pawlos
/ index.html
Created
September 1, 2021 18:07
— forked from lbherrera/index.html
Solution for the MessageKeeper challenge from Pwn2Win 2021
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <title>Pwn2Win | MessageKeeper</title> | |
| </head> | |
| <body> | |
| <script> | |
| let alphabet = "0123456789abcdef"; | |
| const sleep = (ms) => { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const = 0xc6a4a7935bd1e995 | |
| #simplified mangle algorith form the binary | |
| def mangle(a, i): | |
| b = 1 | |
| c = 0x1337 | |
| temp = c ^ (b * const) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # This exploit template was generated via: | |
| # $ pwn template --host crypto.2021.chall.actf.co --port 21603 | |
| from pwn import * | |
| # Set up pwntools for the correct architecture | |
| exe = context.binary = ELF('./chall') | |
| # Many built-in settings can be controlled on the command-line and show up |
pawlos
/ fix vmwp.bat
Created
February 16, 2021 20:37
— forked from kruxmeier/fix vmwp.bat
enable hardware performance counters in WSL2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REM open cmd.exe as admin to run this | |
| REM Creates a patched vmwp.exe replacing these bytes: | |
| REM 0F B6 43 64 41 89 47 64 0F B6 43 65 41 89 47 68 0F B6 43 66 41 89 47 6C 0F B6 43 67 41 89 47 70 | |
| REM 41 C7 47 64 01 00 00 00 41 C7 47 68 01 00 00 00 41 C7 47 6C 01 00 00 00 41 C7 47 70 01 00 00 00 | |
| REM Enables PMU, LBR, PEBS, IPT | |
| cd %TEMP% | |
| copy %windir%\system32\vmwp.exe . |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #script for https://www.youtube.com/watch?v=FvH7b_qLmbU | |
| import struct | |
| from ghidra.program.model.symbol import * | |
| xrefs = currentProgram.getReferenceManager() | |
| startAddr = currentAddress | |
| currAddr = currentAddress | |
| while True: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| interesting_data = [0x8b,0x84,0x9a,0x9b,0x9a,0xb1,0xd6,0xaf,0x93,0xb2,0x81,0x8c,0x84,0xab,0x9d,0x9c,0x8e,0xb9,0xb0,0xd9,0xa8,0xa4,0x9c,0x81,0x85,0xa0,0xa6,0xb4,0x87,0x9a,0xbb,0x92,0x96,0xad,0x8c,0xd7,0xb0,0x8d,0x97] | |
| shuffle = [0x16,0x0c,0x24,0x17,0x13,0x19,0x07,0x09,0x0e,0x23,0x05,0x01,0x18,0x21,0x0d,0x10,0x12,0x1f,0x1a,0x1e,0x22,0x00,0x0f,0x0b,0x08,0x15,0x11,0x02,0x1d,0x1c,0x26,0x03,0x04,0x25,0x14,0x20,0x06,0x1b,0x0a] | |
| interesting_data = interesting_data[:0x27] | |
| m = 38 | |
| j = 0 | |
| for k in range(len(interesting_data)//2): | |
| i = shuffle.index(m) | |
| uVar1 = shuffle[i] | |
| uVar2 = interesting_data[i] |
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| F_T = '58c7661f00634702555f664b7756884c864edc4fef2d9c48881bac0911082214334e424f552f661d7752ce41d54deb70e9468949892db745545270fc333c44aa5525634f772d88699970983b8b18fe1eed3aba1d584c763201724431553e66295a2888269941aa20ef72a435b4359d36312b4b6f4048643d3b3b0927034ca846ee36c295da80b8d9fd3b97d37e51577113dc37cb3dd209a60246e43cfd488a42d938a953fd2a82ee7e8b4d9d582c2dc83b7101d057cee978ed008453950be22c89fdbea6548c106d33c344e4552e6ef87782880b9901fa5b95bcecc09e0c81ff75bd479033d24430558f66fe77b288b39961aabcbb9ccc42ddc5ee33112122e333d944ad55d4666277a78895998faaa6bbc5cca9dd12eeba112e22bf337844d9559066a077c288da998eaa3dbbb4cc38ddb9ee6011f2223233e3443d55f3664a77b2885699d4aa76bb2cccbfddeeeeda118122d0331b44bd552c66bf77af8845997baa32bb92cc7addadeebb11312211339944a855a6669577ec887699b6aab8bb8bccc0dd36ee03116f221833a344b655f366e17750882a9946aa82bbabccbdddb8eeb21152229233ed44de555766af7701888499d4aabbbb85ccb6dd37eebf11d1225833d244bf55ad66e8772e88ca99d3aaf6bb72cc49dd7ceedd1124229733bd443455fd661677b088a699f3aa87bb31ccdaddf2ee06115e221d3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| F_L = "9655B040B64667238524D15D6201.B95D4E01C55CC562C7557405A532D768C55FA12DD074DC697A06E172992CAF3F8A5C7306B7476B38.C555AC40A7469C234424.853FA85C470699477D3851249A4B9C4E.A855AF40B84695239D24895D2101D05CCA62BE5578055232D568C05F902DDC74D2697406D7724C2CA83FCF5C2606B547A73898246B4BC14E941F9121D464D263B947EB77D36E7F1B8254.853FA85C470699477D3851249A4B9C4E.9A55B240B84692239624.CC55A940B44690238B24CA5D7501CF5C9C62B15561056032C468D15F9C2DE374DD696206B572752C8C3FB25C3806.A8558540924668236724B15D2101AA5CC362C2556A055232AE68B15F7C2DC17489695D06DB729A2C723F8E5C65069747AA389324AE4BB34E921F9421.CB55A240B5469B23.AC559340A94695238D24CD5D75018A5CB062BA557905A932D768D15F982D.D074B6696F06D5729E2CAE3FCF5C7506AD47AC388024C14B7C4E8F1F8F21CB64" | |
| onzo = F_L.split(".") | |
| #rigmarole(onzo(7)) | |
| def rigmarole(es): | |
| furphy = "" | |
| c = 0 | |
| s = "" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| d = open('report2.xls', 'rb').read() | |
| data_chunk = -1 | |
| start_address = [0xace1, | |
| 0xcc88, | |
| 0xecac, | |
| 0x10cd0, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def decrypt(text, alphabet): | |
| l = 0x66 | |
| cnt = len(text) | |
| i = 0 | |
| res = [] | |
| while i < cnt: | |
| res.append(chr(text[i] ^ ord(alphabet[i%l]))) | |
| i += 1 |
NewerOlder