pawlos
/ index.html
Created Sep 1, 2021
— forked from lbherrera/index.html
Solution for the MessageKeeper challenge from Pwn2Win 2021
View index.html
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <title>Pwn2Win | MessageKeeper</title> | |
| </head> | |
| <body> | |
| <script> | |
| let alphabet = "0123456789abcdef"; | |
| const sleep = (ms) => { |
View solve.py
| const = 0xc6a4a7935bd1e995 | |
| #simplified mangle algorith form the binary | |
| def mangle(a, i): | |
| b = 1 | |
| c = 0x1337 | |
| temp = c ^ (b * const) |
View gist:9e94a863d089c0d6687d48d0e43cb9e5
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # This exploit template was generated via: | |
| # $ pwn template --host crypto.2021.chall.actf.co --port 21603 | |
| from pwn import * | |
| # Set up pwntools for the correct architecture | |
| exe = context.binary = ELF('./chall') | |
| # Many built-in settings can be controlled on the command-line and show up |
pawlos
/ fix vmwp.bat
Created Feb 16, 2021
— forked from kruxmeier/fix vmwp.bat
enable hardware performance counters in WSL2
View fix vmwp.bat
| REM open cmd.exe as admin to run this | |
| REM Creates a patched vmwp.exe replacing these bytes: | |
| REM 0F B6 43 64 41 89 47 64 0F B6 43 65 41 89 47 68 0F B6 43 66 41 89 47 6C 0F B6 43 67 41 89 47 70 | |
| REM 41 C7 47 64 01 00 00 00 41 C7 47 68 01 00 00 00 41 C7 47 6C 01 00 00 00 41 C7 47 70 01 00 00 00 | |
| REM Enables PMU, LBR, PEBS, IPT | |
| cd %TEMP% | |
| copy %windir%\system32\vmwp.exe . |
View xrefs.py
| #script for https://www.youtube.com/watch?v=FvH7b_qLmbU | |
| import struct | |
| from ghidra.program.model.symbol import * | |
| xrefs = currentProgram.getReferenceManager() | |
| startAddr = currentAddress | |
| currAddr = currentAddress | |
| while True: |
View check.py
| interesting_data = [0x8b,0x84,0x9a,0x9b,0x9a,0xb1,0xd6,0xaf,0x93,0xb2,0x81,0x8c,0x84,0xab,0x9d,0x9c,0x8e,0xb9,0xb0,0xd9,0xa8,0xa4,0x9c,0x81,0x85,0xa0,0xa6,0xb4,0x87,0x9a,0xbb,0x92,0x96,0xad,0x8c,0xd7,0xb0,0x8d,0x97] | |
| shuffle = [0x16,0x0c,0x24,0x17,0x13,0x19,0x07,0x09,0x0e,0x23,0x05,0x01,0x18,0x21,0x0d,0x10,0x12,0x1f,0x1a,0x1e,0x22,0x00,0x0f,0x0b,0x08,0x15,0x11,0x02,0x1d,0x1c,0x26,0x03,0x04,0x25,0x14,0x20,0x06,0x1b,0x0a] | |
| interesting_data = interesting_data[:0x27] | |
| m = 38 | |
| j = 0 | |
| for k in range(len(interesting_data)//2): | |
| i = shuffle.index(m) | |
| uVar1 = shuffle[i] | |
| uVar2 = interesting_data[i] |
View solve3.py
This file has been truncated, but you can view the full file.
View solve2.py
| F_L = "9655B040B64667238524D15D6201.B95D4E01C55CC562C7557405A532D768C55FA12DD074DC697A06E172992CAF3F8A5C7306B7476B38.C555AC40A7469C234424.853FA85C470699477D3851249A4B9C4E.A855AF40B84695239D24895D2101D05CCA62BE5578055232D568C05F902DDC74D2697406D7724C2CA83FCF5C2606B547A73898246B4BC14E941F9121D464D263B947EB77D36E7F1B8254.853FA85C470699477D3851249A4B9C4E.9A55B240B84692239624.CC55A940B44690238B24CA5D7501CF5C9C62B15561056032C468D15F9C2DE374DD696206B572752C8C3FB25C3806.A8558540924668236724B15D2101AA5CC362C2556A055232AE68B15F7C2DC17489695D06DB729A2C723F8E5C65069747AA389324AE4BB34E921F9421.CB55A240B5469B23.AC559340A94695238D24CD5D75018A5CB062BA557905A932D768D15F982D.D074B6696F06D5729E2CAE3FCF5C7506AD47AC388024C14B7C4E8F1F8F21CB64" | |
| onzo = F_L.split(".") | |
| #rigmarole(onzo(7)) | |
| def rigmarole(es): | |
| furphy = "" | |
| c = 0 | |
| s = "" |
View solv.py
| d = open('report2.xls', 'rb').read() | |
| data_chunk = -1 | |
| start_address = [0xace1, | |
| 0xcc88, | |
| 0xecac, | |
| 0x10cd0, |
View solve.py
| def decrypt(text, alphabet): | |
| l = 0x66 | |
| cnt = len(text) | |
| i = 0 | |
| res = [] | |
| while i < cnt: | |
| res.append(chr(text[i] ^ ord(alphabet[i%l]))) | |
| i += 1 |
NewerOlder