𝗑𝕴π‘ͺO𝑫ℰ_π˜Ύπ΄π™²β„‹π„π•Ύ = {}
def π˜§π•šπ“΅π˜­_ο½•π™£β±π™˜π—ˆde_π“·π™–π¦π™šπ•€():
@hellman
hellman / 0_writeup.md
Last active October 18, 2019 07:20
Balsn CTF 2019 - Collision (crypto)

In this challenge we see a password-verification program. The password is quite long:

assert 16 < len(passwd) < 70

The first few checks verify md5, sha1 and sha3_224 digests. Because the password is long, it is unlikely that these can be used to recover it. Then three transformations are applied that aim to "destroy" the password: exponentiation modulo a prime, and iterated encryption with DES and AES. However, it is easy to see that they are trivially invertible. For the final "destroyed" value, the omnihash tool is used, which checks the password using 72 different hash functions, including many CRC variants. We are given the digests of these functions in the hash.json file.

CRC functions are not cryptographically secure at all: they are affine functions. Therefore, we can efficiently use them to deduce information about the hashed value. One may try to use the definition of CRC functions as modular reductions in the ring of polynomials over GF(2) and use the Chinese Remainder Theorem to reconstruct the va

@codebrainz
codebrainz / gist:8ece2a9015a3ed0d260f
Last active July 23, 2018 23:49
Using std::hash with char* as a C string rather than a pointer.
namespace std
{
    template <>
    struct hash<char *>
    {
        size_t operator()(const char *s) const
        {
            // http://www.cse.yorku.ca/~oz/hash.html
            size_t h = 5381;
            int c;
@dergachev
dergachev / squid-deb-proxy_on_docker.md
Last active September 23, 2025 16:12
Caching debian package installation with docker

TLDR: I now add the following snippet to all my Dockerfiles:

# If host is running squid-deb-proxy on port 8000, populate /etc/apt/apt.conf.d/30proxy
# By default, squid-deb-proxy 403s unknown sources, so apt shouldn't proxy ppa.launchpad.net
RUN route -n | awk '/^0.0.0.0/ {print $2}' > /tmp/host_ip.txt
RUN echo "HEAD /" | nc `cat /tmp/host_ip.txt` 8000 | grep squid-deb-proxy \
  && (echo "Acquire::http::Proxy \"http://$(cat /tmp/host_ip.txt):8000\";" > /etc/apt/apt.conf.d/30proxy) \
  && (echo "Acquire::http::Proxy::ppa.launchpad.net DIRECT;" >> /etc/apt/apt.conf.d/30proxy) \
  || echo "No squid-deb-proxy detected on docker host"