Shinichiro Hamaji shinh

  • Preferred Networks
  • Tokyo, Japan
@shinh
shinh / b3s23.rb
Created May 23, 2016 03:44
DEFCON CTF Qual 2016 b3s23
#!/usr/bin/env ruby
require './ctfutils'
pipe = popen('./b3s23')
board = <<EOF
o oo
ooo oo o
shinh / old TLS_INIT_TP.c
Created July 10, 2017 17:37
old TLS_INIT_TP
/* Code to initially initialize the thread pointer. This might need
special attention since 'errno' is not yet available and if the
operation can cause a failure 'errno' must not be touched. */
# define TLS_INIT_TP(thrdescr, secondcall) \
({ void *_thrdescr = (thrdescr); \
tcbhead_t *_head = _thrdescr; \
union user_desc_init _segdescr; \
int _result; \
\
_head->tcb = _thrdescr; \
shinh / py.py
Created July 20, 2017 15:03
TCO17 MM R3 PoisonedWine
import random
class PoisonedWine:
    def testWine(self, num_bottles, num_strips, test_rounds, num_poison):
        max_poison = num_poison
        good_bottles = set()
        bottles = range(num_bottles)
        while test_rounds >= 1 and num_strips:
            r = 1.0 - float(num_poison) / len(bottles)
shinh / life.rb
Created August 7, 2017 13:29
ICFPC 2017 for both lightning and full
#!/usr/bin/ruby
require 'json'
SERV = 'punter.inf.ed.ac.uk'
NAME = 'anago'
class Site
attr_reader :id, :x, :y, :site
attr_accessor :is_mine, :is_mine_connected, :value
shinh / RESULT
Last active August 19, 2017 07:35
ICFPC 2017 shinh vs unagi lightning
# shinh is shinh-fixed.rb
# wata is https://github.com/imos/icfpc2017/tree/master/wata/ with no option (thus for lightning config?)
$ ./death_match.rb ./shinh ./wata
circle ./shinh:4(139) ./shinh:3(114) ./wata:1(60) ./wata:2(98)
circle ./shinh:4(135) ./wata:1(77) ./shinh:2(79) ./wata:3(108)
circle ./shinh:2(136) ./wata:3(218) ./wata:1(26) ./shinh:4(232)
circle ./wata:4(302) ./shinh:3(143) ./shinh:2(55) ./wata:1(0)
circle ./wata:3(152) ./shinh:4(244) ./wata:1(59) ./shinh:2(131)
circle ./wata:4(329) ./wata:1(60) ./shinh:2(80) ./shinh:3(141)
shinh / gist:e014849b6fc5460e78f4ac2df0c1351c
Created May 7, 2018 15:21
at_random[0] is stack protector
(gdb) start
Temporary breakpoint 1 at 0x9ef: file mangled_syms.c, line 22.
Starting program: /home/i/test/a.out
Temporary breakpoint 1, main () at mangled_syms.c:22
22 int main() {
(gdb) n
23 unsigned long* at_random = (unsigned long*)getauxval(AT_RANDOM);
(gdb)
24 unsigned long rnd = at_random[1];
shinh / crumble.rb
Created May 14, 2018 13:56
DEFCON 2018 Qual ELF Crumble
Encoding.default_external = 'binary'
Encoding.default_internal = 'binary'
c = File.open('pieces/broken', 'r:binary').read
p c[0x5b0-3...0x8d4].size
frags = (1..8).map{|i|File.read("pieces/fragment_#{i}.dat")}
p frags.map{|f|f.size}.inject(:+)
[*0..7].permutation.each do |a|
ff = ''
shinh / eregon.rb
Last active May 28, 2018 15:36
eregon.rb, decoded by s/eval/print/
# https://github.com/tric/trick2018/blob/master/honorable-mentions/eregon/entry.rb
#
# Just replacing eval by print should yield:
i,s,S=ARGF.read,[],/"(?:\\["\\\/bfnrtu]|[^"\\])*"/
while i[S]
s << $` << $&
i=$'
end
s << i
shinh / loopbench.rb
Created June 4, 2018 01:25
loopbench
#!/usr/bin/ruby
# 65 of https://speakerdeck.com/k0kubun/the-method-jit-compiler
[1, 5, 10, 15, 20, 30, 50, 100].each do |n|
rb = "/tmp/loop_#{n}"
File.open(rb, "w") do |of|
n.times{|i|of.puts "def call#{i}() nil end"}
n.times{|i|of.puts ["call#{i}"] * 5 * '; '}
shinh / gen_payload.rb
Created August 19, 2018 13:58
DEF CON CTF 2018 doublethink - A polyglot of 9 architectures
#!/usr/bin/env ruby
#
# DEF CON CTF 2018 doublethink
#
# A polyglot of 9 architectures amd64, mix, pdp-8, pdp-1, pdp-10,
# nova, lgp-30, clemency, and mmix. MMIX was added after the CTF.
#
# This will generate a file named "payload" and you can try it by
#
# $ ./scripts/service.py < payload