Renzo Toma rtoma

## pwn.py
#!/usr/bin/env python3
#
# Exploit for "assignment" of GoogleCTF 2017
#
# CTF-quality exploit...
#
# Slightly simplified and shortened explanation:
#
# The bug is a UAF of one or both values during add_assign() if a GC is
# triggered during allocate_value(). The exploit first abuses this to leak a

## decrypt_flag.rs
#[macro_use]
extern crate arrayref;
extern crate crypto;

use crypto::aead::AeadDecryptor;
use crypto::chacha20poly1305::ChaCha20Poly1305;
use std::env;
use std::fs::File;
use std::io::{Read, Write};

## crypto_backdoor.py
def I(s):
  val = 0
  for i in range(len(s)):
    digit = ord(s[len(s) - i - 1])
    val <<= 8
    val |= digit
  return val

def Sn(i, length):
  s = ''

## 0solve.py
'''
CRC is affine.
CRC(x) = L(x) + C, where L is linear.
We want CRC(x) = L(x) + C = x.
Write as L(x)+x = C.
Solve matrix equation.
'''

from sage.all import *

## yaml2json.sh
yaml2json () {
        ruby -r yaml -r json -e 'puts YAML.load($stdin.read).to_json'
}
	#!/usr/bin/env python3
	#
	# Exploit for "assignment" of GoogleCTF 2017
	#
	# CTF-quality exploit...
	#
	# Slightly simplified and shortened explanation:
	#
	# The bug is a UAF of one or both values during add_assign() if a GC is
	# triggered during allocate_value(). The exploit first abuses this to leak a
	#[macro_use]
	extern crate arrayref;
	extern crate crypto;

	use crypto::aead::AeadDecryptor;
	use crypto::chacha20poly1305::ChaCha20Poly1305;
	use std::env;
	use std::fs::File;
	use std::io::{Read, Write};
	def I(s):
	val = 0
	for i in range(len(s)):
	digit = ord(s[len(s) - i - 1])
	val <<= 8
	val \|= digit
	return val

	def Sn(i, length):
	s = ''
	'''
	CRC is affine.
	CRC(x) = L(x) + C, where L is linear.
	We want CRC(x) = L(x) + C = x.
	Write as L(x)+x = C.
	Solve matrix equation.
	'''

	from sage.all import *
	yaml2json () {
	ruby -r yaml -r json -e 'puts YAML.load($stdin.read).to_json'
	}