vient

vient / bot.py
Last active Jul 22, 2019
cybrics game solution
#!/usr/bin/env python2
from pwn import *
import os


class Room:
    def __init__(self, data=None):
        self.dimX = None
        self.dimY = None
        self.player = None
        self.flag = None
vient / _solve.cpp
Created Mar 25, 2019
0CTF/TCTF 2019 Quals: Sixology solution
#include <cstdio>
#include <cstring>
#include <cstdlib>
#include <cstdint>   // uint64_t
#include <vector>
#include <string>
#include <iostream>
#include <iomanip>
uint64_t arr0[] = {
0xFA730603, 0xF8084C29, 0xF4290A55, 0xF17A02CD,
vient / exploit.py
Created Jun 8, 2018
FAUST CTF 2018 "Diagon Alley" exploit
#!/usr/bin/env python
import sys
import struct
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from pwn import *
View client.py
#!/usr/bin/env python
import sys
import struct
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
from pwn import *
vient / babyre.md
Last active May 21, 2018
RCTF 2018 writeups

The binary encrypts the string by applying to each character a function that yields an int (see sub_80488E0, sub_804868B). The encryption is not chained, so we can feed every character to the binary, collect the encrypted values and use them as a reference table to decode the output file.
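
The codebook attack described above, as an added example that is not the writeup's own script and does not contain the challenge binary. `constructed_encrypt_char` is a made-up stand-in for the binary's per-character function (one byte in, one 32-bit int out, no state between characters); the 4-byte little-endian word layout of the encrypted file is also an assumption.

```python
import struct

# Added example; not the writeup's script and not the challenge binary.
# The stand-in below plays the role of the binary's per-character function
# (sub_80488E0 / sub_804868B in the writeup): one byte in, one 32-bit int out,
# no state carried between characters. Its arithmetic is constructed.
def constructed_encrypt_char(c):
    x = ((c * 0x01000193) ^ 0x811C9DC5) & 0xFFFFFFFF
    return ((x << 13) | (x >> 19)) & 0xFFFFFFFF   # 32-bit rotate, keeps the map injective

def build_codebook(oracle, alphabet=range(256)):
    """Query the oracle once per candidate byte and invert the result.
    Since the cipher is not chained, one table covers every position."""
    book = {}
    for c in alphabet:
        book.setdefault(oracle(c), []).append(c)  # keep collisions rather than overwriting
    return book

def encrypt_blob(msg, oracle, word_fmt="<I"):
    """Assumed output-file layout: one packed int per plaintext byte."""
    return b"".join(struct.pack(word_fmt, oracle(c)) for c in msg)

def decrypt_blob(blob, book, word_fmt="<I"):
    """Split the encrypted file into ints and look each one up in the codebook.
    Returns (plaintext, ambiguous); ambiguous lists positions whose int has
    more than one preimage and therefore needs resolving by hand."""
    size = struct.calcsize(word_fmt)
    if len(blob) % size:
        raise ValueError("encrypted file is not a whole number of words")
    out, ambiguous = bytearray(), []
    for i, (ct,) in enumerate(struct.iter_unpack(word_fmt, blob)):
        cands = book.get(ct)
        if not cands:
            raise ValueError(f"word {i} (0x{ct:08x}) was never produced by the oracle")
        if len(cands) > 1:
            ambiguous.append((i, cands))
        out.append(cands[0])
    return bytes(out), ambiguous

def demo(msg=b"RCTF{codebook}"):
    """Round trip through the constructed oracle."""
    book = build_codebook(constructed_encrypt_char)
    blob = encrypt_blob(msg, constructed_encrypt_char)
    return decrypt_blob(blob, book)

if __name__ == "__main__":
    print(demo())
```

Against the real binary, `oracle` becomes a wrapper that runs it once per candidate byte (for example with pwntools' `process`) and parses the int it prints; everything else stays the same. Keeping collision lists instead of overwriting is the part that matters in practice: a lossy per-character function gives some words several preimages, and the decoder should say so rather than silently pick one.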

vient / solve.py
Created Apr 2, 2018
0ctf 2018 quals "udp" solution
import sys
import pprint
import struct
TABLE_SIZE = 4000
table = [[]]
iterators = []
locks = set()
def request(cur=0, path_diff=2**64):
vient / solve.py
Created Jan 1, 2018
34C3 CTF primepwn solution
#!/usr/bin/env python2
from pwn import *
from heapq import *
PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251)
def gen_byte_generators():
    res = {}
vient / _writeup.md
Last active Dec 10, 2017
SECCON Quals 2017 "printf machine" Writeup

The binary reads format strings one by one from the provided file and prints them to /dev/null.

This fprintf receives a lot of parameters, which are actually 16 bytes of memory, 16 bytes of flag, and pointers to said bytes; 64 parameters in total. Because of the %hhn specifiers, format strings can write to the provided memory addresses, so we can easily perform additions with them.

Since the given "virtual program" was pretty big, almost 3400 lines, I wrote a parser to make the "virtual instructions" (format strings) more human-readable. For example, %2$*36$s%2$*41$s%4$hhn becomes mem[3] = mem[3] + mem[8].

After parsing into human-readable form, patterns in the code became more obvious, so the next thing I wrote was two "optimizing" passes that folded additions into multiplications and then multiplications into one big sum.

After these passes we have a pretty simple program. It is clear that the flag is checked using a linear system, so we can use z3 to solve it easily.
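
A lifter of the kind described above, as an added example (not the writeup's own parser). The argument layout it assumes is the one consistent with the single translation given above and with 16 memory bytes + 16 flag bytes + 32 pointers = 64 arguments: args 1..32 are the pointers, args 33..64 the byte values. Only the `%a$*w$s` and `%p$hhn` conversions the writeup mentions are handled; anything else is reported rather than guessed.

```python
import re
from collections import Counter
from itertools import groupby

# Added example, not the writeup's parser. The argument layout is an assumption
# derived from "%2$*36$s%2$*41$s%4$hhn -> mem[3] = mem[3] + mem[8]":
#   args  1..16 -> pointers to mem[0..15]    args 33..48 -> values mem[0..15]
#   args 17..32 -> pointers to flag[0..15]   args 49..64 -> values flag[0..15]
def value_name(n):
    """Argument n used as a %*n$ width, i.e. as a byte value."""
    if 33 <= n <= 48:
        return f"mem[{n - 33}]"
    if 49 <= n <= 64:
        return f"flag[{n - 49}]"
    raise ValueError(f"arg {n} is not assumed to be a byte value")

def ptr_name(n):
    """Argument n used as a %n$hhn target, i.e. as a pointer."""
    if 1 <= n <= 16:
        return f"mem[{n - 1}]"
    if 17 <= n <= 32:
        return f"flag[{n - 17}]"
    raise ValueError(f"arg {n} is not assumed to be a pointer")

# width-padded %s (prints `width` chars) | %hhn write | escaped percent | literal text
TOKEN = re.compile(r"%(\d+)\$\*(\d+)\$s|%(\d+)\$hhn|(%%)|([^%]+)")

def parse(fmt):
    """Return [(target, Counter(operand -> multiplicity), constant)], one per %hhn.
    %hhn stores the running count of printed characters, so operands accumulate
    across the whole string; the truncation to one byte is left implicit."""
    stmts, terms, const, pos = [], Counter(), 0, 0
    for m in TOKEN.finditer(fmt):
        if m.start() != pos:
            raise ValueError(f"unsupported conversion at offset {pos}: {fmt[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(2):
            terms[value_name(int(m.group(2)))] += 1
        elif m.group(3):
            stmts.append((ptr_name(int(m.group(3))), Counter(terms), const))
        elif m.group(4):
            const += 1
        else:
            const += len(m.group(5))
    if pos != len(fmt):
        raise ValueError(f"unsupported conversion at offset {pos}: {fmt[pos:pos + 10]!r}")
    return stmts

def render(stmt):
    target, terms, const = stmt
    parts = [name if k == 1 else f"{k}*{name}" for name, k in terms.items()]
    if const:
        parts.append(str(const))
    return f"{target} = {' + '.join(parts) if parts else 0}"

def fold_repeats(stmts):
    """First optimising pass: k consecutive copies of `X = X + rest`
    become one `X = X + k*rest`."""
    out = []
    for stmt, run in groupby(stmts):
        k = sum(1 for _ in run)
        target, terms, const = stmt
        if k > 1 and terms[target] == 1:
            folded = Counter({target: 1})
            for name, mult in terms.items():
                if name != target:
                    folded[name] += k * mult
            out.append((target, folded, k * const))
        else:
            out.extend([stmt] * k)
    return out

def translate(program):
    """program: the format strings of the input file, one per line."""
    stmts = [s for fmt in program for s in parse(fmt)]
    return [render(s) for s in fold_repeats(stmts)]

if __name__ == "__main__":
    print(translate(["%2$*36$s%2$*41$s%4$hhn"] * 3))
```

Literal text in a format string counts as printed characters too, so `AB%2$*50$s%20$hhn` lifts to `flag[3] = flag[1] + 2`; the second pass from the writeup (multiplications into one big sum) is a further fold over the same `(target, terms, const)` tuples.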

vient / description.md
Last active Oct 27, 2017
Kaspersky Crackme 2016

We are given a PE executable for x86. We open it in IDA, go to main and see the following code:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax@2
  const char *v4; // ecx@3

  printf("Welcome to Kaspersky CrackMe 2016!\n");
  if ( argc == 3 )
  {
vient / description.md
Last active Sep 29, 2019
Zeronights 2017 HackQuest Day #2 Writeup

Your friend works in an antivirus company. He developed a new algorithm for generating a license key and asks you to test it.

We are given an archive with an ELF x86_64 executable, "petrovavlic". Without much deliberation we open it in IDA and see that it is packed with UPX 3.94. UPX itself cannot unpack it, because the author cut out the section names. We unpack it by some means, for example by restoring the names, and move on.

From the strings in the unpacked file it is immediately obvious that it is written in Go. The same strings also tell us who the author of the task is.

00000fb0: 2800 0000 0400 0000 476f 0000 3766 6661  (.......Go..7ffa
00000fc0: 3865 6437 3736 6134 3236 3237 3165 3864  8ed776a426271e8d
00000fd0: 6664 3937 3062 3530 6330 3163 6637 3666  fd970b50c01cf76f
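
The bytes above are the start of an ELF note with name "Go\0\0" and type 4, which is how the Go linker records the build ID. As an added example (not from the writeup), the following parser walks ELF notes and extracts that ID, first via the PT_NOTE program headers and, when those do not lead to it (a packer rewrote them), by locating the note name directly as one does in a hexdump. The sample note bytes and the ELF header in `constructed_*` are made up for the test and the build ID in them is not the challenge binary's.

```python
import struct

# Added example, not from the writeup. ELF note layout (namesz, descsz, type,
# then name and descriptor each padded to 4 bytes) and the Go linker's
# "Go\0\0"/type-4 build ID note are standard; the sample bytes below are
# constructed for the test and are not the challenge binary's real build ID.
GO_NOTE_NAME = b"Go\x00\x00"
GO_BUILDID_TYPE = 4
PT_NOTE = 4

def iter_notes(blob, little_endian=True):
    """Yield (name, type, desc) for each note packed back to back in blob."""
    end = "<" if little_endian else ">"
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from(end + "III", blob, off)
        off += 12
        name = blob[off:off + namesz]
        off += (namesz + 3) & ~3            # both fields are padded to 4 bytes
        desc = blob[off:off + descsz]
        off += (descsz + 3) & ~3
        if len(name) < namesz or len(desc) < descsz:
            raise ValueError("truncated note")
        yield name, ntype, desc

def go_buildid_from_notes(blob, little_endian=True):
    for name, ntype, desc in iter_notes(blob, little_endian):
        if name == GO_NOTE_NAME and ntype == GO_BUILDID_TYPE:
            return desc.decode("ascii", "replace")
    return None

def go_buildid_from_elf(data):
    """Scan every PT_NOTE segment of an ELF64 image; if the program headers do
    not lead to the note, fall back to finding the note name directly and
    parsing the 12-byte note header in front of it."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 = ELF64
        raise ValueError("not an ELF64 image")
    le = data[5] == 1                               # EI_DATA 1 = little endian
    end = "<" if le else ">"
    e_phoff, = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(e_phnum):
        p_type, _flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_NOTE:
            bid = go_buildid_from_notes(data[p_off:p_off + p_filesz], le)
            if bid is not None:
                return bid
    at = data.find(GO_NOTE_NAME)                    # hexdump-style fallback
    if at >= 12:
        try:
            return go_buildid_from_notes(data[at - 12:], le)
        except ValueError:
            pass
    return None

# Constructed sample: a GNU-style note first, then the Go build ID note.
CONSTRUCTED_ID = "0123456789abcdef0123456789abcdef01234567"   # 40 hex chars, made up

def constructed_notes():
    gnu = struct.pack("<III", 4, 20, 3) + b"GNU\x00" + b"\x11" * 20
    go = (struct.pack("<III", 4, len(CONSTRUCTED_ID), GO_BUILDID_TYPE)
          + GO_NOTE_NAME + CONSTRUCTED_ID.encode())
    return gnu + go

def constructed_elf_without_phdrs():
    """Minimal ELF64 header with e_phnum = 0, so only the fallback can find the note."""
    hdr = bytearray(64)
    hdr[:6] = b"\x7fELF\x02\x01"
    return bytes(hdr) + constructed_notes()

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(go_buildid_from_elf(f.read()))
```

The descriptor length in the dump above (0x28 = 40) matches the 40-character hex build IDs of Go toolchains of that era; the fallback is what makes this usable on a file whose headers a packer has mangled, which is the situation the task sets up.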